OGNL Injection occurs when the Expression Language (EL) interpreter attempts to interpret user-supplied data without validation enabling attackers to inject their own EL code.

Object Graph Navigation Language (OGNL) was developed to provide developers with an easy way to extract data from an object model like a scripting language. It is similar to a server side template and is used within Java Server Pages since JSP 2.0. Tthe vulnerabilities occurs is when the Expression Language (EL) interpreter attempts to interpret user-supplied data without validation. This enables attackers to inject their own EL code.

Impact

Equifax Breach: Exploiting OGNL Injection in Apache Struts

CVE-2017-5638 has facilitated the Equifax breach in 2017 that exposed the personal information of more than 145 million US citizens.

Mining Cryptocurrency: Hackers latch onto new Apache Struts megavuln to mine cryptocurrency

Hackers are abusing the CVE-2018-11776 vulnerability to attack systems running Apache Struts 2 to install the CNRig cryptocurrency miner.

Testing for OGNL Injection in Java

Testing for OGNL Injection in a black box scenario involves inserting an EL expression into an input parameter. If the server code does not perform input validation and allows evaluation by a OGNL interpreter then the server is vulnerable to OGNL Injection. To test for this situation enter an EL expression into the input parameter as shown below.

gk6q${“zkz”.toString().replace(“k”, “x”)}doap2

or

foobar%{191*7}

If the application returns igk6qzxzdoap2 in the first case or foobar1337 in the second case then it is vulnerable to OGNL Injection.

Testing  can be done statically if you have access to the source code. When reviewing source code check for all inputs to a EL interpreter and ensure that untrusted input is not sent to the EL interpreter or that it is validated against a whitelist prior to consumption.

Examples of OGNL Injection

Example payloads,

gk6q${“zkz”.toString().replace(“k”, “x”)}doap2
https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL

Fixing

In general, method evaluating OGNL expression should not receive user input. It is intended to be used in static configurations and JSP.

Tales

Equifax Breach: Exploiting OGNL Injection in Apache Struts

CVE-2017-5638 has facilitated the Equifax breach in 2017 that exposed the personal information of more than 145 million US citizens. Despite being a company with over 3 billion dollars in annual revenue, it was hacked via a known vulnerability in the Apache Struts model-view-controller (MVC) framework. The attacker sends a crafted request to upload a file to a vulnerable server that uses a Jakarta-based plugin to process the upload request. The attacker can then send malicious code in the Content-Type header to execute the command on a vulnerable server.

Want to check your projects for free?

References

MediaService: Exploiting OGNL Injection
Metasploit GitHub: OGNL exploits within Apache Struts2
NMMapper Apache Struts: Real World Examples of OGNL Injection
Expression Language Injection: Discussion Paper
ONGL Expression Injection: The evaluation of unvalidated OGNL expressions can lead to remote code execution.