
Just []()+! is enough to implement almost any JavaScript code


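This article is seriously impressive. I was stunned when I saw it; the proverbial jaw-drop moment has arrived again.
Nothing to be done, people are like that... they always come up with strange methods, heh.
Just read it. I won't say more; it's fierce.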

Shared by Dexter in Google Reader, another masterpiece from sla.ckers.org: click here to test

If you cannot see the effect in Google Reader, test the following HTML yourself:

JavaScript code
  1. <script language="javascript" type="text/javascript">  
  2. ([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]
]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])  
  3. </script> 
Online conversion tool

 

It is a match for Brainfuck... and a good way to plant malicious scripts in pages...
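One check a defender can run against this style of encoding, as an added example that is not from the original article: ordinary code almost never contains a long run made up solely of `[]()+!`, so such a run is a cheap static signal. The function name `findSixCharRuns` and the threshold of 64 are assumptions, and the sample inputs are constructed.

```javascript
// Added example: flag long runs built only from the six characters []()+!
// minRun is an assumed threshold; tune it against your own script corpus.
function findSixCharRuns(source, minRun = 64) {
  const hits = [];
  const run = /[\[\]()+!\s]+/g;   // whitespace may be sprinkled into a payload
  let m;
  while ((m = run.exec(source)) !== null) {
    const body = m[0].replace(/\s/g, '');
    if (body.length < minRun) continue;
    // Report where the first non-whitespace character of the run sits.
    const lead = m[0].length - m[0].trimStart().length;
    hits.push({
      offset: m.index + lead,
      length: body.length,
      // Share of the whole source taken up by this run.
      share: Number((body.length / source.length).toFixed(2)),
    });
  }
  return hits;
}

// Constructed samples: ordinary code, and a page embedding an encoded run.
const BENIGN = 'function f(a){ return !(a[0]) + (a[1]); }';
const ATOM = '(![]+[])[+!+[]]';   // evaluates to "false"[1]
const ENCODED = '<script>var s = ' + Array(8).fill(ATOM).join('+') + ';</script>';

console.log(findSixCharRuns(BENIGN));
console.log(findSixCharRuns(ENCODED));
```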

Update: I looked into how it works. There is a code table:

(space)   (NaN+[]["filter"])[11]
!   window["atob"]("If")[0]
"   ("").fontcolor()[12]
#   window["atob"]("0iN")[1]
$   window["atob"]("0iT")[1]
%   window["atob"]("0iW")[1]
&   window["atob"]("0ia")[1]
'   window["atob"]("0if")[1]
(   (false+[]["filter"])[20]
)   (false+[]["filter"])[21]
*   window["atob"]("0ir")[1]
+   window["atob"]("0it")[1]
,   window["atob"]("0iy")[1]
-   (NaN+window["Date"]())[31]
.   window["atob"]("1i4")[1]
/   (true+("")["sub"]())[10]
0-9   ignored
:   window["Date"]()[21]
;   window["atob"]("O0")[0]
<   ("")["sub"]()[0]
=   ("").fontcolor()[11]
>   ("")["sub"]()[10]
?   window["atob"]("0j9")[1]
@   window["atob"]("00A")[1]
A   (+[]+[]["constructor"])[10]
B   (+[]+(false)["constructor"])[10]
C   window["atob"]("00N")[1]
D   window["btoa"](00)[1]
E   window["btoa"](01)[2]
F   (0+[]["filter"]["constructor"])[10]
G   window["btoa"]("0f")[1]
H   window["btoa"]("0t")[1]
I   ("Infinity")[0]
J   window["atob"]("00r")[1]
K   window["btoa"]("(")[0]
L   window["btoa"]("/")[0]
M   window["btoa"](0)[0]
N   ("NaN")[0]
O   window["btoa"](8)[0]
P   window["btoa"]("<")[0]
Q   window["btoa"]("a")[1]
R   window["atob"]("01I")[1]
S   window["btoa"]("I")[0]
T   window["btoa"]("N")[0]
U   window["atob"]("01W")[1]
V   window["atob"]("01a")[1]
W   (true+window)[12]
X   window["atob"]("01i")[1]
Y   window["btoa"]("a")[0]
Z   window["btoa"]("f")[0]
[   (undefined+[]["filter"])[33]
\   window["atob"]("01y")[1]
]   (true+[]["filter"])[40]
^   window["atob"](014)[1]
_   window["atob"](018)[1]
`   window["atob"]("02A")[1]
a   ("false")[1]
b   (window+[])[2]
c   ([]["filter"]+[])[3]
d   ("undefined")[2]
e   ("true")[3]
f   ("false")[0]
g   ([]+("")["constructor"])[14]
h   window["atob"]("aN")[0]
i   ([false]+undefined)[10]
j   (window+[])[3]
k   window["atob"]("a0")[0]
l   ("false")[2]
m   (Number+[])[11]
n   ("undefined")[1]
o   (true+[]["filter"])[10]
p   window["atob"]("cN")[0]
q   window["atob"]("cf")[0]
r   ("true")[1]
s   ("false")[3]
t   ("true")[0]
u   ("undefined")[0]
v   (0+[]["filter"])[30]
w   ([]["sort"]["call"]()+[])[13]
x   window["atob"]("eN")[0]
y   (NaN+[Infinity])[10]
z   window["atob"]("et")[0]
{   (NaN+[]["filter"])[21]
|   window["atob"]("03y")[1]
}   (NaN+[]["filter"])[41]
~   window["atob"](234)[1]
Once the string "eval" has been assembled, how do you turn "eval" into eval()? The way to do it is: []["sort"]["call"]()["eval"]

Here []["sort"]["call"]() equals [].sort.call(), which is equivalent to window, so the expression []["sort"]["call"]()["eval"] above is equivalent to window.eval

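After that it is just grunt work: use the code table to convert everything into the form eval("blah blah") and arbitrary code can be executed. The code table differs between browsers; the indices in Chrome and Firefox are not the same.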

In fact, this code table can also be extended to Unicode through the `toLocal*()` family of functions, which is shorter than using fromCharCode :D
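The string-building step described above can be decoded without running the payload. The following is an added example, not code from the original article: a small recursive-descent evaluator (the name `decodeSixChar` is an assumption) that resolves the coercion and indexing expressions, treats every `+` as unary plus or addition, and refuses to perform any call. The fragment it decodes is copied from the test page's script.

```javascript
// Added example: static decoder for the string-building subset of the
// six-character encoding. It never calls anything it decodes.
function decodeSixChar(src) {
  const s = src.replace(/\s+/g, '');
  if (/[^\[\]()+!]/.test(s)) throw new SyntaxError('character outside []()+!');
  let i = 0;
  const eat = (c) => {
    if (s[i] !== c) throw new SyntaxError(`expected "${c}" at offset ${i}`);
    i++;
  };
  // expr := unary ('+' unary)*
  function expr() {
    let v = unary();
    while (s[i] === '+') { i++; v = v + unary(); }
    return v;
  }
  // unary := '!' unary | '+' unary | postfix
  function unary() {
    if (s[i] === '!') { i++; return !unary(); }
    if (s[i] === '+') { i++; return +unary(); }
    return postfix();
  }
  // postfix := primary ('[' expr ']')* ; a call "(...)" is refused
  function postfix() {
    let v = primary();
    while (s[i] === '[' || s[i] === '(') {
      if (s[i] === '(') throw new Error(`call at offset ${i} not executed`);
      i++; const key = expr(); eat(']'); v = v[key];
    }
    return v;
  }
  // primary := '(' expr ')' | '[' ']' | '[' expr ']'
  function primary() {
    if (s[i] === '(') { i++; const v = expr(); eat(')'); return v; }
    eat('[');
    if (s[i] === ']') { i++; return []; }
    const v = expr(); eat(']');
    return [v];
  }
  const value = expr();
  if (i !== s.length) throw new SyntaxError(`unexpected "${s[i]}" at offset ${i}`);
  return value;
}

// Fragment copied from the test page's payload: a property name it looks up.
const FRAGMENT = '(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]' +
  '+(!![]+[])[+!+[]]+(!![]+[])[+[]]';
console.log(decodeSixChar(FRAGMENT));
console.log(decodeSixChar('([![]]+[][[]])[+!+[]+[+[]]]'));
```

Because the decoder stops at the first call, `[]["sort"]["call"]()` is never run; in current ES5+ engines that call throws a TypeError instead of returning window.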

Original article: http://www.cnblogs.com/pandora/archive/2010/02/27/1674833.html

 





1 visitor comment

Whoa, there's such a thing?

Post by 虫少侠 on 2010, March 1, 10:07 AM #1

