注入-shell
作者:互联网
import java.io.IOException;
import java.lang.ref.SoftReference;
import java.text.Normalizer;
import java.util.Scanner;
import java.util.regex.Pattern;
class Solution {
public static void main(String[] args) throws IOException {
Scanner scanner = new Scanner(System.in);
String cmd = scanner.next();//next=88.56.21.22;cat /etc/passwd
if (isIpValidate(cmd)) {
f(cmd);
}
}
public static void f(String ip) throws IOException {
String[] cmd = new String[5];
//RunTime不提供shell编译器,需要加/bin/bash -c才能提供,不然无法解析| >等符号
cmd[0] = "/bin/bash";
cmd[1] = "-c";
cmd[2] = "ping -c 4 ";
cmd[3] = ip;
Runtime.getRuntime().exec(cmd);
}
private static boolean isIpValidate(String cmd) {
String normalize = Normalizer.normalize(cmd, Normalizer.Form.NFKC);
Pattern pattern = Pattern.compile("\\||`|&|;<>");
boolean isMatched = pattern.matcher(cmd).find();
return !isMatched;
}
}
标签:shell,java,String,cmd,Normalizer,static,import,注入 来源: https://www.cnblogs.com/t1314/p/15782162.html