+ 1

(Wanted) Code-Injection in Java

I wondered lately, how I could make a program execute (java) commands that were entered and read by a Scanner. It returns me a String, I think, (how) can I tell Java:"Hey, look at this String, it's cool, try to to what it tells you." For example: my String is "System.out.println(5);". Now guess what I want to happen... There might be a problem, I know: The JVM reads my code compiled as Bytecode, so that might not work. But what would happen, if I entered Bytecode (as String)? I hope someone can help me ā˜ŗ

javacodeinjection
14th Feb 2018, 11:41 AM
D B
D B - avatar
3 Answers
+ 1
yeah, I guessed you Had Kind of Idea ;) No, I'm sorry; Java does Not Work that way. think of the JavaVM as a little blackbox/Sandbox Kind of Thing. there might bei scenarios where User Inputs have that effect; e.g. Java embedded very poorly in Javascript, but then it's more the Implementation in Javascript thats flawed. because of that, I did Not do/saw much in Java, but when I did, it was about deserialization. if thats too hard, generally, stackbufferoverflows are the First step into binary exploitation, If you have not looked Into It yet. you Just need a simple c program, and gdb. Cheers ;)
18th Feb 2018, 7:42 PM
Chiliz
+ 1
Well that depends. do you Want your own program to do this? There are some ways to achieve this, but they look rather hacky/smelly tbh. do you Want to Trigger that in another program? (e.g. as an exploit) that won't Work that in such a direct way, because JVM is, what it says - a Virtual Machine, and we don't know how the Data is processed, the memory is stored and how the commands end up getting executed(in direct contrast to c/c++, where we know all that, and can see it with e.g. gdb). Java has other vulnerabilities as Javascript or C/c++, for example, deserialization. of course, If its embedded in Javascript, it's different. and you can Play with the bytecode using Agent, there are some Tutorials online (I don't know much about that). If you Want to implement that: you are looking vor an Eval() aequivalent right? that May be possibility If you use a few Tricks.. but First: Java, is a compiled language, and Eval or eval-like functions Need the Compiler/Interpreter at runtime, which is Not usually the Case in Java. so you need to think carefully If you Want to Change that, usually These Things are there for a reason.
18th Feb 2018, 7:05 PM
Chiliz
+ 1
Well, when I have a Textinput and I perform a SQL-thing with it (and it is done bad) I can do a code Injection like: "" OR TRUE I want that to happen with Java in a similar way. Maybe a better demonstration is: In my IDE, I have a little box where I can enter commands. Like 4+4 8 myObj.doThat(); myObj.giveMeNames() "Peter" Now is it possible to have this without my IDE?
18th Feb 2018, 7:18 PM
D B
D B - avatar

Often have questions like this?

Learn more efficiently, for free:

See all courses
Hot today
ŠšŠ°Šŗ рŠµŃˆŠøть?
0 Votes
How can I use "Return" I don't understand šŸ˜…
0 Votes
I need help! I have no idea why my calculator is not working, it shows an error in line 4 in JS, and I have no idea how fix it!
2 Votes
Help me please šŸ„ŗšŸ„ŗ
0 Votes
I'm not even know coding. where i can start?
0 Votes
How can I mention someone in a comment ?
2 Votes
Suggestions
2 Votes
Just new here
1 Votes
Š—Š°Š“Š°Ń‡Š° цŠøŠŗŠ»Š° While C# Š”уŠ¼Š¼Š°
2 Votes
PHP
1 Votes