Just []()+! is enough to implement almost any JavaScript code
Shared by Dexter in Google Reader; yet another masterpiece from sla.ckers.org.
If the effect does not show up in Google Reader, test the following HTML yourself:
<script language="javascript" type="text/javascript">([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[
]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])</script>
It rivals Brainfuck... and is a handy way to plant malicious scripts on a page...
Update: I looked into how it works. There is a character table (character, followed by the expression that yields it):
(space) (NaN+[]["filter"])[11]
! window["atob"]("If")[0]
" ("").fontcolor()[12]
# window["atob"]("0iN")[1]
$ window["atob"]("0iT")[1]
% window["atob"]("0iW")[1]
& window["atob"]("0ia")[1]
' window["atob"]("0if")[1]
( (false+[]["filter"])[20]
) (false+[]["filter"])[21]
* window["atob"]("0ir")[1]
+ window["atob"]("0it")[1]
, window["atob"]("0iy")[1]
- (NaN+window["Date"]())[31]
. window["atob"]("1i4")[1]
/ (true+("")["sub"]())[10]
0-9 ignored
: window["Date"]()[21]
; window["atob"]("O0")[0]
< ("")["sub"]()[0]
= ("").fontcolor()[11]
> ("")["sub"]()[10]
? window["atob"]("0j9")[1]
@ window["atob"]("00A")[1]
A (+[]+[]["constructor"])[10]
B (+[]+(false)["constructor"])[10]
C window["atob"]("00N")[1]
D window["btoa"](00)[1]
E window["btoa"](01)[2]
F (0+[]["filter"]["constructor"])[10]
G window["btoa"]("0f")[1]
H window["btoa"]("0t")[1]
I ("Infinity")[0]
J window["atob"]("00r")[1]
K window["btoa"]("(")[0]
L window["btoa"]("/")[0]
M window["btoa"](0)[0]
N ("NaN")[0]
O window["btoa"](8)[0]
P window["btoa"]("<")[0]
Q window["btoa"]("a")[1]
R window["atob"]("01I")[1]
S window["btoa"]("I")[0]
T window["btoa"]("N")[0]
U window["atob"]("01W")[1]
V window["atob"]("01a")[1]
W (true+window)[12]
X window["atob"]("01i")[1]
Y window["btoa"]("a")[0]
Z window["btoa"]("f")[0]
[ (undefined+[]["filter"])[33]
\ window["atob"]("01y")[1]
] (true+[]["filter"])[40]
^ window["atob"](014)[1]
_ window["atob"](018)[1]
` window["atob"]("02A")[1]
a ("false")[1]
b (window+[])[2]
c ([]["filter"]+[])[3]
d ("undefined")[2]
e ("true")[3]
f ("false")[0]
g ([]+("")["constructor"])[14]
h window["atob"]("aN")[0]
i ([false]+undefined)[10]
j (window+[])[3]
k window["atob"]("a0")[0]
l ("false")[2]
m (Number+[])[11]
n ("undefined")[1]
o (true+[]["filter"])[10]
p window["atob"]("cN")[0]
q window["atob"]("cf")[0]
r ("true")[1]
s ("false")[3]
t ("true")[0]
u ("undefined")[0]
v (0+[]["filter"])[30]
w ([]["sort"]["call"]()+[])[13]
x window["atob"]("eN")[0]
y (NaN+[Infinity])[10]
z window["atob"]("et")[0]
{ (NaN+[]["filter"])[21]
| window["atob"]("03y")[1]
} (NaN+[]["filter"])[41]
~ window["atob"](234)[1]
Once the string "eval" has been assembled, how do you turn "eval" into eval()? The method is []["sort"]["call"]()["eval"], where []["sort"]["call"]() is [].sort.call(), which is equivalent to window, so []["sort"]["call"]()["eval"] above is equivalent to window.eval.
After that it is just grunt work: use the table to convert the code into the form eval("blah blah") and you can execute arbitrary code.
The table differs between browsers; the indices in Chrome and Firefox are not the same.
The table can actually be extended to Unicode through the toLocal*() family of functions, which is shorter than fromCharCode :D
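As an added example (not part of the original post), the block below evaluates a handful of the table's own expressions on whatever engine runs it, so you can see which indices hold and which are Firefox-specific, and adds a cheap heuristic for flagging a script body made only of []()+!. The expressions are copied from the table; the checking code, the 32-character threshold and the skipping of window-dependent entries when no window exists (for example under Node) are assumptions of this example.

```javascript
// Constructed subset of the post's table: [character, expression yielding it].
const TABLE = [
  [' ', '(NaN+[]["filter"])[11]'],
  ['(', '(false+[]["filter"])[20]'],
  [')', '(false+[]["filter"])[21]'],
  ['{', '(NaN+[]["filter"])[21]'],
  ['}', '(NaN+[]["filter"])[41]'],        // index depends on Function.toString format
  ['[', '(undefined+[]["filter"])[33]'],  // same: differs between engines
  ['a', '("false")[1]'],
  ['c', '([]["filter"]+[])[3]'],
  ['e', '("true")[3]'],
  ['l', '("false")[2]'],
  ['o', '(true+[]["filter"])[10]'],
  ['v', '(0+[]["filter"])[30]'],          // engine-dependent as well
  ['y', '(NaN+[Infinity])[10]'],
  ['w', '([]["sort"]["call"]()+[])[13]'], // assumes [].sort.call() === window
  ['h', 'window["atob"]("aN")[0]'],       // needs a window object
];

// Evaluate one table expression. Function() is acceptable here only because
// the expressions are fixed constants from the post, never untrusted input.
function evalEntry(expr) {
  try { return { ok: true, value: Function('return (' + expr + ')')() }; }
  catch (e) { return { ok: false, value: String(e) }; }
}

// Check every entry on the current engine.
// Returns { matches: [char...], mismatches: [[char, whatWeGot]...] }.
function checkTable(table = TABLE) {
  const matches = [], mismatches = [];
  for (const [ch, expr] of table) {
    if (expr.includes('window') && typeof window === 'undefined') continue;
    const r = evalEntry(expr);
    if (r.ok && r.value === ch) matches.push(ch);
    else mismatches.push([ch, r.value]);
  }
  return { matches, mismatches };
}

// Detection heuristic: a script body consisting only of []()+! (ignoring
// whitespace) and long enough to be doing real work. Threshold is assumed.
function looksLikeSymbolOnlyJs(src, minLen = 32) {
  const body = src.replace(/\s+/g, '');
  return body.length >= minLen && /^[\[\]()+!]+$/.test(body);
}
```

Under V8 (Node, Chrome) the `}`, `[` and `v` entries land on different characters than the table says, and the `w` entry throws because `[].sort.call()` no longer yields `window`; under a Firefox-style `function filter() {\n    [native code]\n}` formatting they match, which is exactly the cross-browser difference the post mentions.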