- 浏览: 659269 次
- 性别:
- 来自: 杭州
文章分类
最新评论
-
HkEndless:
不好意思,请问这确定是回调机制吗。你的例子中只是将接口的实现类 ...
Spring CallBack回调机制介绍 -
hanmiao:
写的真乱啊,完全不知所云...
Java如何调用可执行文件和批处理命令 -
junia_1:
junia_1 写道 shock: ...
为什么要使用EJB -
junia_1:
shock:
为什么要使用EJB -
coollifer:
不错
SQL Server数据导入到Oracle中的方法
Overview
Command injection vulnerabilities allow an attacker to inject arbitrary system commands into an application. The commands execute at the same privilege level as the Java application and provides an attacker with functionality similar to a system shell. In Java, Runtime.exec is often used to invoke a new process, but it does not invoke a new command shell, which means that chaining or piping multiple commands together does not usually work. Command injection is still possible if the process spawned with Runtime.exec is a command shell like command.com, cmd.exe, or /bin/sh.
Examples
Example 1
The code below allows a user to control the arguments to the Window's find command. While the user does have full control over the arguments, it is not possible to inject additional commands. For example, inputting “test & del file” will not cause the del command to execute, since Runtime.exec tokenizes the command string and then invokes the find command using the parameters “test”, “&”, “del”, and “file.”
import java.io.*; public class Example1 { public static void main(String[] args) throws IOException { if(args.length != 1) { System.out.println("No arguments"); System.exit(1); } Runtime runtime = Runtime.getRuntime(); Process proc = runtime.exec("find" + " " + args[0]); InputStream is = proc.getInputStream(); InputStreamReader isr = new InputStreamReader(is); BufferedReader br = new BufferedReader(isr); String line; while ((line = br.readLine()) != null) { System.out.println(line); } } }
Example 2
The code below invokes the system shell in order to execute a non-executable command using user input as parameters. Non-executable Window's commands such as dir and copy are part of the command interpreter and therefore cannot be directly invoked by Runtime.exec. In this case, command injection is possible and an attacker could chain multiple commands together. For example, inputting “. & echo hello” will cause the dir command to list the contents of the current directory and the echo command to print a friendly message.
import java.io.*; public class Example2 { public static void main(String[] args) throws IOException { if(args.length != 1) { System.out.println("No arguments"); System.exit(1); } Runtime runtime = Runtime.getRuntime(); String[] cmd = new String[3]; cmd[0] = "cmd.exe" ; cmd[1] = "/C"; cmd[2] = "dir " + args[0]; Process proc = runtime.exec(cmd); InputStream is = proc.getInputStream(); InputStreamReader isr = new InputStreamReader(is); BufferedReader br = new BufferedReader(isr); String line; while ((line = br.readLine()) != null) { System.out.println(line); } } }
发表评论
-
hibernate Restrictions用法 MatchMode.ANYWHERE
2012-07-14 15:50 3970方法 说明 Res ... -
URLClassLoader
2012-05-27 19:45 998This example shows how a serv ... -
MyClassLoader 自定义类加载器
2012-05-27 19:38 1524package demo; import java. ... -
Deal with big-endian and little-endian order
2011-12-25 19:17 1120Java virtual machine always use ... -
修改eclipse的背景色
2011-11-12 19:23 1114eclipse 操作界面默认颜色为白色。对于我们长期 ... -
多线程管道流输入输出模式
2011-11-07 07:23 1091import java.io.* ; class Send ... -
Java计数单字节双字节字符个数的例子
2011-10-26 14:29 1294/* 计数单双字符的个数并存储在Map对象中 ... -
常用内存数据库3
2011-10-24 00:24 15204.1.2 哪些场合适合使用其他的关系型数据库管 ... -
java字节码规则
2011-09-05 13:56 1253栈和局部变量操作 将常量压入栈的指令 aconst_nul ... -
Tomcat中限制ip访问
2011-08-23 21:40 1272Tomcat中限制ip访问是非常简单的,只需要编辑server ... -
一个Java程序员应该掌握的10项技能
2011-08-22 10:27 6211、语法:必须比较熟 ... -
2011 年 8 月 Java 开发人员新闻快讯
2011-08-18 18:59 837Java SE 7 发布了! 经过世界各地 Ja ... -
BlockingQueue
2011-08-13 09:59 718import java.util.concurrent.Arr ... -
eclipse中java项目转换为web项目
2011-07-27 18:29 898经常在eclipse中导入web项目时,出现转不了项目类型 ... -
Oracle官方Weblogic插件安装
2011-07-20 22:00 2881Installing Oracle Enterprise Pa ... -
Java集合HashSet-ArrayList-HashMap的线程同步控制方法和区别
2011-06-21 17:44 2321C ollections类中提供了多 ... -
关于java的集合类,以及HashMap中Set的用法
2011-06-21 17:35 1806import java.util.*; public c ... -
Java的动态代理实例
2011-06-16 03:44 1058首先写一个接口: package net.test.dyna ... -
Java如何调用可执行文件和批处理命令
2011-06-07 00:58 2351Java是种跨平台的语言,我们经常碰到需要通过Java调用wi ... -
jsp实现图片验证码的方法
2011-06-07 00:57 1393调用方法 <img src=&quo ...
相关推荐
在Java设计模式中,Command模式是相当实用的一种,尤其在需要灵活管理和调度操作的场景下,如GUI事件处理、事务管理等。通过了解和熟练掌握Command模式,开发者可以更好地设计和实现复杂系统,提高代码的可读性和可...
内容概要:本文档详细讲解了使用Python3在DVWA(Damn Vulnerable Web Application)平台进行Command Injection漏洞利用程序(Exploit)的编写步骤,涵盖了基本的概念解释、环境搭建、攻击向量的选择与实现、具体脚本...
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address] where: -C - command executed in the remote classfile. (optional , default command is "open /Applications/...
Java命令行工具是Java开发和运行过程中的基础,它们提供了对Java环境的全面管理,包括启动Java应用程序、编译源代码、查看类信息以及管理Java虚拟机(JVM)。以下是一些重要的Java命令及其详细解释: 1. **java命令...
这个主题,"JAVA-DOS-command.rar_DOS java_dos command_java dos_shelf" 就是关于如何在Java中调用DOS命令的实践指南。下面我们将详细探讨这一关键知识点。 1. **Runtime类与Process类**: Java的`java.lang....
### Java设计模式详解——《Patterns in Java Volume 2》概览与知识点提炼 #### 一、书籍概述 《Patterns in Java Volume 2》是一本深入探讨Java编程语言中设计模式应用的专业书籍。该书由Mark Grand撰写,并由...
命令模式(Command Pattern)是一种行为设计模式,它将请求封装为一个对象,使得你可以使用不同的请求、队列请求,或者支持可撤销的操作。在Java中实现命令模式,我们可以利用面向对象编程的特性来构建系统,使得...
《Patterns in Java》是一本由著名软件设计师及作家Erich Gamma和Richard Helm、Ralph Johnson以及John Vlissides合作编著的经典书籍,通常被称为“Gang of Four”(GoF)的设计模式之作。这本书深入探讨了在Java...
5. 命令注入(Command Injection) 6. 路径操作(Path Manipulation) 7. 跨站请求伪造(Cross-Site Request Forgery, CSRF) 8. 访问控制不当(Insecure Access Control) 9. 不安全的随机数生成(Insecure ...
Java实现远程登录Linux主机并发送命令获取回显,进行解析
"Command Line File Manager"利用Java提供的标准输入/输出流(System.in, System.out)和System类来实现用户交互,用户可以通过键盘输入命令来执行相应的文件操作。 文件管理是任何操作系统的核心部分。在"Command ...
Powerful Command-Line Applications in Go
Apart from knowing, a programming language you also need to have good command of these key computer fundamentals to not only qualify the interview but also excel in you jobs as a software engineer.
A command mentioned in the various analysis guides implies a link to the detailed command description given in this reference. For ordering purposes, the alphabetical ordering of commands that begin ...
而《HeadFirst in Java》则是学习Java编程的优秀教程,它涵盖了Java的基础和高级特性,同时也融入了设计模式的概念。 23种经典设计模式是GOF(GoF, Gamma, Helm, Johnson, Vlissides)在《设计模式:可复用面向...
In addition, the book covers several new classes and capabilities introduced in the last few revisions of the Java platform. New abstractions to be covered include NetworkInterface, InterfaceAddress, ...
本文将深入探讨Azkaban 3.51.0中的两种主要任务类型:`command`和`java`,并提供相应的示例。 ### 一、Azkaban支持的插件类型 Azkaban支持多种任务类型,包括但不限于: 1. **Command**:允许执行Linux Shell...
These windows exe files provides the same functions as usual Unix command, we can use powerful Unix command (very useful for text hanlding) in Windows now.
Jacl(Java Command Language)是专门为Java环境设计的一种Tcl脚本语言版本。它的解释器完全用Java编写,可以在任何Java虚拟机上运行。因此,Jacl能够成为Java环境中一个通用的脚本语言,用于创建Web内容或控制Java...