5.3.1. Basic Concepts

5.3.1.1. JVM

The JVM is the core of the Java platform, implemented in machine code, and provides all the basic functions required for program execution, such as bytecode parsers, JIT compilers, garbage collectors, and more. Since it is implemented in machine code, it is also vulnerable to binary attacks.

JCL is a standard library that comes with the JVM and contains hundreds of system classes. By default, all system classes are trusted and have all privileges.

5.3.1.2. JDK

Java Development Kit (Java Development Kit, JDK) is a Java platform released by Oracle Corporation, and there are Standard Edition (Java SE), Enterprise Edition (Enterprise Edition, Java EE) and other versions.

In the beginning, JDK was released in binary form, then on November 17, 2006, Sun released the source code of Java under the GPL license, and then OpenJDK appeared.

5.3.1.3. JMX

JMX (Java Management Extensions, Java Management Extensions) is a framework that implants management functions for applications, and mainly provides corresponding tools for managing and monitoring applications, system objects, devices and service-oriented networks. JMX can remotely read values ​​in the system and call methods in the system. When JMX is not configured for authentication or the JDK version is too low, there is a deserialization vulnerability, which may lead to remote code execution.

5.3.1.4. JNI

JNI (Java Native Interface) is an interface provided by Java to interact with other languages.

5.3.1.5. JNA

JNA (Java Native Access) is a framework on top of JNI, which is used to automatically implement the mapping of Java interfaces to native functions without the need to write additional JNI code.

5.3.1.6. OGNL

OGNL (Object-Graph Navigation Language, Object Navigation Language) is a powerful expression language. Through simple and consistent expression syntax, it provides access to any properties of objects, methods of calling objects, and traversing the structure diagram of the entire object. , to achieve field type conversion and other functions.

OGNL is used in Struts2, which provides a ValueStack class. ValueStack is divided into two parts: root and context. The root is the current action object, and the context is all the content in the ActionContext.

5.3.1.7. IO Model

Java encapsulates various IO models of the operating system to form different APIs.

5.3.1.7.1. BIO

BIO (Blocking I/O) is a synchronous blocking I/O mode. The reading and writing of data must be blocked in a thread waiting for its completion.

5.3.1.7.2. NIO

NIO (New I/O) is a synchronous non-blocking I/O model, introduced in Java 1.4, corresponding to the java.nio package, which provides abstractions such as Channel, Selector, and Buffer.

5.3.1.7.3. AIO

AIO (Asynchronous I/O) was introduced in Java 7 and is an improved version of NIO. It is an asynchronous non-blocking IO model based on events and callback mechanisms.

5.3.1.8. Reflection

5.3.1.8.1. Introduction

Java reflection mechanism means that in the running state, for any class, you can know all the properties and methods of this class; for any object, you can call any of its methods and properties; this dynamic acquisition of information and dynamic invocation of objects The function of the method is called the reflection mechanism of the language.

5.3.1.8.6. Constructor

  • newInstance(Object… initargs)
    • Create an object of the class based on the passed parameters