War Room

Shells from above

How to Perform OGNL Injection

February 2, 2023 By RSM Author

While we frequently discuss SQL injection and command injection, OGNL injection receives a lot less attention.

What is OGNL?

OGNL stands for “Object Graph Navigation Language.” It is an expression language implemented in Java and used in the Apache Struts2 framework for web applications. Struts2 was originally created to build “enterprise ready web applications” and was known for being able to handle multiple moving parts of a web application through a single framework.

Apache did this with a model, view, and controller (MVC) architecture that evaluates OGNL expressions alongside other Java code. OGNL expressions typically handle user input data; just as with other injection attacks, if that user input is not sanitized, injection can occur.

You may think that Struts2 has been updated or changed so that this risk is mitigated, but it has not been. The Apache Struts security page does provide ways to manually lock down the framework, but it opens with “The Apache Struts 2 doesn’t provide any security mechanism – it is just a pure web framework.”

When there is an OGNL injection vulnerability present, there are a few things an attacker can do. OGNL expressions can change system variables as well as execute commands as the user running the web application, thus resulting in remote code execution.

How to Perform OGNL Injection

TryHackMe.com, a website for learning areas of cyber security such as penetration testing and blue/red/purple teaming, has a room we can use to stand up a web application vulnerable to OGNL injection. The room is called “Atlassian, CVE-2022-26134.”

We begin by identifying services running on the machine using nmap.

nmap Scan of Vulnerable Machine

In this case, the available ports are 22, 8090, and 8091. We know that 8090 is hosting a web service because of the fingerprinting nmap performed for us. When we navigate to the webpage, this is where we land.

Landing Login page Example

Right away we can see what is running and its version number, Atlassian Confluence 7.3.5. After some research on the service, we can find a few vulnerabilities, specifically CVE-2022-26134.

Now that we know a vulnerability, we can check online for exploit code someone may have written. Places such as Exploit-DB and GitHub tend to work well. In this case we found an exploit for CVE-2022-26134 through GitHub.

CVE-2022-26134 Description

The exploit’s description says it will first check whether the web application is vulnerable by using a PoC payload. If it is vulnerable, it will execute an RCE payload to give us a reverse shell on the vulnerable machine.

URL showing OGNL Expressions

When the exploit code is run, it injects OGNL expressions into the URL of the web application. Note, though, that before any exploit was performed there were already OGNL expressions in the URL; that alone can be an indicator of a possible OGNLi vulnerability.

Using the “cat” command to read the exploit script, we can dig deeper into what the exploit code is doing.

Exploit Code – PoC Payload

In this portion of the exploit code, we can see a Python function named poc being defined; it takes a string as input and returns a Boolean. Inside it, the OGNL payload used to check whether the web application is vulnerable is generated. The payload is then appended to the end of the landing page URL; if the response returns the desired information, that is proof that OGNLi is possible on the web application.

Exploit code – “If Vul” statement

Here is where the poc function is called. If the desired information is returned, the script reports that the application is vulnerable and starts generating the RCE payload. If not, the application is not vulnerable and the exploit stops.

Exploit code – RCE Payload

This is where the exp function is defined, and it is also where the OGNL RCE payload is generated.

Exploit code – RCE

If the application is vulnerable, the exploit code is run. It then sits and listens for either “q”, which terminates the shell, or for further console commands to send to the vulnerable machine.

RCE on target machine showing the exploit worked

How to Mitigate OGNL Injection Attacks

There are a few methods of mitigating the risk of an OGNL injection attack.

There are web application firewalls (WAFs) that can detect OGNLi, for example by inspecting requests and reviewing the web application’s logs for expression syntax.

Another way is to sanitize user input so that any OGNL expressions a user submits are never executed.
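The two mitigations above, log-based detection and input validation, share one core check: decode the request and look for OGNL expression syntax. The following is an added example, not code from the original post or from any WAF product. It scans constructed sample access-log lines (the IP addresses, paths and timestamps are made up) for the OGNL expression delimiters and the @class@member reference form, decoding percent-encoding repeatedly so that double-encoded input does not slip past a signature that only looks at raw bytes, and reuses the same check as a gate for a request parameter that must be plain text. The log format, function names and the choice to reject rather than strip are assumptions of this example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original post).
# Line 3 carries a percent-encoded ${...} expression in the request path,
# line 4 carries %{...} in a query string, and line 5 is a benign "$100".
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 512
10.0.0.5 - - [02/Feb/2023:10:01:09 +0000] "POST /login.action HTTP/1.1" 302 0
10.0.0.9 - - [02/Feb/2023:10:02:44 +0000] "GET /%24%7B%23a%3D1%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [02/Feb/2023:10:02:51 +0000] "GET /search?q=%25%7Bfoo%7D HTTP/1.1" 200 88
10.0.0.7 - - [02/Feb/2023:10:03:00 +0000] "GET /page?title=price%20%24100 HTTP/1.1" 200 3000
"""

# Signatures for OGNL expression syntax after decoding:
#  - ${...}, %{...} and #{...} expression delimiters
#  - @some.Class@member static reference form
OGNL_PATTERNS = [
    re.compile(r"[$%#]\{"),
    re.compile(r"@[A-Za-z_][\w.]*@"),
]

# Common Log Format request line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds of percent-encoding. Stops early once a round
    changes nothing, so plain text costs one pass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_ognl(value: str) -> bool:
    """True when the decoded value contains OGNL expression syntax."""
    decoded = fully_decode(value)
    return any(p.search(decoded) for p in OGNL_PATTERNS)


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose target carries OGNL syntax."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        target = m["target"]
        if looks_like_ognl(target):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": target,
                "decoded": fully_decode(target),
                "status": m["status"],
            })
    return hits


def validate_param(name: str, value: str, max_len: int = 200) -> str:
    """Gate for a request parameter that must be plain text. Returns the
    value unchanged when acceptable and raises ValueError otherwise; the
    caller should turn that into a 400 response rather than try to repair
    the input."""
    if len(value) > max_len:
        raise ValueError(f"{name}: value exceeds {max_len} characters")
    if looks_like_ognl(value):
        raise ValueError(f"{name}: expression syntax is not allowed")
    return value


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} {hit["status"]} {hit["decoded"]}')
```

Rejecting the request outright is deliberate: stripping the `${` and passing the remainder on would leave the application evaluating whatever survives, and an attacker can iterate on the filter. The same `looks_like_ognl` check is also what a WAF rule or a SIEM query would encode, which is why a single decode-then-match function serves both the detection and the validation case.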

Finally, if you are planning on standing up a web application, try to avoid using applications with known security flaws such as OGNLi, or avoid the Java Struts2 framework entirely.

For more options on how to secure your web application using Apache Struts2, see the Apache security page. Another good resource for further reading is a list

For additional information on OGNL injection, please see the following, a list of CVEs involving OGNL injection dating back approximately fifteen years: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=OGNL.

This post was written by Noah Godfrey.
