Closed. ghost closed this issue 5 years ago.
If you mean a no-argument constructor, then no, I don't think so. With these you don't have any controllable inputs, so I guess this would be rare and limited to cases where these do something really stupid (tm), e.g. calling System.exit(), deleting some files, or maybe setting some security-relevant system property.
Seeing this again makes me realize that I forgot to mention java.rmi.server.UnicastRemoteObject.UnicastRemoteObject(). If the target technology allows calling a protected default constructor, this will open an RMI listener on a random port which you might exploit further.
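The behaviour described in the comment above (the protected no-arg constructor of UnicastRemoteObject alone is enough to start an RMI listener) can be confirmed with a small stand-alone Java program. This is an added illustration, not code from the issue thread or from marshalsec; the class name ConstructorListenerProbe is an assumption, and the subclass exists only to reach the protected constructor. It prints the endpoint the JVM is now listening on and then unexports the object, which is the clean-up any code that must construct such objects should perform.

```java
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical subclass (not from the thread or marshalsec) used only to
// reach the protected no-argument constructor of UnicastRemoteObject.
public class ConstructorListenerProbe extends UnicastRemoteObject {

    // super() exports this object on an anonymous TCP port, i.e. the JVM
    // starts an RMI listener as a side effect of mere construction.
    ConstructorListenerProbe() throws RemoteException {
        super();
    }

    public static void main(String[] args) throws Exception {
        ConstructorListenerProbe probe = new ConstructorListenerProbe();
        try {
            // The remote reference string names the endpoint, including the
            // randomly chosen port, e.g.
            // "UnicastRef [liveRef: [endpoint:[host:port](local),objID:[...]]]".
            System.out.println("exported as: " + probe.getRef().remoteToString());
        } finally {
            // Close the listener again: unexport the object, forcing even if
            // calls are in progress.
            UnicastRemoteObject.unexportObject(probe, true);
        }
    }
}
```

Run it with `java ConstructorListenerProbe` and compare the printed port with the JVM's open sockets (for example via `netstat`) while the program is paused at the print statement; the port disappears once unexportObject has run.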
Hi, marshalsec, I wonder if you know about these gadgets which can be exploited in their constructor? For example: class A { A() { context.lookup(xxxx); } }
Thanks!