A (malleable) PoC and solution for the SU_pwn challenge from SUCTF 2025. Based on this issue from the original discoverer (Felix Wilhelm) and this blog post (thanat0s). It tries to rely less on hard-coded constants than the existing PoCs out there.
If you want to deliver a different Java bytecode payload, e.g. to bypass some WAF, just edit RCE.java. Otherwise, the RCE command lives at the top of CVE-2022-34169.py.
(web.jar is the handout from SU_pwn)
docker compose up
curl -X POST -F "File=@output/target.xslt" http://localhost:8080/upload