The argument to Runtime.getRuntime().exec is simpleBean.getCmd(), and before that call there are also simpleBean.setCmd and simpleBean.setCmd2. From the declaration of CmdObject we can see that getCmd returns this.cmd1 and setCmd assigns this.cmd1, so the argument of exec should be traced back to the cmd parameter of aTaintCase022.

package com.sast.astbenchmark.model;
public class CmdObject {
private String cmd1;
private String cmd2;
public void setCmd(String s) {
this.cmd1 = s;
}
public void setCmd2(String s) {
this.cmd2 = s;
}
public String getCmd() {
return this.cmd1;
}
public String getCmd2() {
return this.cmd2;
}
}

import java.util.HashMap;
import java.util.Map;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
@RestController()
public class AstTaintCase001 {
/**
* Field/element level -> object field -> object element
* This case should be detected
*/
@PostMapping(value = "case022")
public Map<String, Object> aTaintCase022(@RequestParam String cmd) {
Map<String, Object> modelMap = new HashMap<>();
try {
CmdObject simpleBean = new CmdObject();
simpleBean.setCmd(cmd);
simpleBean.setCmd2("cd /");
var sh = simpleBean.getCmd();
var sh2 = sh;
Runtime.getRuntime().exec(sh2);
modelMap.put("status", "success");
} catch (Exception e) {
modelMap.put("status", "error");
}
return modelMap;
}
}
Runtime.getRuntime().exec(* as $para)
$para #> as $paraDef
Note that because the exec call also receives a this argument, Runtime.getRuntime() shows up among the collected arguments as well.
Runtime.getRuntime().exec(* as $para)
$para #-> as $paraDef
With {} you can attach configuration to the analysis while following the dataflow upward or downward.
Runtime.getRuntime().exec(* as $para)
$para #{hook: `* as $a`}-> as $paraDef
package net.javaguides.usermanagement.web;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.javaguides.usermanagement.dao.UserDAO;
import net.javaguides.usermanagement.model.User;
/**
* ControllerServlet.java
* This servlet acts as a page controller for the application, handling all
* requests from the user.
* @email Ramesh Fadatare
*/
@WebServlet("/")
public class UserServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
private UserDAO userDAO;
public void init() {
userDAO = new UserDAO();
}
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// Set the response content type
resp.setContentType("text/html");
// Read the parameter from the request
String message = req.getParameter("message");
// Get the response writer used to send the response body
PrintWriter out = resp.getWriter();
out.println("<h1>Received POST request with message: " + message + "</h1>");
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String action = request.getServletPath();
try {
switch (action) {
case "/insert":
insertUser(request, response);
break;
}
} catch (SQLException ex) {
throw new ServletException(ex);
}
}
private void insertUser(HttpServletRequest request, HttpServletResponse response)
throws SQLException, IOException {
String name = request.getParameter("name");
String email = request.getParameter("email");
String country = request.getParameter("country");
User newUser = new User(name, email, country);
userDAO.insertUser(newUser);
response.sendRedirect("list");
}
}
/(do(Get|Post|Delete|Filter|\w+))|(service)/(*?{!have: this && opcode: param } as $req);
$req.getParameter as $directParam;
$req -{
hook: `*.getParameter as $indirectParam`
}->
$directParam + $indirectParam as $output;
$output(, * as $ParamName)
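The following rule, added here as an illustration and not taken from the Yaklang project, joins the two pieces above: the Runtime.exec sink with its upward dataflow, and the servlet request-parameter source rule. It assumes that `&` intersects two value sets the way `+` unions them, that the `?{opcode: param}` filter can be applied to a named variable, and that `check`/`alert` report on the resulting set.

```syntaxflow
// Sink: every argument passed to Runtime.exec. As noted above, the receiver
// Runtime.getRuntime() is collected here too, because exec receives `this`.
Runtime.getRuntime().exec(* as $para);

// Upward (top-definition) dataflow for each argument. For aTaintCase022 this
// walks sh2 -> sh -> getCmd() -> this.cmd1 -> setCmd(s) -> cmd.
$para #-> as $paraDef;

// Controller-style source: the chain ends at a formal parameter such as the
// @RequestParam cmd of aTaintCase022. Assumption: the `?{opcode: param}`
// filter used in the servlet rule also works on a named variable.
$paraDef?{opcode: param} as $controllerTaint;

// Servlet-style source: the request-parameter rule from above, unchanged.
/(do(Get|Post|Delete|Filter|\w+))|(service)/(*?{!have: this && opcode: param} as $req);
$req.getParameter as $directParam;
$req -{
    hook: `*.getParameter as $indirectParam`
}->;
$directParam + $indirectParam as $servletSource;

// Assumption: `&` is set intersection. An exec argument whose definitions
// include a getParameter() result is tainted by the request.
$paraDef & $servletSource as $servletTaint;

// Either kind of source reaching the sink counts. The Runtime.getRuntime()
// receiver drops out: it is neither a parameter nor a getParameter() result.
$controllerTaint + $servletTaint as $taintedSink;

// Assumption: check/alert report on the final set.
check $taintedSink then "request parameter reaches Runtime.exec" else "no request parameter reaches Runtime.exec";
alert $taintedSink;
```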
YAK official resources
Official Yak language tutorial:
https://yaklang.com/docs/intro/
Yakit video tutorials:
https://space.bilibili.com/437503777
GitHub download:
https://github.com/yaklang/yakit
Yakit official site download:
https://yaklang.com/
Yakit installation documentation:
https://yaklang.com/products/download_and_install
Yakit user documentation:
https://yaklang.com/products/intro/
FAQ quick reference:
https://yaklang.com/products/FAQ