Add exploit for CVE-2022-42889 Apache Commons Text RCE #18638
Conversation
| Target should run JDK < 15 | ||
|
|
||
| ## Testing | ||
| Follow the steps in [this](https://github.com/karthikuj/cve-2022-42889-text4shell-docker?tab=readme-ov-file) PoC to setup the environment |
There was a problem hiding this comment.
Could we please add the steps here in case the resource disappears, or link to the file directly:
https://github.com/karthikuj/cve-2022-42889-text4shell-docker/tree/288959eddad312218ec31c7bc06cf2622b26e91e
| register_options([ | ||
| OptString.new('TARGETURI', [ true, 'The target URI']), | ||
| OptString.new('PARAM', [ true, 'The vulnerable parameter']), | ||
| OptString.new('METHOD', [ true, 'The HTTP method to use', 'GET' ]) |
There was a problem hiding this comment.
This should likely be an ENUM?
| ) | ||
| ) | ||
| register_options([ | ||
| OptString.new('TARGETURI', [ true, 'The target URI']), |
There was a problem hiding this comment.
Documents say the default value is /, but there is none here?
There was a problem hiding this comment.
Must've missed it, thanks for pointing it out.
|
|
||
| # blind command injection using sleep command | ||
| sleep_time = rand(4..8) | ||
| print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") |
There was a problem hiding this comment.
| print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") | |
| vprint_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") |
| { | ||
| 'Platform' => 'win', | ||
| 'Arch' => ARCH_CMD, | ||
| 'Type' => :windows_command, |
There was a problem hiding this comment.
| 'Type' => :windows_command, | |
| 'Type' => :windows_cmd, |
For consistency
| 'Platform' => 'linux', | ||
| 'Arch' => [ARCH_X86, ARCH_X64], | ||
| 'Type' => :linux_dropper, | ||
| 'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' } |
There was a problem hiding this comment.
Is there a reason you selected this payload? It will fail on 32-bit hosts that are supported by this target entry.
There was a problem hiding this comment.
Yes you're right, payload should've been x86
|
Hi, I've finally tested it on windows and added the output for the same |
ekalinichev-r7
added
the
rn-modules
Release NotesAdds an exploit module for CVE-2022-42889 that targets web apps utilising Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion |
This PR adds a module to exploit web apps utilising Apache Commons Text's (1.5-1.9) StringSubstitutor interpolator class in an insecure fashion (CVE-2022-42889). Vulnerable targets can be exploited by crafting a special payload
${script:javascript:<java code here>}and sending it through the vulnerable parameter.Follow the steps in this PoC to setup the environment
Verification Steps
use apache_commons_text4shellRHOST, RPORT, TARGETURI, PARAM, METHOD, TARGET, LHOSTrunNote
The exploit has not yet been tested on a windows target