Java Code Audit: Command Execution
0x00 Preface
There are actually not many classes in Java that can execute OS commands, unlike PHP with its assortment of command execution functions. As far as is currently known, only two Java classes execute commands: Runtime and ProcessBuilder.
0x01 Analysis of Command Execution via Runtime
For details on how Runtime is used, see this article, which invokes Runtime via reflection.
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/execServlet")
public class execServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        this.doGet(request, response);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Sink: the "exec" request parameter is passed unchanged to Runtime.exec()
        String exec = request.getParameter("exec");
        Process res = Runtime.getRuntime().exec(exec);
        // Copy the child process's standard output into the HTTP response
        InputStream inputStream = res.getInputStream();
        ServletOutputStream outputStream = response.getOutputStream();
        int len;
        byte[] bytes = new byte[1024];
        while ((len = inputStream.read(bytes)) != -1) {
            outputStream.write(bytes, 0, len);
        }
    }
}
Now run it and pass in a command to see whether it executes normally.
http://localhost:8080/untitled9_war_exploded/execServlet?exec=ipconfig
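For comparison, here is a hardened counterpart to the servlet above. It is an added example, not code from the original post: the request supplies only an action name, which is looked up in a fixed allowlist (the class name SafeCommandRunner and the two actions are assumptions), and the resulting argument vector goes to ProcessBuilder without any shell, so no user-controlled string ever reaches the command sink.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

// Hypothetical hardened replacement for execServlet's doGet logic (example, not from the post).
// User input selects an allowlisted action; the argv for each action is fixed in code.
public class SafeCommandRunner {

    // Allowlist: action name -> fixed argument vector. Adjust entries for the deployment.
    // Note: entries must not route through "cmd /c" or "sh -c", or the shell would
    // reintroduce metacharacter interpretation that argv-style execution avoids.
    private static final Map<String, List<String>> ALLOWED = Map.of(
            "ipconfig", List.of("ipconfig"),
            "uptime",   List.of("uptime"));

    // Returns the combined stdout/stderr of the allowlisted command.
    // Throws IllegalArgumentException for any action not in the allowlist.
    public static String run(String action) throws IOException, InterruptedException {
        List<String> argv = ALLOWED.get(action);
        if (argv == null) {
            // Unknown action: refuse. Log the rejection for detection; do not execute.
            throw new IllegalArgumentException("action not permitted");
        }
        ProcessBuilder pb = new ProcessBuilder(argv); // argv form: no shell involved
        pb.redirectErrorStream(true);
        Process p = pb.start();
        try (InputStream in = p.getInputStream()) {
            byte[] out = in.readAllBytes();
            p.waitFor();
            return new String(out, StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SafeCommandRunner uptime
        System.out.println(run(args.length > 0 ? args[0] : "uptime"));
    }
}
```

When auditing, the question to ask at each Runtime.exec or ProcessBuilder call is whether any part of the argument can be influenced by request data; in this version the answer is no, because the parameter only selects a key.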