
I know there are some functions in CGI and Java that can be abused to perform remote code execution attacks.

For example, we can see abuse of the "eval" function in Movable Type CMS:

sub core_drop_meta_for_table {
  my $self = shift;
  my (%param) = @_;
  my $class = $param{class};
  my $sql = $param{sql};
  eval "require $class;";    # <----------------------------- string eval: $class is interpolated into Perl code and compiled
  my $driver = $class->dbi_driver;
  my $dbh = $driver->rw_handle;
  my $err;
  eval {
    $dbh->do($sql) or $err = $dbh->errstr;
  };
  # ignore drop errors; the column has probably been
  # removed already
  #if ($err) {
  #    print STDERR "$err: $sql\n";
  #}
  return 0;
}

I want to know if there are other functions that allow the attacker to execute arbitrary commands in CGI and Java?

Matthew
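To make concrete why the highlighted line is a code-execution sink and what the safe alternative looks like, here is an added example in Perl. It is not Movable Type's code; the allow-list of class names and the candidate inputs are constructed for the demonstration. The unsafe routine reproduces the string-eval pattern from the snippet; the hardened routine validates the name and then loads it with the file-path form of require, which never compiles the caller's string as Perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern, as in the Movable Type snippet above: the class
# name is interpolated into a string that eval then compiles as Perl.
# Anything after a ';' in $class is executed as code, not treated as a name.
sub unsafe_load_class {
    my ($class) = @_;
    eval "require $class;";
    return $@ ? 0 : 1;
}

# Hardened version (added example, not Movable Type code).
# The set of loadable classes is an assumption made for this demo.
my %ALLOWED_CLASS = map { $_ => 1 } qw(MT::Entry MT::Comment MT::Author);

# Accept only syntactically valid package names that are on the allow-list.
sub class_name_is_allowed {
    my ($class) = @_;
    return 0 unless defined $class;
    return 0 unless $class =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/;
    return $ALLOWED_CLASS{$class} ? 1 : 0;
}

# Load a validated class with "require EXPR" on a file path. This form
# resolves a module file through @INC and never evaluates $class as code.
sub safe_load_class {
    my ($class) = @_;
    return 0 unless class_name_is_allowed($class);
    (my $file = "$class.pm") =~ s{::}{/}g;   # MT::Entry -> MT/Entry.pm
    eval { require $file; 1 } or return 0;   # block eval: only traps load errors
    return 1;
}

# Constructed inputs: a legitimate allow-listed name, a valid-looking
# name that is not allow-listed, and a value with code appended after
# the class name (the case that the string eval above would execute).
my @candidates = (
    'MT::Entry',
    'MT::Template',
    'MT::Entry; print "this text came from string eval"',
);

for my $input (@candidates) {
    printf "%-55s allowed=%d\n", $input, class_name_is_allowed($input);
}
```

Two details carry the fix: the regex rejects anything that is not a bare package name, so a trailing ";" or whitespace never reaches a loader, and the block form of eval (eval { ... }) only traps exceptions, whereas the string form (eval "...") compiles and runs its argument. Even with validation in place, the explicit allow-list is what stops a caller from loading an unexpected but syntactically valid module.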

1 Answer


The direct equivalent in Java would be using class loaders or implementing an interpreter, particularly if it allows arbitrary method calls through reflection. An IDE or other code viewer that allows tracing back method calls will show you APIs that indirectly use this (or use grep).

Oracle's Secure Coding Guidelines for Java SE has a list of examples in Guideline 3-8 / INJECT-8: Take care interpreting untrusted code.