java反射机制执行命令

public class Encryptor{
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        String [] cmd = {"cmd","/C","calc"};
        Process proc = Runtime.getRuntime().exec(cmd);
        String.class.getClass().
        forName("java.lang.Runtime")
        .getMethod("exec",String.class)
        .invoke(
                String.class.getClass().forName("java.lang.Runtime").
                getMethod("getRuntime").
                invoke(String.class.getClass().forName("java.lang.Runtime"))
                ,new String[]{"/bin/bash","-c","id"}
                );
    }
}

SPEL表达式注入： 如果参数greetingExp可以控制存在spel注入，通过java反射机制注入恶意代码

public static void main(String[] args) {        
    String greetingExp = "Hello, #{ #user }";                                 
    ExpressionParser parser = new SpelExpressionParser();           
    EvaluationContext context = new StandardEvaluationContext();        
    context.setVariable("user", "Gangyou");        

    Expression expression = parser.parseExpression(greetingExp, 
        new TemplateParserContext());     
    System.out.println(expression.getValue(context, String.class)); 
}

参考链接：
http://rui0.cn/archives/1015