最近在做CTF的题目,遇见了一个都是[]()+!这样的文件,于是百度了一下,发现这个博客对这个有解释。

G Reader里Dexter同学的分享,来自sla.ckers.org的又一神作

点我测试

GReader里看不到效果的同学请自行测试下列HTML:

<script language="javascript" type="text/javascript">
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</script>

在线转换工具

跟Brainfuck有的一拼。。。是挂马的好办法。。。

更新:研究了一下它实现的原理,有一个码表:

    (NaN+[]["filter"])[11]',
!   window["atob"]("If")[0]',
"   ("").fontcolor()[12]',
#   window["atob"]("0iN")[1]',
$   window["atob"]("0iT")[1]',
%   window["atob"]("0iW")[1]',
&   window["atob"]("0ia")[1]',
'   window["atob"]("0if")[1]',
(   (false+[]["filter"])[20]',
)   (false+[]["filter"])[21]',
*   window["atob"]("0ir")[1]',
+   window["atob"]("0it")[1]',
,   window["atob"]("0iy")[1]',
-   (NaN+window["Date"]())[31]',
.   window["atob"]("1i4")[1]',
/   (true+("")["sub"]())[10]',
0-9 ignored*/ ,,,,,,,,,,
:   window["Date"]()[21]',
;   window["atob"]("O0")[0]',
<   ("")["sub"]()[0]',
=   ("").fontcolor()[11]',
>   ("")["sub"]()[10]',
?   window["atob"]("0j9")[1]',
@   window["atob"]("00A")[1]',
A   (+[]+[]["constructor"])[10]',
B   (+[]+(false)["constructor"])[10]',
C   window["atob"]("00N")[1]',
D   window["btoa"](00)[1]',
E   window["btoa"](01)[2]',
F   (0+[]["filter"]["constructor"])[10]',
G   window["btoa"]("0f")[1]',
H   window["btoa"]("0t")[1]',
I   ("Infinity")[0]',
J   window["atob"]("00r")[1]',
K   window["btoa"]("(")[0]',
L   window["btoa"]("/")[0]',
M   window["btoa"](0)[0]',
N   ("NaN")[0]',
O   window["btoa"](8)[0]',
P   window["btoa"]("<")[0]',
Q   window["btoa"]("a")[1]',
R   window["atob"]("01I")[1]',
S   window["btoa"]("I")[0]',
T   window["btoa"]("N")[0]',
U   window["atob"]("01W")[1]',
V   window["atob"]("01a")[1]',
W   (true+window)[12]',
X   window["atob"]("01i")[1]',
Y   window["btoa"]("a")[0]',
Z   window["btoa"]("f")[0]',
[   (undefined+[]["filter"])[33]',
\   window["atob"]("01y")[1]',
]   (true+[]["filter"])[40]',
^   window["atob"](014)[1]',
_   window["atob"](018)[1]',
`   window["atob"]("02A")[1]',
a   ("false")[1]',
b   (window+[])[2]',
c   ([]["filter"]+[])[3]',
d   ("undefined")[2]',
e   ("true")[3]',
f   ("false")[0]', 
g   ([]+("")["constructor"])[14]',
h   window["atob"]("aN")[0]',
i   ([false]+undefined)[10]',
j   (window+[])[3]',
k   window["atob"]("a0")[0]',
l   ("false")[2]',
m   (Number+[])[11]',
n   ("undefined")[1]',
o   (true+[]["filter"])[10]',
p   window["atob"]("cN")[0]',
q   window["atob"]("cf")[0]',
r   ("true")[1]',
s   ("false")[3]',
t   ("true")[0]',
u   ("undefined")[0]',
v   (0+[]["filter"])[30]',
w   ([]["sort"]["call"]()+[])[13]',
x   window["atob"]("eN")[0]',
y   (NaN+[Infinity])[10]',
z   window["atob"]("et")[0]',
{   (NaN+[]["filter"])[21]',
|   window["atob"]("03y")[1]',
}   (NaN+[]["filter"])[41]',
~   window["atob"](234)[1]'

拼接出来字符串 "eval",如何把 "eval" 变成 eval() 呢?方法是

[]["sort"]["call"]()["eval"]

其中 []["sort"]["call"]() 等于 [].sort.call() ,等价于 window,所以上面 []["sort"]["call"]()["eval"] 就等价于 window.eval

然后就是体力活了,把码表对应转换成 eval("blah blah") 这种形式就可以执行任意代码了

不同浏览器的码表不一样。 Chrome和Firefox的index就不一样。

其实这个码表还可以通过 ·toLocal*()` 函数族扩展到Unicode,比fromCharCode要简短 :D

【转载】--仅用 []()+! 就足以实现几乎任意Javascript代码的更多相关文章

  1. 只用这 6 个字符,就可以写出任意 JavaScript 代码!

    你可能在网上见过有人用 几个不同的字符写的各种稀奇古怪的 JavaScript 代码,虽然看起来奇怪,但是能正常运行!比如这个: (!(~+[])+{})[--[~+""][+[] ...

  2. 转载:Eclipse+Spket插件+ExtJs4修改版提供代码提示功能[图]

    转载:Eclipse+Spket插件+ExtJs4修改版提供代码提示功能[图] ExtJs是一种主要用于创建前端用户界面,是一个基本与后台技术无关的前端ajax框架.功能丰富,无人能出其右.无论是界面 ...

  3. [转载]基于TFS实践敏捷-修复Bug和执行代码评审

    本主题阐释了这些功能,以继续这一关注虚拟敏捷团队成员的一天的教程. Peter 忙于编写一些代码以完成积压工作 (backlog) 项任务.但是,他的同事发现了一个阻碍他们工作的 Bug,他想立即修复 ...

  4. 用6个字符写出任意的Javascript代码

    博客搬到了fresky.github.io - Dawei XU,请各位看官挪步.最新的一篇是:用6个字符写出任意的Javascript代码.

  5. WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞

    漏洞名称: WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞 CNNVD编号: CNNVD-201310-195 发布时间: ...

  6. 精心收集的 48 个 JavaScript 代码片段,仅需 30 秒就可理解!

    原文:https://github.com/Chalarangelo/30-seconds-of-code#anagrams-of-string-with-duplicates 作者:Chalaran ...

  7. 精心收集的 48 个 JavaScript 代码片段,仅需 30 秒就可理解

    原文:Chalarangelo  译文:IT168 https://github.com/Chalarangelo/30-seconds-of-code#anagrams-of-string-with ...

  8. phpMyAdmin setup.php脚本的任意PHP代码注入漏洞

    phpMyAdmin (/scripts/setup.php) PHP 注入代码 此漏洞代码在以下环境测试通过:      phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, ...

  9. 突破XSS字符限制执行任意JS代码

    突破XSS字符限制执行任意JS代码 一.综述 有些XSS漏洞由于字符数量有限制而没法有效的利用,只能弹出一个对话框来YY,本文主要讨论如何突破字符数量的限制进行有效的利用,这里对有效利用的定义是可以不 ...

随机推荐

  1. SVN提交代码的规范

       协同开发中SVN的使用规范 先更新,再提交 SVN更新的原则是要随时更新,随时提交.当完成了一个小功能,能够通过编译并且自己测试之后,谨慎地提交. 如果在修改的期间别人也更改了svn的对应文件, ...

  2. Ioc和Ao使用扩展

    一.Bean作用域 spring容器创建的时候,会将所有配置的bean对象创建出来,默认bean都是单例的.代码通过getBean()方法从容器获取指定的bean实例,容器首先会调用Bean类的无参构 ...

  3. split和join的用法

    第一点:split 直接举例子,比较直观, >>> f = 'www.baidu.com.cn' >>> f.split()['www.baidu.com.cn'] ...

  4. Compiler Error Message: CS0016: Could not write to output file 回绝访问

    Compiler Error Message: CS0016: Could not write to output file 'c:\Windows...dll' 拒绝访问 C:\Windows\Te ...

  5. [LeetCode] Lexicographical Numbers 字典顺序的数字

    Given an integer n, return 1 - n in lexicographical order. For example, given 13, return: [1,10,11,1 ...

  6. [LeetCode] Range Addition 范围相加

    Assume you have an array of length n initialized with all 0's and are given k update operations. Eac ...

  7. [LeetCode] Coin Change 硬币找零

    You are given coins of different denominations and a total amount of money amount. Write a function ...

  8. [LeetCode] Max Points on a Line 共线点个数

    Given n points on a 2D plane, find the maximum number of points that lie on the same straight line. ...

  9. NPOI操作EXCEL(五)——含合并单元格复杂表头的EXCEL解析

    我们在第三篇文章中谈到了那些非常反人类的excel模板,博主为了养家糊口,也玩命做出了相应的解析方法... 我们先来看看第一类复杂表头: ...... 博主称这类excel模板为略复杂表头模板(蓝色部 ...

  10. from表单提交数组

    页面代码: function submitForm(){ var categoryArray = new Array(); var $ss = $("select[name=industry ...