【代码审计】JAVA命令执行

0x00 版权声明

JAVA基础系列是笔者学习@炼石星球的笔记，大部分文字描述取自星球内发布的教程文件，仅作学习。

0x01 命令执行方式

在Java中可用于执行系统命令的方式有三种，分别是java.lang.Runtime， java.lang.ProcessBuilder以及java.lang.UNIXProcess/ProcessImpl。 这三种方式都是JDK原生提供的，并不需要再额外引入。

在针对Java系统进行代码审计以及渗透测试时，目标系统如果存在执行命令的功能，大概率是这三种方法之一。

0x02 java.lang.Runtime

Runtime是java.lang中的一个类，主要是与操作系统交互执行操作命令。

在main.java下新建ExecRuntime.class文件，键入代码：

import java.io.*;
import java.nio.charset.Charset;
public class ExecRuntime {
    public static void main(String[] args) throws Exception {
        String command1 = "cmd /c whoami";
        //windows环境下执行
        String[] command2 = {"cmd","/c","ping www.baidu.com"};
        //Linux环境下执行，也可以是bash，
        //String[] command3 = {"/bin/sh", "/root/xxx.sh", "xxx.sh所需的参数"};
        //exec执行字符串命令
        cmdstring(command1);
        //exec以数组方式接受多个参数并执行
        cmdarray(command2);
    }
    //exec执行字符串命令
    private static void cmdstring(String command) throws IOException {

        String[] command2 = {"cmd","/c", "ipconfig"};
        String line = null;
        Process process = Runtime.getRuntime().exec(command);
        //使用BufferedReader设置编码解决执行命令响应中文乱码问题
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        while ((line = bufferedReader.readLine()) != null) {
            System.out.println(line);
        }
    }
    //exec以数组方式接受多个参数并执行
    private static void cmdarray(String[] command) throws IOException {
        String line = null;
        Process process = Runtime.getRuntime().exec(command);
        //使用BufferedReader设置编码解决执行命令响应中文乱码问题
        BufferedReader bufferedReader =
                new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        while ((line = bufferedReader.readLine()) != null) {
            System.out.println(line);
        }
    }
}

0x03 java.lang.ProcessImpl

键入代码：

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.util.Map;
public class ExecProcessImpl {
    public static void main(String[] args) throws Exception {
        String[] cmds = new String[]{"whoami"};
        Class clazz = Class.forName("java.lang.ProcessImpl");
        Method method = clazz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
        method.setAccessible(true);
        Process process = (Process) method.invoke(null, cmds, null, ".", null, true);
        String line = null;
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        while ((line = bufferedReader.readLine()) != null) {
            System.out.println(line);
        }
    }
}

0x04 java.lang.ProcessBuilder

键入代码：

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;

public class ExecProcessBuilder {
    public static void main(String[] args) throws IOException{
        ProcessBuilder pb = new ProcessBuilder("net","users");
        Process process = pb.start();
        String line;
        BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream(), "GBK"));
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        reader.close();
    }
}

0x05 JavaWeb项目执行命令

创建Spring Initializr，Java版本选择8，等待项目创建成功。

pom.xml中引入servlet依赖：

<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
<scope>provided</scope>
</dependency>

在main.java.com.example.javawebexec目录新建ExecController.class文件，键入代码：

package com.example.javawebexec;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.nio.charset.Charset;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.util.Map;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
@Controller
@ResponseBody
public class ExecController {
    @RequestMapping("/execRuntimeString")
    public void execRuntimeString(String command, HttpServletResponse response) throws IOException {
        String line = null;
        Process process = Runtime.getRuntime().exec(command);
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        PrintWriter out = response.getWriter();
        while ((line = bufferedReader.readLine()) != null) {
            //逐行读取
            System.out.println(line);
            out.print(line);
        }
        bufferedReader.close();
    }
    @RequestMapping("/execRuntimeArray")
    public void execRuntimeArray(String command, HttpServletResponse response) throws IOException {
        String line = null;
        String[] commandarray ={"cmd","/c",command};
        Process process = Runtime.getRuntime().exec(commandarray);
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        PrintWriter out = response.getWriter();
        while ((line = bufferedReader.readLine()) != null) {
            //逐行读取
            System.out.println(line);
            out.print(line);
        }
        bufferedReader.close();
    }
    @RequestMapping("/execProcess")
    public static void execProcess(String command, HttpServletResponse response) throws Exception{
        String line = null;
        String[] cmds = new String[]{"cmd","/c",command};
        Class clazz = Class.forName("java.lang.ProcessImpl");
        Method method = clazz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
        method.setAccessible(true);
        Process process = (Process) method.invoke(null, cmds, null, ".", null, true);
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(process.getInputStream(), Charset.forName("GBK")));
        PrintWriter out = response.getWriter();
        while ((line = bufferedReader.readLine()) != null) {
            System.out.println(line);
            out.print(line);
        }
        bufferedReader.close();
    }
    @RequestMapping("/execBuilder")
    public static void execBuilder(String command, HttpServletResponse response) throws Exception{
        String line = null;
        String[] cmds = new String[]{"cmd","/c",command};
        ProcessBuilder pb = new ProcessBuilder(cmds);
        Process process = pb.start();
        BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream(), "GBK"));
        PrintWriter out = response.getWriter();
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
            out.print(line);
        }
        reader.close();
    }

}

启动项目，浏览器访问不同的接口：

http://localhost:8080/execRuntimeString/?command=whoami

http://localhost:8080/execRuntimeArrary/?command=whoami

http://localhost:8080/execProcess/?command=whoami

http://localhost:8080/execBuilder/?command=whoami