PrimeFaces 5.x Application Expression Language Injection RCE
CVE-2017-1000486 is a remote code execution vulnerability in Primetek PrimeFaces 5.x; the public exploits summarised below cite versions up to 5.2.21, 5.3.8 and 6.0 as affected. PrimeFaces serves dynamic content through a resource handler that accepts an Expression Language (EL) expression, encrypted and base64-encoded, in the pfdrid request parameter and evaluates it on the server. The encryption is DES with a key and IV derived from a password by iterated MD5, and the password defaults to the fixed string "primefaces". An attacker who knows that default secret, or who recovers a custom one through a padding oracle attack against the same endpoint, can encrypt an arbitrary EL expression that the application will evaluate; the expressions used in practice instantiate a script engine and spawn OS commands, returning their output in the HTTP response. The weakness is categorised as inadequate encryption strength, but the practical effect is unauthenticated code execution on the application server.
Exploits
Three public exploit repositories for this CVE are summarised below.
Repository is a standalone Golang exploitation tool named "pwnfaces" targeting PrimeFaces 5.x EL injection (CVE-2017-1000486). main.go implements CLI parsing (-u/--url, -c/--cmd with default whoami, -p/--proxy) and supports bulk targeting via stdin (e.g. cat urls.txt | pwnfaces); src/interface/ui.go prints a banner.

src/pwnfaces/exploit.go contains the exploit logic. It first performs a GET request to the provided base URL (ensuring a trailing slash) and then crafts an encrypted PrimeFaces dynamic resource payload: the EL expression is DES-CBC encrypted with a key and IV derived by iterated MD5 (password "primefaces", fixed salt A9 9B C8 32 56 34 E3 03, 19 iterations) and base64-encoded to become the pfdrid parameter. The tool then POSTs form data (pfdrt=sc, ln=primefaces, pfdrid=<encrypted>, cmd=<operator command>) to two candidate endpoints: /javax.faces.resource/dynamiccontent.properties.jsf and /javax.faces.resource/dynamiccontent.properties.xhtml.

The injected EL uses ScriptEngineManager plus JavaScript to execute OS commands via ProcessBuilder (Windows cmd.exe /C or /bin/sh -c) and prints stdout to the HTTP response. The tool heuristically decides whether it got command output by checking the response body for "<!" (treating HTML as non-output). It supports SOCKS and HTTP proxies and disables TLS certificate verification. A Dockerfile is included to run a Tomcat 7 container with the PrimeFaces showcase WAR (showcase-5.2.war) as a likely vulnerable testbed.
This repository provides a proof-of-concept (PoC) exploit for CVE-2017-1000486, a remote code execution vulnerability in the PrimeFaces JSF framework. The exploit consists of two scripts:

1. exploit.py (Python): the main exploit script, which crafts and encrypts malicious Java Expression Language (EL) payloads and sends them to a target PrimeFaces endpoint via HTTP POST requests. It can use a known or user-supplied PrimeFaces secret, or attempt to recover the secret using a padding oracle attack. The script supports custom payloads, command execution, and proxy configuration.
2. padBuster.pl (Perl): an auxiliary tool used to perform padding oracle attacks to recover the PrimeFaces secret if it is not known. It is invoked by exploit.py as needed.

The exploit works by abusing the weak encryption and predictable secret in vulnerable PrimeFaces versions, allowing an attacker to inject arbitrary EL expressions, which can be used to execute system commands on the server, retrieve sensitive information, or manipulate server responses. The README.md provides background, payload examples, and usage notes, including techniques to bypass common blacklists and filters. The attack vector is network-based, targeting web applications that use vulnerable versions of PrimeFaces; the fingerprintable endpoint is any HTTP endpoint that processes the pfdrid parameter as part of the PrimeFaces framework. The exploit is a PoC but demonstrates full RCE capability if the target is vulnerable.
This repository provides a working exploit for CVE-2017-1000486, a remote code execution vulnerability in the PrimeFaces JSF framework (versions <= 5.2.21, 5.3.8, or 6.0). The exploit is implemented in Python (primefaces.py) and leverages an expression language (EL) injection flaw, allowing arbitrary command execution on the target server. It can use either a default encrypted payload (if the default password is in use) or a padding oracle attack to generate a valid payload if the password is unknown. The code supports optional proxying and custom cookies, and can be used in both proof-of-concept and full exploit modes.

The repository includes a Dockerfile to set up a vulnerable test environment using Tomcat 7 and the PrimeFaces 5.2 showcase application. The attack vector is network-based, targeting the vulnerable PrimeFaces resource endpoint via HTTP POST requests. The payload achieves command execution by injecting EL that instantiates a JavaScript engine and runs system commands, returning the output in the HTTP response. The exploit is operational and can be used to verify and exploit the vulnerability in real-world or test environments.
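All three tools above (pwnfaces and the two Python exploits) share the same construction: DES-CBC with a key and IV derived from the password "primefaces", the fixed salt A9 9B C8 32 56 34 E3 03 and 19 MD5 iterations, then base64 into pfdrid. That derivation is PKCS#5 PBKDF1 with MD5, the scheme behind JCE's PBEWithMD5AndDES, and having it in runnable form is useful both for reproducing a payload against your own showcase container and, on the defensive side, for decrypting pfdrid values pulled from access logs to see what EL they carry. The block below is an added example written for this page, not code from any of the repositories or from PrimeFaces itself. It implements the derivation, DES-CBC with PKCS#5 padding, an encoder and decoder for the pfdrid value, and a helper, IsSuspiciousPfdrid (my name), that decrypts with the default secret and flags EL reaching for script engines or reflection. The sample expressions in main are constructed; the second one is only the script-engine prefix shape the exploits use, not a working command payload.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Default PrimeFaces secret and the fixed PBE parameters the exploits describe.
const defaultSecret = "primefaces"

var pbeSalt = []byte{0xA9, 0x9B, 0xC8, 0x32, 0x56, 0x34, 0xE3, 0x03}

const pbeIterations = 19

// deriveKeyIV is PKCS#5 PBKDF1 with MD5, as used by PBEWithMD5AndDES:
// T1 = MD5(password || salt), Ti = MD5(Ti-1); after c rounds the
// 16-byte digest is split into an 8-byte DES key and an 8-byte IV.
func deriveKeyIV(password string, salt []byte, iterations int) (key, iv []byte) {
	t := md5.Sum(append([]byte(password), salt...))
	for i := 1; i < iterations; i++ {
		t = md5.Sum(t[:])
	}
	return t[:8], t[8:16]
}

// pkcs5Pad appends 1..blockSize bytes, each equal to the pad length.
func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and strips the padding; a wrong key usually fails here.
func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncodePfdrid encrypts an EL expression into the base64 form the
// dynamic-content resource handler expects in the pfdrid parameter.
func EncodePfdrid(secret, el string) string {
	key, iv := deriveKeyIV(secret, pbeSalt, pbeIterations)
	block, _ := des.NewCipher(key) // key is always 8 bytes here
	pt := pkcs5Pad([]byte(el), des.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct)
}

// DecodePfdrid reverses EncodePfdrid. With the wrong secret the plaintext is
// garbage and the padding check fails (except about one time in 256).
func DecodePfdrid(secret, pfdrid string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(pfdrid)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("ciphertext is not a multiple of the DES block size")
	}
	key, iv := deriveKeyIV(secret, pbeSalt, pbeIterations)
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs5Unpad(pt, des.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// suspiciousEL matches fragments a legitimate dynamic-resource id never carries.
var suspiciousEL = regexp.MustCompile(`ScriptEngineManager|ProcessBuilder|Runtime|forName\(|getClass\(`)

// IsSuspiciousPfdrid decrypts a captured pfdrid with the default secret and
// reports whether the embedded EL uses script engines or reflection.
func IsSuspiciousPfdrid(pfdrid string) bool {
	pt, err := DecodePfdrid(defaultSecret, pfdrid)
	if err != nil {
		return false
	}
	return suspiciousEL.MatchString(pt)
}

func main() {
	// Constructed samples: a benign expression and the script-engine prefix shape.
	benign := "#{bean.image}"
	abusive := "${''.getClass().forName('javax.script.ScriptEngineManager')}"
	for _, el := range []string{benign, abusive} {
		id := EncodePfdrid(defaultSecret, el)
		fmt.Printf("pfdrid=%s suspicious=%v\n", id, IsSuspiciousPfdrid(id))
	}
}
```

Two caveats when using this against logs. An application that set its own secret will make DecodePfdrid fail with a padding error, so a non-decryptable value is "unknown", not "clean"; and because the padding oracle tools above recover a custom secret from the same endpoint, changing the secret is only a speed bump, not a fix. The reliable signal independent of the secret is the request shape itself: a POST to /javax.faces.resource/dynamiccontent.properties.jsf or .xhtml carrying pfdrt=sc and ln=primefaces together with a cmd parameter.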
Recent activity
A Primefaces Application Expression Language Injection vulnerability used by FIN13.
A PrimeFaces Expression Language injection vulnerability used for initial access.
A PrimeFaces Expression Language injection vulnerability used to gain initial access via exploitation of a public-facing application.
A remote code execution vulnerability in Primetek Primefaces 5.x caused by a weak encryption flaw.