Is code injection possible in Java?

Question

Nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Java.

I know there are no pointers in the Java language. But doesn't the JVM organize data in heaps and/or stacks? I know there is no eval function (like in PHP), so you can't easily use an input as Java code. I am not so sure what's going on at the bytecode level.

I think XSS is possible, for example in a Java EE application, when no inputs are filtered. But isn't this more a JavaScript injection, because the injected code runs in the browser and not in the JVM?

So which code injections are possible with Java and which are not? And is this true for other Java platform languages, too?

Thanks.

Recommended answer

A Java program itself is pretty much not vulnerable to code injection. However, all the native code that supports the app is vulnerable to all the different kinds of code injection - this includes the JVM and all native code parts in the app or its libraries.

Also, there are a few more things to consider:

Anything where Java is used as a gateway to other systems is possible:

SQL injection

XSS (which is in the end nothing more than JavaScript Injection)

If the Java program is itself an interpreter/compiler of some kind, it might be possible to inject code into your interpreted language/compiled program (this includes using your program as a Java compiler...)

And of course if you can get the Java program to write a file to disk that contains code (be it native, Java or something else) you might be able to get it executed by other means (which can be a different vulnerability in your app, the OS or another app) - this is not direct code injection but quite similar in effect.
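
The XSS case from the answer above, as an added example that is not part of the original post: the JVM only ever handles the input as a String, and whether it becomes code is decided by the browser that receives the page. The class and method names are hypothetical, and the input is a constructed sample.

```java
// Added example (not from the original post). Class and method names are hypothetical.
public class GatewayInjectionDemo {

    // Vulnerable: the input is concatenated into markup, so the browser
    // (not the JVM) decides whether it is text or script.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: encode the characters that are significant in HTML text and
    // quoted attribute values, so the input stays data in the browser too.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String renderSafe(String name) {
        return "<p>Hello, " + escapeHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for an unfiltered request parameter.
        String input = "<script>alert(1)</script>";

        // To the JVM both results are plain String objects; nothing here is executed.
        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));

        // The hardened output must not contain a raw tag opener from the input.
        if (renderSafe(input).contains("<script>")) {
            throw new AssertionError("input reached the page as markup");
        }
    }
}
```

The encoder covers HTML text and quoted attribute values only; input placed inside a script block, a URL or CSS needs the encoding for that context.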
