{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/opencats-0.9.7.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenCATS 0.9.7.4"],"_cs_severities":["high"],"_cs_tags":["sqli","webapps","opencats"],"_cs_type":"advisory","_cs_vendors":["OpenCATS"],"content_html":"\u003cp\u003eA SQL Injection vulnerability has been identified in OpenCATS version 0.9.7.4. A public exploit (EDB-52579) is available on Exploit-DB, significantly increasing the risk to systems running this version. The exploit, tested on Ubuntu 22.04 with Apache2, PHP, and MariaDB 10.6, leverages a flaw in the getDataGridPager function to inject SQL commands. This allows an attacker to potentially extract sensitive information, including database version details, usernames, access levels, and password hashes, thereby compromising the application\u0026rsquo;s security. The availability of a working exploit makes it crucial for organizations using OpenCATS 0.9.7.4 to apply necessary patches or mitigations immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the OpenCATS application.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the application, using default credentials if available (admin/cats).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003eajax.php\u003c/code\u003e endpoint, specifically targeting the \u003ccode\u003egetDataGridPager\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the parameters of \u003ccode\u003egetDataGridPager\u003c/code\u003e, the attacker injects SQL code into the \u003ccode\u003esortDirection\u003c/code\u003e parameter. 
This is achieved by manipulating the JSON-encoded parameters passed to the function.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is designed to exploit a blind SQL Injection vulnerability, using \u003ccode\u003eDESC,IF(({cond}),SLEEP({delay}),0)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses conditional statements and \u003ccode\u003eSLEEP()\u003c/code\u003e functions to infer data based on response times. This allows them to bypass traditional output-based SQL injection protections.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the database version, usernames, access levels, and password hashes from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials and information to further compromise the system or gain unauthorized access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability can lead to full database compromise. An attacker could potentially extract sensitive information such as usernames, passwords, and other confidential data stored within the OpenCATS database. This could result in unauthorized access to the application, data breaches, and potential reputational damage. 
The vulnerability affects any system running OpenCATS 0.9.7.4, making it a widespread risk for users of this software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for OpenCATS to address the SQL Injection vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests to \u003ccode\u003eajax.php\u003c/code\u003e with unusual values in the \u003ccode\u003ef\u003c/code\u003e and \u003ccode\u003ep\u003c/code\u003e parameters, using the Sigma rule provided.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out SQL injection attempts targeting the \u003ccode\u003esortDirection\u003c/code\u003e parameter in \u003ccode\u003egetDataGridPager\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to limit the impact of credentials recovered from extracted password hashes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect SQL injection attempts via \u003ccode\u003eajax.php\u003c/code\u003e and tune it to your specific environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T12:51:22Z","date_published":"2026-05-27T12:51:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opencats-sqli/","summary":"A SQL Injection vulnerability exists in OpenCATS 0.9.7.4, with a published exploit that allows for database version and user extraction on unpatched systems.","title":"OpenCATS 0.9.7.4 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-opencats-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenCATS 0.9.7.4","version":"https://jsonfeed.org/version/1.1"}