Command injection in Java

Overview

Command injection vulnerabilities allow an attacker to inject arbitrary system commands into an application. The commands execute at the same privilege level as the Java application and provide the attacker with functionality similar to a system shell. In Java, Runtime.exec is often used to invoke a new process, but it does not invoke a command shell: the command string is split on whitespace and handed to the new process as its argument list, so shell metacharacters such as &, |, ; and > are not interpreted, and chaining or piping multiple commands together does not usually work. Command injection is still possible if the process spawned with Runtime.exec is itself a command shell such as command.com, cmd.exe, or /bin/sh, because the shell parses the arguments it receives a second time.

Examples

Example 1

The code below lets a user control the arguments to the Windows find command. Although the user has full control over the arguments, it is not possible to inject additional commands. For example, inputting "test & del file" will not cause the del command to execute: Runtime.exec(String) tokenizes the command string on whitespace and then invokes find with the four parameters "test", "&", "del" and "file", and no shell ever interprets the "&". Full control over the arguments is still a weakness in its own right (argument injection): the user decides which files find reads and which options it runs with, so the input should be validated even though chaining is not possible.

import java.io.*;

public class Example1 {
	public static void main(String[] args)
	throws IOException {
		if(args.length != 1) {
			System.out.println("No arguments");
			System.exit(1);
		}
		Runtime runtime = Runtime.getRuntime();
		// Runtime.exec(String) tokenizes on whitespace and starts find directly.
		// "test & del file" therefore becomes the arguments "test", "&", "del",
		// "file"; there is no shell to give the "&" a special meaning.
		Process proc = runtime.exec("find" + " " + args[0]);

		// Relay find's standard output to the caller.
		InputStream is = proc.getInputStream();
		InputStreamReader isr = new InputStreamReader(is);
		BufferedReader br = new BufferedReader(isr);

		String line;
		while ((line = br.readLine()) != null) {
			System.out.println(line);
		}
	}
}

Example 2

The code below invokes the system shell to run a command that is built into the interpreter rather than shipped as a separate executable, passing user input as its parameters. Built-in Windows commands such as dir and copy are part of cmd.exe and therefore cannot be invoked directly by Runtime.exec; the program has to start cmd.exe /C and hand it a command line, which cmd.exe parses itself. In this case command injection is possible and an attacker can chain multiple commands together. For example, inputting ". & echo hello" produces the command line dir . & echo hello, so cmd.exe lists the contents of the current directory and then runs echo to print a friendly message; any other command could take echo's place.

import java.io.*;

public class Example2 {
	public static void main(String[] args)
	throws IOException {
		if(args.length != 1) {
			System.out.println("No arguments");
			System.exit(1);
		}
		Runtime runtime = Runtime.getRuntime();
		// dir is built into cmd.exe, so the program must go through the shell.
		// cmd.exe /C re-parses the whole of cmd[2], including any & | > ^
		// metacharacters the user supplies: this is the injection point.
		String[] cmd = new String[3];
		cmd[0] = "cmd.exe";
		cmd[1] = "/C";
		cmd[2] = "dir " + args[0];
		Process proc = runtime.exec(cmd);

		// Relay whatever the shell (and any injected command) writes to stdout.
		InputStream is = proc.getInputStream();
		InputStreamReader isr = new InputStreamReader(is);
		BufferedReader br = new BufferedReader(isr);

		String line;
		while ((line = br.readLine()) != null) {
			System.out.println(line);
		}
	}
}
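Remediation for Example 2, added here as an example that is not part of the original page. Because dir is a cmd.exe built-in, the fix is not to escape the input for the shell but to remove the shell: do the work in Java (java.nio.file replaces dir), or, when an external program really is needed, start that program directly with a ProcessBuilder argument list and never put cmd.exe or /bin/sh in argv[0]. The class name Example2Fixed, the temporary base directory and the INTERPRETERS set are assumptions made for this demo; the set is a defence-in-depth check, not an exhaustive catalogue of shells. The main method feeds the page's ". & echo hello" payload to the replacement and shows that, with no interpreter in the loop, it is just a directory name that does not exist.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

public class Example2Fixed {

    // dir is a cmd.exe built-in, which is why Example 2 had to go through the shell.
    // Re-implementing the listing with java.nio.file removes the interpreter
    // entirely: "&", "|", ">" and "^" in the input are just characters in a path.
    public static List<String> listDirectory(Path base, String userInput) throws IOException {
        Path baseAbs = base.toAbsolutePath().normalize();
        Path requested = baseAbs.resolve(userInput).normalize();
        // Reject traversal: the normalized target must stay inside the base directory.
        if (!requested.startsWith(baseAbs)) {
            throw new IllegalArgumentException("path escapes the allowed base directory: " + userInput);
        }
        List<String> names = new ArrayList<>();
        try (Stream<Path> entries = Files.list(requested)) { // NoSuchFileException if absent
            entries.map(p -> p.getFileName().toString()).sorted().forEach(names::add);
        }
        return names;
    }

    // Assumed denylist for the demo. Command interpreters re-parse their command
    // line, so user input in *any* argument after "cmd.exe /C" or "sh -c" is still
    // command injection even when the arguments are passed as separate array elements.
    private static final Set<String> INTERPRETERS = Set.of(
            "cmd", "cmd.exe", "command.com", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
            "sh", "bash", "dash", "zsh", "ksh", "csh");

    // Runs a real executable with user-controlled values as separate argv elements.
    // ProcessBuilder does not tokenize list elements, so "test & del file" reaches
    // the program as one literal argument. Argument injection (input beginning with
    // "-" or "/") must still be handled by the caller, e.g. with an allowlist.
    public static List<String> runWithoutShell(List<String> argv) throws IOException, InterruptedException {
        if (argv.isEmpty()) throw new IllegalArgumentException("empty argv");
        Path programName = Paths.get(argv.get(0)).getFileName();
        if (programName == null || INTERPRETERS.contains(programName.toString().toLowerCase())) {
            throw new IllegalArgumentException("refusing to run a command interpreter: " + argv.get(0));
        }
        ProcessBuilder pb = new ProcessBuilder(argv).redirectErrorStream(true);
        Process proc = pb.start();
        List<String> output = new ArrayList<>();
        try (BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
            String line;
            while ((line = br.readLine()) != null) output.add(line);
        }
        proc.waitFor();
        return output;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a temporary base directory holding two files.
        Path base = Files.createTempDirectory("example2fixed");
        Files.createFile(base.resolve("a.txt"));
        Files.createFile(base.resolve("b.txt"));

        System.out.println(listDirectory(base, "."));

        // The Example 2 payload: no shell runs, so it is only a (non-existent) directory name.
        try {
            listDirectory(base, ". & echo hello");
        } catch (NoSuchFileException e) {
            System.out.println("no interpreter involved, treated as a literal name: " + e.getMessage());
        }
        // Traversal is caught by the base-directory check.
        try {
            listDirectory(base, ".." + FileSystems.getDefault().getSeparator() + "..");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        // Interpreter refused even though the injected text sits in argv[2], not argv[0].
        try {
            runWithoutShell(List.of("cmd.exe", "/C", "dir . & echo hello"));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The interpreter check matters because the array form of Runtime.exec and ProcessBuilder only protects you when argv[0] is the real program. On Windows the JVM joins the list back into a single command-line string for CreateProcess, and cmd.exe /C parses that string again, so new ProcessBuilder("cmd.exe", "/C", "dir", userInput) is just as injectable as Example 2: an input such as .&echo hello contains no space, is not quoted by the JVM, and is split by cmd.exe at the &.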