最近在做CTF的题目,遇见了一个都是[]()+!这样的文件,于是百度了一下,发现这个博客对这个有解释。

G Reader里Dexter同学的分享,来自sla.ckers.org的又一神作

点我测试

GReader里看不到效果的同学请自行测试下列HTML:

<script language="javascript" type="text/javascript">
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</script>

在线转换工具

跟Brainfuck有的一拼。。。是挂马的好办法。。。

更新:研究了一下它实现的原理,有一个码表:

    (NaN+[]["filter"])[11]',
!   window["atob"]("If")[0]',
"   ("").fontcolor()[12]',
#   window["atob"]("0iN")[1]',
$   window["atob"]("0iT")[1]',
%   window["atob"]("0iW")[1]',
&   window["atob"]("0ia")[1]',
'   window["atob"]("0if")[1]',
(   (false+[]["filter"])[20]',
)   (false+[]["filter"])[21]',
*   window["atob"]("0ir")[1]',
+   window["atob"]("0it")[1]',
,   window["atob"]("0iy")[1]',
-   (NaN+window["Date"]())[31]',
.   window["atob"]("1i4")[1]',
/   (true+("")["sub"]())[10]',
0-9 ignored*/ ,,,,,,,,,,
:   window["Date"]()[21]',
;   window["atob"]("O0")[0]',
<   ("")["sub"]()[0]',
=   ("").fontcolor()[11]',
>   ("")["sub"]()[10]',
?   window["atob"]("0j9")[1]',
@   window["atob"]("00A")[1]',
A   (+[]+[]["constructor"])[10]',
B   (+[]+(false)["constructor"])[10]',
C   window["atob"]("00N")[1]',
D   window["btoa"](00)[1]',
E   window["btoa"](01)[2]',
F   (0+[]["filter"]["constructor"])[10]',
G   window["btoa"]("0f")[1]',
H   window["btoa"]("0t")[1]',
I   ("Infinity")[0]',
J   window["atob"]("00r")[1]',
K   window["btoa"]("(")[0]',
L   window["btoa"]("/")[0]',
M   window["btoa"](0)[0]',
N   ("NaN")[0]',
O   window["btoa"](8)[0]',
P   window["btoa"]("<")[0]',
Q   window["btoa"]("a")[1]',
R   window["atob"]("01I")[1]',
S   window["btoa"]("I")[0]',
T   window["btoa"]("N")[0]',
U   window["atob"]("01W")[1]',
V   window["atob"]("01a")[1]',
W   (true+window)[12]',
X   window["atob"]("01i")[1]',
Y   window["btoa"]("a")[0]',
Z   window["btoa"]("f")[0]',
[   (undefined+[]["filter"])[33]',
\   window["atob"]("01y")[1]',
]   (true+[]["filter"])[40]',
^   window["atob"](014)[1]',
_   window["atob"](018)[1]',
`   window["atob"]("02A")[1]',
a   ("false")[1]',
b   (window+[])[2]',
c   ([]["filter"]+[])[3]',
d   ("undefined")[2]',
e   ("true")[3]',
f   ("false")[0]', 
g   ([]+("")["constructor"])[14]',
h   window["atob"]("aN")[0]',
i   ([false]+undefined)[10]',
j   (window+[])[3]',
k   window["atob"]("a0")[0]',
l   ("false")[2]',
m   (Number+[])[11]',
n   ("undefined")[1]',
o   (true+[]["filter"])[10]',
p   window["atob"]("cN")[0]',
q   window["atob"]("cf")[0]',
r   ("true")[1]',
s   ("false")[3]',
t   ("true")[0]',
u   ("undefined")[0]',
v   (0+[]["filter"])[30]',
w   ([]["sort"]["call"]()+[])[13]',
x   window["atob"]("eN")[0]',
y   (NaN+[Infinity])[10]',
z   window["atob"]("et")[0]',
{   (NaN+[]["filter"])[21]',
|   window["atob"]("03y")[1]',
}   (NaN+[]["filter"])[41]',
~   window["atob"](234)[1]'

拼接出来字符串 "eval",如何把 "eval" 变成 eval() 呢?方法是

[]["sort"]["call"]()["eval"]

其中 []["sort"]["call"]() 等于 [].sort.call() ,等价于 window,所以上面 []["sort"]["call"]()["eval"] 就等价于 window.eval

然后就是体力活了,把码表对应转换成 eval("blah blah") 这种形式就可以执行任意代码了

不同浏览器的码表不一样。 Chrome和Firefox的index就不一样。

其实这个码表还可以通过 ·toLocal*()` 函数族扩展到Unicode,比fromCharCode要简短 :D

【转载】--仅用 []()+! 就足以实现几乎任意Javascript代码的更多相关文章

  1. 只用这 6 个字符,就可以写出任意 JavaScript 代码!

    你可能在网上见过有人用 几个不同的字符写的各种稀奇古怪的 JavaScript 代码,虽然看起来奇怪,但是能正常运行!比如这个: (!(~+[])+{})[--[~+""][+[] ...

  2. 转载:Eclipse+Spket插件+ExtJs4修改版提供代码提示功能[图]

    转载:Eclipse+Spket插件+ExtJs4修改版提供代码提示功能[图] ExtJs是一种主要用于创建前端用户界面,是一个基本与后台技术无关的前端ajax框架.功能丰富,无人能出其右.无论是界面 ...

  3. [转载]基于TFS实践敏捷-修复Bug和执行代码评审

    本主题阐释了这些功能,以继续这一关注虚拟敏捷团队成员的一天的教程. Peter 忙于编写一些代码以完成积压工作 (backlog) 项任务.但是,他的同事发现了一个阻碍他们工作的 Bug,他想立即修复 ...

  4. 用6个字符写出任意的Javascript代码

    博客搬到了fresky.github.io - Dawei XU,请各位看官挪步.最新的一篇是:用6个字符写出任意的Javascript代码.

  5. WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞

    漏洞名称: WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞 CNNVD编号: CNNVD-201310-195 发布时间: ...

  6. 精心收集的 48 个 JavaScript 代码片段,仅需 30 秒就可理解!

    原文:https://github.com/Chalarangelo/30-seconds-of-code#anagrams-of-string-with-duplicates 作者:Chalaran ...

  7. 精心收集的 48 个 JavaScript 代码片段,仅需 30 秒就可理解

    原文:Chalarangelo  译文:IT168 https://github.com/Chalarangelo/30-seconds-of-code#anagrams-of-string-with ...

  8. phpMyAdmin setup.php脚本的任意PHP代码注入漏洞

    phpMyAdmin (/scripts/setup.php) PHP 注入代码 此漏洞代码在以下环境测试通过:      phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, ...

  9. 突破XSS字符限制执行任意JS代码

    突破XSS字符限制执行任意JS代码 一.综述 有些XSS漏洞由于字符数量有限制而没法有效的利用,只能弹出一个对话框来YY,本文主要讨论如何突破字符数量的限制进行有效的利用,这里对有效利用的定义是可以不 ...

随机推荐

  1. Windows操作系统下远程连接MySQL数据库

    用Eclipse做一个后台项目,但是数据库不想放在本地电脑,于是买了一个腾讯云服务器(学生有优惠,挺便宜的),装上MySQL数据库,但是测试连接的时候,发现总是连接不是上,但是本地数据库可以连接,于是 ...

  2. 飞一般的国内maven中央仓库

    修改maven根目录下的conf文件夹中的setting.xml文件,内容如下: <mirrors>     <mirror>       <id>alimaven ...

  3. 安全测试 - XSS如何防御

    XSS主要是通过劫持用户COOKIE,执行JS脚本进行攻击 如何发现: 可以使用<script>alert(/yourname/)</script> script最具有代表性也 ...

  4. common-pool2 学习:thrift连接池的另一种实现

    对象池是一种很实用的技术,经典的例子就是数据库连接池.去年曾经从零开始写过一个thrift客户端连接池.如果不想重造轮子,可以直接在apache开源项目commons-pool的基础上开发. 步骤: ...

  5. [LeetCode] Climbing Stairs 爬梯子问题

    You are climbing a stair case. It takes n steps to reach to the top. Each time you can either climb ...

  6. 用Tensorflow让神经网络自动创造音乐

    #————————————————————————本文禁止转载,禁止用于各类讲座及ppt中,违者必究————————————————————————# 前几天看到一个有意思的分享,大意是讲如何用Ten ...

  7. 系统级性能分析工具perf的介绍与使用

    测试环境:Ubuntu16.04(在VMWare虚拟机使用perf top存在无法显示问题) Kernel:3.13.0-32 系统级性能优化通常包括两个阶段:性能剖析(performance pro ...

  8. asp.net 正则获取url参数

    现在有一种场景:Url是数据库里面的,里面带有很多参数,如何获取具体参数的值呢? var uri = new Uri(pageUrl); var queryString = uri.Query; va ...

  9. 轻量级jQuery语法高亮代码高亮插件jQuery Litelighter。

    <!DOCTYPE html><html><head><meta charset="UTF-8" /><title>jQ ...

  10. 以.net core重构原有.net framework过程中的一些API变更记录(持续更新)

    1)Type.IsGenericType类似属性变更 以下是.net framework 4.5中Type抽象类中泛型类型的几个个属性,用于泛型类型的相关信息判断: 以下是.net core(nets ...