Symbols such as []()+! alone are enough to implement almost any JavaScript code
Please test in Firefox.

Looking at the example, the JS code

    <script>
    alert("hi there")
    </script>

is equivalent to

    <script>
    ([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
    </script>

It works from a code table. The code is as follows:

    /* (space) */ (NaN+[]["filter"])[11],
    /* ! */ window["atob"]("If")[0],
    /* " */ ("").fontcolor()[12],
    /* # */ window["atob"]("0iN")[1],
    /* $ */ window["atob"]("0iT")[1],
    /* % */ window["atob"]("0iW")[1],
    /* & */ window["atob"]("0ia")[1],
    /* ' */ window["atob"]("0if")[1],
    /* ( */ (false+[]["filter"])[20],
    /* ) */ (false+[]["filter"])[21],
    /* * */ window["atob"]("0ir")[1],
    /* + */ window["atob"]("0it")[1],
    /* , */ window["atob"]("0iy")[1],
    /* - */ (NaN+window["Date"]())[31],
    /* . */ window["atob"]("1i4")[1],
    /* / */ (true+("")["sub"]())[10],
    /* 0-9 ignored */ ,,,,,,,,,,
    /* : */ window["Date"]()[21],
    /* ; */ window["atob"]("O0")[0],
    /* < */ ("")["sub"]()[0],
    /* = */ ("").fontcolor()[11],
    /* > */ ("")["sub"]()[10],
    /* ? */ window["atob"]("0j9")[1],
    /* @ */ window["atob"]("00A")[1],
    /* A */ (+[]+[]["constructor"])[10],
    /* B */ (+[]+(false)["constructor"])[10],
    /* C */ window["atob"]("00N")[1],
    /* D */ window["btoa"]("00")[1],
    /* E */ window["btoa"]("01")[2],
    /* F */ (0+[]["filter"]["constructor"])[10],
    /* G */ window["btoa"]("0f")[1],
    /* H */ window["btoa"]("0t")[1],
    /* I */ ("Infinity")[0],
    /* J */ window["atob"]("00r")[1],
    /* K */ window["btoa"]("(")[0],
    /* L */ window["btoa"]("/")[0],
    /* M */ window["btoa"](0)[0],
    /* N */ ("NaN")[0],
    /* O */ window["btoa"](8)[0],
    /* P */ window["btoa"]("<")[0],
    /* Q */ window["btoa"]("a")[1],
    /* R */ window["atob"]("01I")[1],
    /* S */ window["btoa"]("I")[0],
    /* T */ window["btoa"]("N")[0],
    /* U */ window["atob"]("01W")[1],
    /* V */ window["atob"]("01a")[1],
    /* W */ (true+window)[12],
    /* X */ window["atob"]("01i")[1],
    /* Y */ window["btoa"]("a")[0],
    /* Z */ window["btoa"]("f")[0],
    /* [ */ (undefined+[]["filter"])[33],
    /* \ */ window["atob"]("01y")[1],
    /* ] */ (true+[]["filter"])[40],
    /* ^ */ window["atob"]("014")[1],
    /* _ */ window["atob"]("018")[1],
    /* ` */ window["atob"]("02A")[1],
    /* a */ ("false")[1],
    /* b */ (window+[])[2],
    /* c */ ([]["filter"]+[])[3],
    /* d */ ("undefined")[2],
    /* e */ ("true")[3],
    /* f */ ("false")[0],
    /* g */ ([]+("")["constructor"])[14],
    /* h */ window["atob"]("aN")[0],
    /* i */ ([false]+undefined)[10],
    /* j */ (window+[])[3],
    /* k */ window["atob"]("a0")[0],
    /* l */ ("false")[2],
    /* m */ (Number+[])[11],
    /* n */ ("undefined")[1],
    /* o */ (true+[]["filter"])[10],
    /* p */ window["atob"]("cN")[0],
    /* q */ window["atob"]("cf")[0],
    /* r */ ("true")[1],
    /* s */ ("false")[3],
    /* t */ ("true")[0],
    /* u */ ("undefined")[0],
    /* v */ (0+[]["filter"])[30],
    /* w */ ([]["sort"]["call"]()+[])[13],
    /* x */ window["atob"]("eN")[0],
    /* y */ (NaN+[Infinity])[10],
    /* z */ window["atob"]("et")[0],
    /* { */ (NaN+[]["filter"])[21],
    /* | */ window["atob"]("03y")[1],
    /* } */ (NaN+[]["filter"])[41],
    /* ~ */ window["atob"](234)[1]

Once the string "eval" has been pieced together, how do you turn "eval" into eval()? The method is

    []["sort"]["call"]()["eval"]

Here []["sort"]["call"]() is the same as [].sort.call(), which is equivalent to window, so []["sort"]["call"]()["eval"] above is equivalent to window.eval.

After that it is just grunt work: use the code table to convert everything into the form eval("blah blah"), and arbitrary code can be executed.

The code table differs between browsers. The indexes in Chrome and Firefox are not the same.

In fact the code table can also be extended to Unicode through the `toLocal*()` family of functions, which is shorter than fromCharCode.
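The browser-independent rows of the table (the characters of "false", "true", "undefined" and "NaN") can be derived mechanically, and the same six-symbol alphabet gives a simple signal for spotting such scripts. The following is an added example, not part of the original post; the function names and the 30-character and 0.95 thresholds are assumptions chosen for illustration.

```javascript
// Added example, not from the original post. Runs in Node.js or a browser console.

// The four strings that type coercion gives for free, written with only []()+!
const BASE = {
  'false': '(![]+[])',         // ![] is false; +[] appends "" and stringifies
  'true': '(!![]+[])',
  'undefined': '([][[]]+[])',  // [][[]] reads a missing property
  'NaN': '(+[![]]+[])',        // +[false] is Number("false")
};

// 0 is +[]; n is +!+[] repeated n times, i.e. 1 + true + true + ...
function encodeNumber(n) {
  return n === 0 ? '+[]' : '+!+[]'.repeat(n);
}

// Symbol-only expression for one character, or null when the character
// needs one of the browser-specific entries of the code table.
function encodeChar(c) {
  for (const [word, expr] of Object.entries(BASE)) {
    const i = word.indexOf(c);
    if (i !== -1) return `${expr}[${encodeNumber(i)}]`;
  }
  return null;
}

function encodeString(s) {
  const parts = [...s].map(encodeChar);
  return parts.includes(null) ? null : parts.join('+');
}

// Evaluate an expression produced above (only ever fed our own output here).
const evaluate = (expr) => Function('return ' + expr)();

// Detection side: share of non-whitespace characters that are one of []()+!
function symbolRatio(src) {
  const body = src.replace(/\s/g, '');
  return body.length ? body.replace(/[^\[\]()+!]/g, '').length / body.length : 0;
}

// Ordinary JavaScript is mostly identifiers, so a long run at this ratio stands out.
function looksSymbolEncoded(src, minLength = 30, threshold = 0.95) {
  return src.replace(/\s/g, '').length >= minLength && symbolRatio(src) >= threshold;
}

const encoded = encodeString('alert');
console.log(encoded, '=>', evaluate(encoded), looksSymbolEncoded(encoded));
```

Characters outside those four words, such as "h", return null here because they depend on the browser-specific rows (atob, btoa, function source text) listed in the table.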
Original: http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29