The symbols []()+! alone are enough to implement almost any JavaScript code
Please test in Firefox.
Looking at the example:
JS code:
<script>
alert("hi there")
</script>
is equivalent to
<script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![
]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</script>
It works from a code table that maps each character to an expression that evaluates to it:
(space) (NaN+[]["filter"])[11]
! window["atob"]("If")[0]
" ("").fontcolor()[12]
# window["atob"]("0iN")[1]
$ window["atob"]("0iT")[1]
% window["atob"]("0iW")[1]
& window["atob"]("0ia")[1]
' window["atob"]("0if")[1]
( (false+[]["filter"])[20]
) (false+[]["filter"])[21]
* window["atob"]("0ir")[1]
+ window["atob"]("0it")[1]
, window["atob"]("0iy")[1]
- (NaN+window["Date"]())[31]
. window["atob"]("1i4")[1]
/ (true+("")["sub"]())[10]
0-9 (ignored)
: window["Date"]()[21]
; window["atob"]("O0")[0]
< ("")["sub"]()[0]
= ("").fontcolor()[11]
> ("")["sub"]()[10]
? window["atob"]("0j9")[1]
@ window["atob"]("00A")[1]
A (+[]+[]["constructor"])[10]
B (+[]+(false)["constructor"])[10]
C window["atob"]("00N")[1]
D window["btoa"]("00")[1]
E window["btoa"]("01")[2]
F (0+[]["filter"]["constructor"])[10]
G window["btoa"]("0f")[1]
H window["btoa"]("0t")[1]
I ("Infinity")[0]
J window["atob"]("00r")[1]
K window["btoa"]("(")[0]
L window["btoa"]("/")[0]
M window["btoa"](0)[0]
N ("NaN")[0]
O window["btoa"](8)[0]
P window["btoa"]("<")[0]
Q window["btoa"]("a")[1]
R window["atob"]("01I")[1]
S window["btoa"]("I")[0]
T window["btoa"]("N")[0]
U window["atob"]("01W")[1]
V window["atob"]("01a")[1]
W (true+window)[12]
X window["atob"]("01i")[1]
Y window["btoa"]("a")[0]
Z window["btoa"]("f")[0]
[ (undefined+[]["filter"])[33]
\ window["atob"]("01y")[1]
] (true+[]["filter"])[40]
^ window["atob"]("014")[1]
_ window["atob"]("018")[1]
` window["atob"]("02A")[1]
a ("false")[1]
b (window+[])[2]
c ([]["filter"]+[])[3]
d ("undefined")[2]
e ("true")[3]
f ("false")[0]
g ([]+("")["constructor"])[14]
h window["atob"]("aN")[0]
i ([false]+undefined)[10]
j (window+[])[3]
k window["atob"]("a0")[0]
l ("false")[2]
m (Number+[])[11]
n ("undefined")[1]
o (true+[]["filter"])[10]
p window["atob"]("cN")[0]
q window["atob"]("cf")[0]
r ("true")[1]
s ("false")[3]
t ("true")[0]
u ("undefined")[0]
v (0+[]["filter"])[30]
w ([]["sort"]["call"]()+[])[13]
x window["atob"]("eN")[0]
y (NaN+[Infinity])[10]
z window["atob"]("et")[0]
{ (NaN+[]["filter"])[21]
| window["atob"]("03y")[1]
} (NaN+[]["filter"])[41]
~ window["atob"](234)[1]
Once the string "eval" has been concatenated, how do you turn "eval" into eval()? The method is:
[]["sort"]["call"]()["eval"]
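Here []["sort"]["call"]() is the same as [].sort.call(), which is equivalent to window, so the []["sort"]["call"]()["eval"] above is equivalent to window.eval.
The rest is grunt work: use the code table to convert the code into the form eval("blah blah"), and arbitrary code can then be executed.
The code table differs between browsers. The indexes in Chrome and Firefox are not the same.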
In fact, this code table can also be extended to Unicode through the `toLocal*()` family of functions, which is shorter than using fromCharCode.
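The table lookups above can be re-checked in whichever engine a sample is being analysed for. The following is an added example, not code from the original page: it evaluates a constructed selection of table rows, together with symbol-only fragments that occur in the page's payload, and reports which rows no longer match and whether `[].sort.call()` still returns the global object. The names `ROWS`, `evaluate`, `checkTable` and `sortCallYieldsGlobal` are assumptions made for this example.

```javascript
// Added example: re-check code-table entries in the engine running this file.
// Each row is [character, table expression from the page, symbols-only
// fragment from the page's payload or null]. The row selection is constructed.
const ROWS = [
  ["a", '("false")[1]',             "(![]+[])[+!+[]]"],
  ["t", '("true")[0]',              "(!![]+[])[+[]]"],
  ["i", "([false]+undefined)[10]",  "([![]]+[][[]])[+!+[]+[+[]]]"],
  ["y", "(NaN+[Infinity])[10]",     null],
  [" ", '(NaN+[]["filter"])[11]',   null],
  ["(", '(false+[]["filter"])[20]', null],
  ["v", '(0+[]["filter"])[30]',     null], // offset into the "[native code]" text
  ["!", 'window["atob"]("If")[0]',  null],
];

// Evaluate one expression with `window` bound to the global object, so the
// table's window[...] lookups also resolve outside a browser.
function evaluate(expr) {
  try {
    return { value: new Function("window", "return " + expr)(globalThis) };
  } catch (err) {
    return { error: err.name };
  }
}

// Compare every row against what this engine actually produces.
function checkTable(rows = ROWS) {
  return rows.map(([ch, tableExpr, symbolExpr]) => {
    const fromTable = evaluate(tableExpr);
    const fromSymbols = symbolExpr ? evaluate(symbolExpr) : null;
    return {
      ch,
      tableOk: fromTable.value === ch,
      symbolsOk: fromSymbols ? fromSymbols.value === ch : null,
      got: fromTable.error || fromTable.value,
    };
  });
}

// The page obtains window from [].sort.call(); report whether this engine
// still returns the global object or rejects the call.
function sortCallYieldsGlobal() {
  try {
    return [].sort.call() === globalThis;
  } catch (err) {
    return false;
  }
}

console.table(checkTable());
console.log("[].sort.call() yields global object:", sortCallYieldsGlobal());
```

Rows such as `v`, which index into the engine's native-function source text, are the ones that differ between engines. Current ECMAScript-conforming engines throw a TypeError on `[].sort.call()` instead of returning the global object.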
Original: http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29