## https://sploitus.com/exploit?id=917E1DCC-BEF6-5300-A5FB-21D0EB830A9F
# CVE-2022-34169 PoC

A (malleable) PoC and solution for the `SU_pwn` challenge from [SUCTF 2025](https://ctftime.org/event/2620). Based on this [issue](https://project-zero.issues.chromium.org/issues/42451418) from the original discoverer (Felix Wilhelm) and this [blog post](https://blog.noah.360.net/xalan-j-integer-truncation-reproduce-cve-2022-34169/) (thanat0s). It tries to rely less on hard-coded constants than the existing PoCs out there.

If you want to deliver a different Java bytecode payload, e.g. to bypass some WAF, just edit `RCE.java`. Otherwise, the RCE command lives at the top of `CVE-2022-34169.py`.

(`web.jar` is the handout from `SU_pwn`)

## Setup

```
docker compose up
curl -X POST -F "File=@output/target.xslt" http://localhost:8080/upload
```