Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

2nd RCE and XSS in Apache Struts 2.5.0 - 2.5.29- 850

mc0wn, posted 3 years ago
  • OGNL (Object Graph Navigation Library) is an expression language used for getting and setting properties of Java objects. It is used by many large products, including Apache Struts.
  • OGNL becomes exploitable when the same expression is evaluated twice. According to the author, this often happens when findString() or findValue() is called consecutively inside an object with nested calls. While reading previous work, the author noticed that Apache Struts template files, called ftl (FreeMarker) files, can also contain OGNL expressions.
  • ftl (FreeMarker) files define how an element will present itself in the final HTML. Within an ftl file there was a call to findString() on a user-controlled parameter. Later on, the function getText() is called, which has a nested call to findValue().
  • The code for the call is stack.findValue("getText('" + text + "')");, where text is user-controllable data. getText() by itself offers limited functionality for getting code execution. But because user data is concatenated into an expression that is then evaluated dynamically, the original call can be escaped and replaced with an arbitrary one. In that respect it is similar to SQL injection.
  • The payload text = a') + #application + getText('b closes the getText('...') literal and allows arbitrary expressions to be run. From this, a payload achieving code execution can be built, but it is too long to include here; the article has a good example of it.
  • The author also found a minor XSS issue in the onChange event, which required user interaction to exploit. Overall, I really enjoyed the double OGNL bug leading to code execution in Struts. It is interesting to see a query language that I'm unfamiliar with get exploited in a way similar to SQL injection.
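The concatenation bug the notes describe, modelled as an added example that is not code from the article or from Struts: build_expression() mirrors the vulnerable stack.findValue("getText('" + text + "')") call, a small tokenizer checks whether user data stayed inside the single quoted literal (a check a reviewer or a test could apply to such templates), and safe_literal() shows the escaped form. The tokenizer handles only single-quoted literals with backslash escapes, which is a simplifying assumption about OGNL syntax.

```python
from typing import List

def build_expression(text: str) -> str:
    # Mirrors the vulnerable pattern: user text is pasted into an OGNL
    # expression string that findValue() will evaluate a second time.
    return "getText('" + text + "')"

def code_segments(expr: str) -> List[str]:
    """Split a simplified OGNL expression into the pieces that are NOT
    inside single-quoted string literals (backslash escapes honoured)."""
    segments, buf, in_str, i = [], "", False, 0
    while i < len(expr):
        c = expr[i]
        if in_str:
            if c == "\\" and i + 1 < len(expr):
                i += 2            # skip the escaped character
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
            segments.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    segments.append("<unterminated>" if in_str else buf)
    return [s for s in segments if s.strip()]

def input_escapes_literal(text: str) -> bool:
    """True when `text` changes the structure of the expression, i.e. OGNL
    code ends up outside the one getText('...') literal. The page's payload
    a') + #application + getText('b does exactly that."""
    return code_segments(build_expression(text)) != ["getText(", ")"]

def safe_literal(text: str) -> str:
    """Escape backslashes and quotes so the value cannot close the literal.
    This only removes the structural breakout modelled here; the article's
    point is that evaluating user data a second time is itself the defect,
    so not building an expression from user data at all is the real fix."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

def safe_expression(text: str) -> str:
    return "getText(" + safe_literal(text) + ")"
```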