Vulnerability description
A command execution vulnerability arises when an application needs to call functions that execute system commands. If the code that builds the system command does not filter user-controllable parameters, a user who controls those parameters can splice malicious system commands into the normal command, resulting in a command execution (command injection) attack.
Impact
The attacker inherits the privileges of the web server process to execute system commands or read/write files, obtain a reverse shell, take control of the entire website or even the server, and pivot further into the internal network.
ProcessBuilder command execution
The java.lang.ProcessBuilder class is used to create operating-system processes; each ProcessBuilder instance manages a set of process attributes. The start() method uses those attributes to create a new Process instance, so ProcessBuilder can be used to execute commands:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import org.junit.jupiter.api.Test; // JUnit 5; use org.junit.Test on JUnit 4

@Test
void pbtest() throws IOException, InterruptedException {
    // "&" lets cmd.exe run a second command after the first one
    String command = "dir & ping 127.0.0.1";
    // passing the string through cmd /c hands it to the shell, which parses the "&"
    ProcessBuilder p = new ProcessBuilder("cmd", "/c", command);
    Process pstart = p.start();
    BufferedReader reader = new BufferedReader(new InputStreamReader(pstart.getInputStream()));
    String line;
    while ((line = reader.readLine()) != null) {
        System.out.println(line);
    }
    reader.close();
}
If the command parameter is supplied by the user and the backend does not validate it, additional commands can be appended and executed using separators such as &.
Runtime.exec command execution
@Test
void shell() throws IOException, InterruptedException {
    Runtime runtime = Runtime.getRuntime();
    // the array form passes each element as a separate argument; only cmd /c re-parses it as a shell line
    String cmd[] = {"cmd", "/c", "ping 127.0.0.1"};
    Process p = runtime.exec(cmd);
    BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = reader.readLine()) != null) {
        System.out.println(line);
    }
    reader.close();
}

Likewise, further commands can be appended: String cmd[] = {"cmd", "/c", "ping 127.0.0.1 & ipconfig"};

@Test
void shell() throws IOException, InterruptedException {
    Runtime runtime = Runtime.getRuntime();
    // String cmd[] = {"cmd", "/c", "ping 127.0.0.1 & ipconfig"};
    // Process p = runtime.exec(cmd);
    // the single-String overload is split on whitespace and then handed to cmd.exe, which honours every "&"
    Process p = runtime.exec("cmd /c \"ping 127.0.0.1 & ipconfig & dir\"");
    BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = reader.readLine()) != null) {
        System.out.println(line);
    }
    reader.close();
}
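The hardened counterpart to the snippets above, as an added example that is not part of the original page: the user-supplied value is checked against a strict allowlist and then passed to ProcessBuilder as its own argv element, never through cmd /c, so separators such as & are never parsed by a shell. SafePing, HOST, unsafeArgv and safeArgv are names invented for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.List;
import java.util.regex.Pattern;

public class SafePing {
    // Allowlist for the one value the user may supply: hostname or IPv4 literal characters only.
    // Shell metacharacters (& | ; ` $ " etc.) cannot match, so they are rejected before any process starts.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");

    // The pattern from the page: input spliced into one string that cmd.exe re-parses,
    // so "127.0.0.1 & ipconfig" becomes two commands. Kept here only as the "before".
    static List<String> unsafeArgv(String userInput) {
        return List.of("cmd", "/c", "ping " + userInput);
    }

    // Hardened form: validate, then pass the value as a separate argument of the real
    // binary. ProcessBuilder does no shell parsing, so "&" would be just part of the host.
    static List<String> safeArgv(String userInput) {
        if (!HOST.matcher(userInput).matches()) {
            throw new IllegalArgumentException("rejected host value: " + userInput);
        }
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        String countFlag = windows ? "-n" : "-c"; // ping's packet-count flag differs per OS
        return List.of("ping", countFlag, "1", userInput);
    }

    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // constructed inputs: the first is accepted, the second is refused by the allowlist
        System.out.println(run(safeArgv(args.length > 0 ? args[0] : "127.0.0.1")));
        try {
            safeArgv("127.0.0.1 & ipconfig");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Detection-wise, a process tree in which the web server's JVM spawns cmd.exe (or sh -c) with a command line containing & or | is the signal to alert on; the hardened form never produces such a child at all.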
