Add LiteLLM proxy pre-auth SQL injection scanner (CVE-2026-42208)

[kenlacroix]

Summary

Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for
CVE-2026-42208 (CVSS 9.3,
on the CISA KEV list) — a pre-authentication SQL injection in
BerriAI LiteLLM proxy.

Vulnerability

During API-key verification the proxy interpolates the raw Authorization bearer
value into a PostgreSQL query without parameterization:

WHERE v.token = '<bearer value>'

LiteLLM only SHA-256-hashes bearer tokens that begin with sk-; a value that does
not start with sk- reaches the query verbatim, so a single quote breaks out of
the string literal. The lookup runs on the authentication-failure path, which is
reachable before authentication. Affected versions are 1.81.16 through 1.83.6;
fixed in 1.83.7 by switching to a parameterized query (commit 4dc416ee74).

What the module does

This is a detection module. It confirms the flaw with a benign time-based
check and never reads or exfiltrates data:

1. A baseline request with a random non-sk- bearer.
2. A bearer carrying a pg_sleep(N) payload.
3. A second baseline, which must return quickly.
4. A bearer carrying a pg_sleep(2N) payload.

The target is reported vulnerable only when the injected delays scale with the
requested sleep while both controls stay fast, so a server that is merely slow or
degrading is not flagged.

Detection requirement: the injectable predicate is a WHERE clause PostgreSQL
evaluates per matching row, so the time-based signal only fires when the target has
provisioned at least one virtual key (a non-empty token table). This is the case
for any LiteLLM proxy in real use; a freshly initialized proxy with no keys may not
respond. The limitation is documented in the module and the docs.

Verification

Tested against the official images — vulnerable main-v1.83.3-stable and patched
main-v1.83.7-stable, each with a PostgreSQL backend and one provisioned virtual
key:

msf6 auxiliary(scanner/http/litellm_proxy_sqli) > set RPORT 4000   # 1.83.3
msf6 auxiliary(scanner/http/litellm_proxy_sqli) > run
[+] 127.0.0.1:4000        - LiteLLM pre-auth SQL injection confirmed (CVE-2026-42208): controls 0.06s/0.07s, pg_sleep(5)=5.05s, pg_sleep(10)=10.04s

msf6 auxiliary(scanner/http/litellm_proxy_sqli) > set RPORT 4001   # 1.83.7 (patched)
msf6 auxiliary(scanner/http/litellm_proxy_sqli) > run
[*] 127.0.0.1:4001        - Not vulnerable (pg_sleep(5) returned in 0.02s vs baseline 0.01s)

check returns Vulnerable / Safe respectively. The module also degrades cleanly
(reports not vulnerable, no errors) against a non-LiteLLM HTTP server and against a
vulnerable proxy whose token table is empty.

Documentation with the full Docker lab setup and scenarios is included at
documentation/modules/auxiliary/scanner/http/litellm_proxy_sqli.md.

Verification Steps

1. Start a vulnerable LiteLLM proxy with a PostgreSQL backend and provision one key (see docs)
2. use auxiliary/scanner/http/litellm_proxy_sqli
3. set RHOSTS <target>
4. run — the module reports the injection when the response time scales with pg_sleep