This Metasploit module exploits an expression language remote code execution flaw in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt ...
😛 Primefaces 5.X EL Injection Exploit (CVE-2017-1000486)
😛 pwnfaces
Primefaces 5.X EL Injection Exploit
🕵️ What is pwnfaces?
pwnfaces is a Golang tool created to exploit the vulnerability defined as CVE-2017-1000486 (EL Injection in PrimeFaces 5.X).
⚡ Installing / Getting started
A quick guide on how to install and use pwnfaces:
go install github.com/oppsec/pwnfaces@latest
Remote Code Execution exploit for PrimeFaces 5.x - EL Injection (CVE-2017-1000486)
CVE-2017-1000486
Remote Code Execution exploit for PrimeFaces 5.x - EL Injection (CVE-2017-1000486)
This is basically the same exploit made by Mogwailabs, but edited to work in closed environments without internet access or with outbound traffic blocked by a firewall.
It returns results in an HTTP response header, so it helps in cases where you were doing blind RCE with the old exploit -
CVE-2017-1000486
Primefaces <= 5.2.21, 5.3.8 or 6.0 - Remote Code Execution Exploit
To install the requirements execute:
git clone https://github.com/pimps/CVE-2017-1000486.git
cd CVE-2017-1000486
pip3 install -r requirements.txt
Here is how to use the exploit:
$ python primefaces.py -h
============================================
Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486)
CVE-2017-1000486
Proof of Concept Exploit for PrimeFaces 5.x EL Injection (CVE-2017-1000486), an RCE vulnerability that can be used to gain remote code execution on a target.
Vulnerability description
You can find an excellent description of the vulnerability on the Minded Security blog.
Usage
The exploit provides a help function that prints all important parameters.
/primefaces
CVE-2017-1000486
This is part of Cved: a tool to manage vulnerable docker containers
Cved: github.com/git-rep-src/cved
Image source: github.com/cved-sources/cve-2017-1000486
Image author: github.com/pimps/CVE-2017-1000486
CVE-2017-1000486
This is a PoC of CVE-2017-1000486 with some payloads useful for bypassing lexicographic blacklist checks on the standard functions used to achieve RCE (getClass(), exec(), etc.) and for retrieving the PrimeFaces secret through a padding oracle, in order to be as quiet as possible during exploitation.
Thanks to @pimps, @federicodotta and @AonCyberLabs for their work related to
From the Table to the Code: A Journey Through the RCE Vulnerability in Restaurant POS Systems
On this occasion we came across, by chance, a vulnerability present in several XETUX restaurant POS applications, a solution for monitoring and automating restaurants. In Panama it is a widely u