Add a feature to cause OGNL expression injection

k-tamura · Mar 8, 2017 · b44c8b6 · b44c8b6
1 parent ad1d918
commit b44c8b6
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 31 deletions.
diff --git a/pom.xml b/pom.xml
@@ -83,16 +83,16 @@
         </exclusion>
       </exclusions>
     </dependency>
-    <dependency>
-      <groupId>org.owasp.esapi</groupId>
-      <artifactId>esapi</artifactId>
-      <version>2.1.0.1</version>
-    </dependency>
-                <dependency>
-                <groupId>ognl</groupId>
-                <artifactId>ognl</artifactId>
-                <version>3.0.17</version>
-            </dependency>
+	<dependency>
+		<groupId>org.owasp.esapi</groupId>
+		<artifactId>esapi</artifactId>
+		<version>2.1.0.1</version>
+	</dependency>
+	<dependency>
+		<groupId>ognl</groupId>
+		<artifactId>ognl</artifactId>
+		<version>3.0.17</version>
+	</dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/OGNLExpressionInjectionServlet.java
@@ -10,42 +10,38 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import ognl.Ognl;
-import ognl.OgnlContext;
-import ognl.OgnlException;
-
+import org.apache.commons.lang.math.NumberUtils;
+import org.owasp.esapi.ESAPI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.t246osslab.easybuggy.utils.Closer;
 import org.t246osslab.easybuggy.utils.HTTPResponseCreator;
 import org.t246osslab.easybuggy.utils.MessageUtils;
 
+import ognl.Ognl;
+import ognl.OgnlContext;
+import ognl.OgnlException;
+
 @SuppressWarnings("serial")
 @WebServlet(urlPatterns = { "/ognleijc" })
 public class OGNLExpressionInjectionServlet extends HttpServlet {
 
     private static Logger log = LoggerFactory.getLogger(OGNLExpressionInjectionServlet.class);
 
-    // OGNL Expression Injection occurs
-    // /ognleijc?input=%23rt%3D%40java.lang.Runtime%40getRuntime()%2C%23rt.exec("calc.exe")
-    // /ognleijc?input=%40java.lang.Math%40sqrt(144)
-    // /ognleijc?input=%40Math%40sqrt(%40Math%40sqrt(144))
-    // /ognleijc?input=%40java.lang.Math%40sqrt(144)%2C%23rt%3D%40java.lang.Runtime%40getRuntime()%2C%23rt.exec("calc.exe")
     protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
-        
+
         PrintWriter writer = null;
         try {
-            Object expr = null;
             Object value = null;
             boolean isValid = true;
             Locale locale = req.getLocale();
             OgnlContext ctx = new OgnlContext();
             String expression = req.getParameter("expression");
-            if(expression == null || expression.equals("")){
+            if (expression == null || expression.equals("")) {
                 isValid = false;
-            }else{
+            } else {
                 try {
-                    expr = Ognl.parseExpression(expression);
+                    Object expr = Ognl.parseExpression(expression.replaceAll("Math.", "@Math@"));
                     value = Ognl.getValue(expr, ctx);
                 } catch (OgnlException e) {
                     isValid = false;
@@ -55,28 +51,28 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S
 
             StringBuilder bodyHtml = new StringBuilder();
             bodyHtml.append("<form action=\"ognleijc\" method=\"post\">");
-            bodyHtml.append(MessageUtils.getMsg("msg.enter.decimal.value", locale));
+            bodyHtml.append(MessageUtils.getMsg("msg.enter.math.expression", locale));
             bodyHtml.append("<br>");
             bodyHtml.append("<br>");
             if (isValid) {
-                bodyHtml.append("<input type=\"text\" name=\"expression\" size=\"100\" maxlength=\"100\" value=" + value
-                        + ">");
+                bodyHtml.append("<input type=\"text\" name=\"expression\" size=\"80\" maxlength=\"300\" value=\""
+                        + ESAPI.encoder().encodeForHTML(expression) + "\">");
             } else {
-                bodyHtml.append("<input type=\"text\" name=\"expression\" size=\"100\" maxlength=\"100\">");
+                bodyHtml.append("<input type=\"text\" name=\"expression\" size=\"80\" maxlength=\"300\">");
             }
             bodyHtml.append(" = ");
-            if (isValid) {
+            if (isValid && value != null && NumberUtils.isNumber(value.toString())) {
                 bodyHtml.append(value);
             }
             bodyHtml.append("<br>");
             bodyHtml.append("<br>");
             bodyHtml.append("<input type=\"submit\" value=\"" + MessageUtils.getMsg("label.calculate", locale) + "\">");
             bodyHtml.append("<br>");
             bodyHtml.append("<br>");
-            bodyHtml.append(MessageUtils.getMsg("msg.note.enter.decimal.value", locale));
+            bodyHtml.append(MessageUtils.getMsg("msg.note.enter.runtime.exec", locale));
             bodyHtml.append("</form>");
             HTTPResponseCreator.createSimpleResponse(res,
-                    MessageUtils.getMsg("title.loss.of.trailing.digits.page", locale), bodyHtml.toString());
+                    MessageUtils.getMsg("title.ognl.expression.injection.page", locale), bodyHtml.toString());
 
         } catch (Exception e) {
             log.error("Exception occurs: ", e);

diff --git a/src/main/resources/indexpage_en.properties b/src/main/resources/indexpage_en.properties
@@ -55,6 +55,8 @@ function.name.ldap.injection=LDAP Injection
 function.description.ldap.injection=There is an LDAP injection vulnerability in this page.
 function.name.code.injection=Code Injection
 function.description.code.injection=There is a code injection vulnerability in this page.
+function.name.os.command.injection=OS Command Injection
+function.description.os.command.injection=There is a command injection vulnerability in this page.
 function.name.unrestricted.upload=Unrestricted File Upload
 function.description.unrestricted.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading.
 function.name.open.redirect=Open Redirect

diff --git a/src/main/resources/indexpage_ja.properties b/src/main/resources/indexpage_ja.properties
@@ -58,6 +58,8 @@ function.name.ldap.injection=LDAP\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f
 function.description.ldap.injection=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306fLDAP\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.code.injection=\u30b3\u30fc\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3
 function.description.code.injection=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u30b3\u30fc\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
+function.name.os.command.injection=OS\u30b3\u30de\u30f3\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3
+function.description.os.command.injection=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306fOS\u30b3\u30de\u30f3\u30c9\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.unrestricted.upload=\u5236\u9650\u306e\u7121\u3044\u30d5\u30a1\u30a4\u30eb\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9
 function.description.unrestricted.upload=\u3053\u306e\u30da\u30fc\u30b8\u306b\u306f\u30d5\u30a1\u30a4\u30eb\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u306e\u5236\u9650\u304c\u7121\u3044\u305f\u3081\u3001DoS\u653b\u6483\u306a\u3069\u306b\u5bfe\u3057\u3066\u8106\u5f31\u3067\u3059\u3002
 function.name.open.redirect=\u30aa\u30fc\u30d7\u30f3\u30ea\u30c0\u30a4\u30ec\u30af\u30c8

diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties
@@ -34,6 +34,7 @@ msg.db.connection.leak.occur=DB connection leak occurs every time you load this
 msg.dead.lock.not.occur=Dead Lock does not occur.
 msg.dead.lock.occur=Dead Lock occurs after loading this page few times.
 msg.deadlock.occurs=A lock could not be obtained due to a deadlock.
+msg.enter.math.expression=Please enter a mathematical expression using java.lang.Math. For example, Math.sqrt(Math.pow(2, 6)) - 5
 msg.enter.json.string=Please enter JSON string.
 msg.enter.name.and.passwd=If you enter your name and password, then your secret number is shown.
 msg.enter.name=Please enter your name.
@@ -62,6 +63,8 @@ msg.note.enter.specific.nembers=<span class="glyphicon glyphicon-info-sign"></sp
 Truncation error occurs if you enter 3 or 7 or 9.
 msg.note.enter.decimal.value=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 Loss of trailing digits occurs if you enter 0.0000000000000001.
+msg.note.enter.runtime.exec=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+If you enter @java.lang.Runtime@getRuntime().exec('rm -fr /your-important-dir/''), then your important directory is removed on your server.
 msg.note.positive.number=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 Integer overflow occurs if you enter a number greater than or equal to 63.
 msg.note.slow.regular.expression=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
@@ -105,6 +108,7 @@ title.endless.waiting.page=Execute batch
 title.integer.overflow.page=The distance from Earth to the moon 
 title.login.page=Login page for administrators
 title.loss.of.trailing.digits.page=Decimal addition
+title.ognl.expression.injection.page=Mathematical calculation
 title.parse.json=Parse JSON
 title.round.off.error.page=Easy subtraction
 title.slow.regular.expression.page=Test regular expression

diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
@@ -35,6 +35,7 @@ msg.dead.lock.not.occur=\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u306f\u767a\u751f\u
 msg.dead.lock.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u6570\u56de\u30ed\u30fc\u30c9\u3059\u308b\u3068\u3001\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.deadlock.occurs=\u30c7\u30c3\u30c9\u30ed\u30c3\u30af\u306b\u3088\u308a\u30ed\u30c3\u30af\u3092\u53d6\u5f97\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u3002
 msg.enter.json.string=JSON\u6587\u5b57\u5217\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
+msg.enter.math.expression=java.lang.Math\u3092\u4f7f\u7528\u3057\u305f\u6570\u5f0f\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002\u4f8b) Math.sqrt(Math.pow(2, 6)) - 5
 msg.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6697\u8a3c\u756a\u53f7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002
 msg.enter.name=\u540d\u524d\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.positive.number=\u6b63\u306e\u6574\u6570\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
@@ -62,6 +63,8 @@ msg.note.enter.specific.nembers=<span class="glyphicon glyphicon-info-sign"></sp
 3\u30017\u30019\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6253\u3061\u5207\u308a\u8aa4\u5dee\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.enter.decimal.value=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 0.0000000000000001\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u60c5\u5831\u6b20\u843d\u304c\u767a\u751f\u3057\u307e\u3059\u3002
+msg.note.enter.runtime.exec=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
+@java.lang.Runtime@getRuntime().exec('rm -fr /your-important-dir/'')\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30b5\u30fc\u30d0\u30fc\u4e0a\u306e\u91cd\u8981\u306a\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u304c\u524a\u9664\u3055\u308c\u307e\u3059\u3002
 msg.note.positive.number=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
 63\u4ee5\u4e0a\u306e\u6570\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6574\u6570\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.sql.deadlock=<span class="glyphicon glyphicon-info-sign"></span>&nbsp; \
@@ -105,6 +108,7 @@ title.endless.waiting.page=\u30d0\u30c3\u30c1\u306e\u5b9f\u884c
 title.integer.overflow.page=\u6708\u307e\u3067\u306e\u8ddd\u96e2
 title.login.page=\u7ba1\u7406\u8005\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8
 title.loss.of.trailing.digits.page=\u5c0f\u6570\u306e\u8db3\u3057\u7b97
+title.ognl.expression.injection.page=\u6570\u5f0f\u8a08\u7b97
 title.parse.json=JSON\u306e\u89e3\u6790
 title.round.off.error.page=\u7c21\u5358\u306a\u5f15\u304d\u7b97
 title.slow.regular.expression.page=\u6b63\u898f\u8868\u73fe\u306e\u30c6\u30b9\u30c8

diff --git a/src/main/webapp/index.jsp b/src/main/webapp/index.jsp
@@ -136,6 +136,11 @@
 						key="function.name.code.injection" /></a>:
 			<fmt:message key="function.description.code.injection" />
 		</p></li>
+		<li><p>
+			<a href="ognleijc" target="_blank"><fmt:message
+						key="function.name.os.command.injection" /></a>:
+			<fmt:message key="function.description.os.command.injection" />
+		</p></li>
 		<li><p>
 			<a href="urupload" target="_blank"><fmt:message
 						key="function.name.unrestricted.upload" /></a>: