Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Local malicious class loading and code execution vulnerability due to unauthorized access to designer page. #484

Open
T3qui1a opened this issue Nov 29, 2019 · 0 comments

Comments

@T3qui1a
Copy link

T3qui1a commented Nov 29, 2019

With the following source code, we can easily find that the 'class. Forname' method can load malicious classes.

image

'Class.forname' is a method for JVM to retrieve and load into memory. In this process, the static phase of loading class will be executed.

In other words, if a malicious class is defined in advance, you can execute the static code block of the malicious class here.

image

We successfully execute the code by loading the malicious classes set in advance.

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant