CVE-2022-42889

This exploit demonstrates a POST-based RCE vulnerability in Apache Commons Text versions prior to 1.10.0 by leveraging script interpolation to execute a reverse shell payload. The payload uses JavaScript to spawn a bash reverse shell to a specified callback IP and port.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the vulnerable `StringSubstitutor` class to execute arbitrary commands.

This repository contains a proof-of-concept exploit for CVE-2022-42889 (Text4Shell), targeting Apache Commons Text versions 1.5 through 1.9. The exploit leverages the StringSubstitutor interpolator to execute arbitrary commands via script, DNS, or URL lookups.

This PoC exploits CVE-2022-42889 (Text4Shell) in Apache Commons Text by crafting a malicious payload that triggers remote code execution via script interpolation. The payload uses a reverse shell command to connect back to an attacker-controlled IP and port.

This PoC demonstrates CVE-2022-42889, an RCE vulnerability in Apache Commons Text due to unsafe interpolation of script, dns, and url lookups. It allows arbitrary JavaScript execution via the StringSubstitutor class.

This repository contains a functional proof-of-concept for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text's StringSubstitutor interpolator. It includes endpoints for testing script, DNS, and URL interpolators, with examples for both Nashorn (JDK < 15) and JEXL (JDK 15+).

This repository contains a Burp Suite extension for scanning CVE-2022-42889 (Text4Shell), a vulnerability in Apache Commons Text. The scanner is passive and checks for the vulnerability by sending crafted payloads and monitoring responses.

This repository contains a functional Proof of Concept (PoC) for CVE-2022-42889 (Text4Shell), demonstrating remote code execution via Apache Commons Text variable interpolation. The PoC includes payloads for script, URL, and DNS lookups, along with reverse shell capabilities for both Windows and Linux targets.

The repository contains a functional Python script that tests for CVE-2022-42889 (Text4Shell) by crafting malicious strings for RCE (via JavaScript execution) or SSRF (via URL fetching) and sending them to a target endpoint. The script supports two modes (RCE/SSRF) and encodes payloads before sending HTTP GET requests.

This repository contains a functional Python script that tests for CVE-2022-42889 (Text4Shell) by crafting malicious strings for RCE and SSRF attacks. The script automates the exploitation process by constructing payloads and sending HTTP requests to a target URL.

This repository contains a Python script to test for CVE-2022-42889 (Text4Shell), a vulnerability in Apache Commons Text that allows RCE or SSRF via crafted strings. The script supports two modes: RCE (using JavaScript execution) and SSRF (using URL fetching).

This repository contains a functional proof-of-concept for CVE-2022-42889, demonstrating RCE via Apache Commons Text's StringSubstitutor. It includes examples for DNS, URL, and script-based exploits, along with a reverse shell payload.

This repository contains a functional Proof of Concept (PoC) for CVE-2022-42889, demonstrating the Text4Shell vulnerability in Apache Commons Text. It includes a Spring Boot application with endpoints to test both reflected and blind exploitation via StringSubstitutor interpolation.

This repository provides a script to mitigate CVE-2022-42889 by replacing the vulnerable Apache Commons Text 1.9 with version 1.10.0 in JMeter's lib directory. It includes checksum verification to ensure the integrity of the downloaded file.

This repository contains a collection of Log4Shell (CVE-2021-45046) payloads for testing and exploiting vulnerable systems. It includes one-liners, WAF bypass techniques, and custom headers for various attack vectors.

This repository contains a functional Proof of Concept (PoC) for CVE-2022-42889, demonstrating remote code execution via Apache Commons Text's variable interpolation feature. The exploit leverages the 'script' lookup to execute arbitrary commands, as shown in the README and controller code.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text's StringSubstitutor. The Spring Boot application exposes an endpoint that processes user input with StringSubstitutor, allowing arbitrary code execution through crafted strings.

This is a functional PoC exploit for CVE-2022-42889 (Text4Shell), targeting Apache Commons Text versions 1.5 through 1.9. It leverages string interpolation to execute arbitrary commands via a malicious payload, requiring netcat on the target system to establish a reverse shell.

This repository contains a scanner for detecting CVE-2022-42889 (Text4Shell) vulnerability in Apache Commons Text libraries. It scans directories for vulnerable JAR files and reports their paths and versions.

This repository provides a policy-based scanner to detect CVE-2022-42889 (Text4Shell) vulnerabilities in OCI images using Sigstore and Kubernetes enforcement. It includes a Java-based CSV parser for SLSA data but does not contain exploit code.

This repository provides a Burp Suite scanner profile for detecting CVE-2022-42889 (Text4Shell), a vulnerability in Apache Commons Text versions 1.5 through 1.9. It includes instructions for integrating the scanner into Burp BountyData.

This is a Python script that exploits CVE-2022-42889 (Text4Shell) by crafting a malicious payload to achieve remote code execution (RCE) via Apache Commons Text. The payload uses a reverse shell generated with netcat and is URL-encoded before being sent to the target.

This Python script exploits CVE-2022-42889 (Text4Shell) by crafting malicious payloads to achieve remote code execution (RCE) via Apache Commons Text string interpolation. It supports ping, reverse shell, and custom payloads.

This repository contains a Java agent-based PoC for CVE-2022-42889, which mitigates the vulnerability in Apache Commons Text by intercepting and sanitizing malicious input to the StringSubstitutor class. It supports both premain (startup) and agentmain (runtime) attachment methods.

This repository provides a Docker-based lab for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The PoC includes a Spring Boot app vulnerable to the exploit and instructions for testing in Docker and Kubernetes environments.

This repository contains a functional Proof of Concept (PoC) for CVE-2022-42889 (Text4Shell), demonstrating Remote Code Execution (RCE) via a crafted URL exploiting the Apache Commons Text library vulnerability. The PoC uses a SpringBoot controller to showcase the vulnerability, allowing arbitrary command execution through string interpolation.

This YAML file is a Nuclei template designed to detect CVE-2022-42889 (Text4Shell) by sending crafted requests to trigger a DNS interaction via an OGNL injection payload. It does not execute arbitrary commands but confirms vulnerability via DNS callbacks.

This repository contains a functional PoC for CVE-2022-42889, exploiting a remote code execution vulnerability in Apache Commons Text versions prior to 1.10. The PoC uses a crafted string with a malicious script expression to trigger a reverse shell via netcat.

This repository contains a working PoC for CVE-2022-42889, demonstrating RCE via Apache Commons Text's StringSubstitutor with untrusted input. It uses an embedded Jetty server to expose a vulnerable endpoint that processes user-controlled input.

This is a functional Proof of Concept for CVE-2022-42889 (Text4Shell), exploiting Apache Commons Text to achieve arbitrary command execution via crafted payloads in query parameters or User-Agent headers. It uses an out-of-band (OOB) interaction with Interactsh for validation.

This is a functional PoC for CVE-2022-42889 (Text4Shell), exploiting a remote code execution vulnerability in Apache Commons Text via malicious string interpolation. It sends a crafted payload to a target URL, triggering a reverse shell connection to the attacker's specified host and port.

This repository provides a detailed technical writeup on CVE-2022-42889 (Text4Shell), including its root cause in the Apache Commons Text library's StringSubstitutor class and exploitation steps. It references an external PoC but does not contain functional exploit code itself.

This repository provides a detailed technical analysis of CVE-2022-42889 (Text4Shell), including execution conditions, attack scenarios, and a step-by-step demonstration of exploitation. It covers the vulnerability's root cause, patch analysis, and mitigation strategies.

This repository provides a detailed technical analysis of CVE-2022-42889 (Text4Shell), including vulnerability details, affected versions, exploit features, and mitigation strategies. It does not contain actual exploit code but offers a comprehensive writeup with technical depth.

This repository contains a functional Proof of Concept (PoC) for CVE-2022-42889, demonstrating the Text4Shell vulnerability in Apache Commons Text. It includes a Spring Boot application with endpoints that process user input using StringSubstitutor, allowing for remote code execution via crafted payloads.

This repository contains a functional exploit PoC for CVE-2022-42889, demonstrating RCE via Apache Commons Text's StringSubstitutor. It includes a Spring Boot application with endpoints to trigger script, DNS, URL, and reverse shell payloads.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the `StringSubstitutor` class to execute arbitrary commands through crafted input.

This repository contains a Python-based exploit for CVE-2022-42889 (Text4Shell), targeting Apache Commons Text versions < 1.10.0. The exploit crafts a malicious payload to trigger a reverse shell via Java script injection.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the `StringSubstitutor` class to execute arbitrary commands through crafted input.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the `StringSubstitutor` class to execute arbitrary commands when processing malicious input.

This repository contains a proof-of-concept for CVE-2022-42889, a vulnerability in Apache Commons Text. The exploit leverages the StringSubstitutor class to achieve remote code execution (RCE) via insecure interpolation.

This is a functional Python-based PoC exploit for CVE-2022-42889 (Text4Shell), targeting Apache Commons Text < 1.10.0. It leverages the `StringSubstitutor` class with script interpolation to execute a reverse shell via a crafted HTTP POST request.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the vulnerable `StringSubstitutor` class to execute arbitrary commands through crafted input.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the `${script:javascript:...}` lookup to execute arbitrary commands.

This repository contains a Go-based PoC for CVE-2022-42889 (Text4Shell), demonstrating remote command execution via crafted payloads using the Apache Commons Text library. The main.go file executes arbitrary commands, while possiblepoc.go includes a reverse shell capability.

This PoC exploits CVE-2022-42889 (Text4Shell) by injecting a malicious payload into the User-Agent header and URL query parameter to achieve remote code execution via JavaScript execution in Apache Commons Text.

This repository contains a functional PoC for CVE-2022-42889, demonstrating RCE via Apache Commons Text string interpolation. It includes a Spring Boot application and a Python script to trigger the vulnerability.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. The exploit leverages the `StringSubstitutor` class to execute arbitrary commands when processing user-controlled input.

This repository demonstrates CVE-2022-42889 (Text4Shell), a remote code execution vulnerability in Apache Commons Text. It includes a Spring Boot application with endpoints that exploit the vulnerability via StringSubstitutor interpolation, showcasing RCE and file read capabilities.

This repository contains a functional PoC for CVE-2022-42889 (Text4Shell), demonstrating RCE via Apache Commons Text string interpolation. It includes automated scripts and a vulnerable Spring Boot application for testing.

This repository contains a Dockerized proof-of-concept for CVE-2022-42889 (Text4Shell), demonstrating remote code execution via Apache Commons Text string interpolation. The vulnerable endpoint processes user input with StringSubstitutor, allowing arbitrary command execution.

This repository contains a minimal Java code snippet demonstrating basic usage of Apache Commons Text's TextStringBuilder, but it does not exploit CVE-2022-42889 or any vulnerability. The code lacks exploit logic or malicious intent.

This repository contains a working PoC for CVE-2022-42889, demonstrating RCE via Apache Commons Text's StringSubstitutor with a JavaScript script injection. The exploit leverages the default interpolator to execute arbitrary code.

This repository contains a scanner for detecting CVE-2022-42889 (Text4Shell), an RCE vulnerability in Apache Commons Text. The tool fuzzes HTTP headers, POST data, and JSON parameters with DNS callback payloads to identify vulnerable hosts.

This repository contains a functional PoC for CVE-2022-42889, demonstrating RCE via Apache Commons Text 1.9's StringSubstitutor feature. The exploit uses a crafted template string to execute arbitrary commands, creating a file `/tmp/rce_test` as proof of execution.

This repository contains a functional exploit PoC for CVE-2022-42889 (Text4Shell), demonstrating remote code execution via Apache Commons Text's StringSubstitutor.createInterpolator(). The Dockerized Spring Boot application exposes an endpoint that processes user input with the vulnerable function, allowing arbitrary code execution.

This repository contains a functional exploit for CVE-2022-42889, targeting Apache Commons Text versions 1.5 through 1.9. The exploit leverages the StringSubstitutor feature to execute arbitrary commands via script lookups, leading to remote code execution (RCE).

This is a functional exploit for CVE-2022-42889, leveraging the Apache Commons Text RCE vulnerability by injecting a malicious script expression via a crafted URL parameter. The exploit triggers a reverse shell to the attacker's specified IP and port using netcat.

This Metasploit module exploits CVE-2022-42889 (Text4Shell) in Apache Commons Text by leveraging the StringSubstitutor interpolator's flawed default behavior, allowing arbitrary code execution via the 'script' lookup key. It supports multiple payload types including Java in-memory execution, command execution, and droppers for Windows/Linux.