public class Encryptor{

    public static void main(String[] args) throws IOException, ClassNotFoundException {

        String [] cmd = {"cmd","/C","calc"};

        Process proc = Runtime.getRuntime().exec(cmd);

        String.class.getClass().

        forName("java.lang.Runtime")

        .getMethod("exec",String.class)

        .invoke(

                String.class.getClass().forName("java.lang.Runtime").

                getMethod("getRuntime").

                invoke(String.class.getClass().forName("java.lang.Runtime"))

                ,new String[]{"/bin/bash","-c","id"}

                );

    }

}

SPEL表达式注入： 如果参数greetingExp可以控制存在spel注入，通过java反射机制注入恶意代码

public static void main(String[] args) {

    String greetingExp = "Hello, #{ #user }";

    ExpressionParser parser = new SpelExpressionParser();

    EvaluationContext context = new StandardEvaluationContext();

    context.setVariable("user", "Gangyou");        

    Expression expression = parser.parseExpression(greetingExp,

        new TemplateParserContext());

    System.out.println(expression.getValue(context, String.class));

}

参考链接：

http://rui0.cn/archives/1015