POC details: 4b371876b17ba258f3ca246ee40100969996ba8a

Source
Related vulnerability
Title: Primetek Primefaces cryptographic issue vulnerability (CVE-2017-1000486)
Description: Primetek Primefaces is an open-source UI library used in Java EE systems. Primetek Primefaces 5.x contains a cryptographic issue vulnerability. A remote attacker can exploit this vulnerability to execute code.
Description
Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486)
Introduction
# CVE-2017-1000486

Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486), an RCE vulnerability that allows remote code execution on a target.

## Vulnerability description
You can find an excellent description of the vulnerability on the [Minded Security blog](https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html).

## Usage

The exploit provides a help function that prints all important parameters.

```bash
./primefaces.py --help

PrimeFaces 5.x EL injection exploit (CVE-2017-1000486) by MOGWAI LABS
=====================================================================

usage: primefaces.py [-h] [-t] [-e EXTENSION] url [payload]

PrimeFaces 5.x EL injection exploit

positional arguments:
  url                   The target URL (http/https)
  payload               File with the JavaScript (Rino/Nashorn) code to
                        execute or OS command

optional arguments:
  -h, --help            show this help message and exit
  -t, --test            Test mode (off by default)
  -e EXTENSION, --extension EXTENSION
                        Extension of the target (xhtml, jsf)

```

The exploit provides a simple test mode (-t parameter) that can be used to verify whether a target is actually vulnerable.
This works by sending the following EL expression to the target, which adds an additional header field to the HTTP response.
The exploit then checks the response for that header:

```
${facesContext.getExternalContext().setResponseHeader("MOGWAILABS","CHKCHK")}
```

Actual exploitation works by invoking the JavaScript interpreter that is bundled with the Java VM. This allows arbitrary Java code to be executed from JavaScript.

The exploit provides two example payloads:

- payload.js (Execute a OS command)
- sleep.js (Sleep for 4 seconds, causing a delay of the response)

Please note that none of these examples will provide you with the output of the command.
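From a defender's side, the test-mode expression above and the response header it plants are both observable. The following Python snippet is an added example and not part of the PoC repository: it URL-decodes request query strings (repeatedly, so double-encoded payloads are not missed), flags JSF EL expressions that reach an implicit object such as `facesContext`, and checks a response for the `MOGWAILABS: CHKCHK` marker. The access-log format, the `q` parameter name and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# JSF EL expressions use ${...} or #{...}; only flag those that reach a
# JSF implicit object, which no legitimate parameter value should do.
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")
EL_ROOTS = ("facesContext", "request", "session", "application")
# Constructed access-log format assumed here: METHOD PATH?QUERY STATUS
LOG_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded payload does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_el_expressions(query: str) -> list[str]:
    """Return EL expressions in a query string that touch a JSF implicit object."""
    decoded = decode_fully(query)
    return [expr for expr in EL_PATTERN.findall(decoded)
            if any(root in expr for root in EL_ROOTS)]

def has_test_marker(headers: dict[str, str]) -> bool:
    """True if a response carries the MOGWAILABS: CHKCHK header the test mode plants."""
    return any(name.lower() == "mogwailabs" and value.strip() == "CHKCHK"
               for name, value in headers.items())

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (path, expressions) for every request whose query string carries EL."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or "?" not in m["target"]:
            continue
        path, _, query = m["target"].partition("?")
        exprs = find_el_expressions(query)
        if exprs:
            hits.append((path, exprs))
    return hits

# Constructed sample traffic: one benign request and one URL-encoded probe
# carrying the exact test-mode expression quoted in the README.
SAMPLE_LOG = [
    "GET /app/home.xhtml?view=main 200",
    "GET /app/home.xhtml?q=%24%7BfacesContext.getExternalContext%28%29"
    ".setResponseHeader%28%22MOGWAILABS%22%2C%22CHKCHK%22%29%7D 200",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second request; `has_test_marker` can be applied to the headers of outbound responses to catch a successful probe even when the request log was not captured.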


File snapshot

[4.0K] /data/pocs/4b371876b17ba258f3ca246ee40100969996ba8a
├── [  59] payload.js
├── [4.1K] primefaces.py
├── [1.9K] README.md
├── [  23] requirements.txt
└── [  32] sleep.js

0 directories, 5 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source is unavailable or cannot be accessed, please send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.