Source: http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29
Test it in Firefox.
Looking at the example:
JS code
<script>
alert("hi there")
</script>
is equivalent to
<script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</script>
How it works: there is a lookup table that maps each character to an expression producing it. The identifier strings inside those expressions ("filter", "atob", "sort", ...) are themselves spelled out from the same table, recursively, until everything reduces to `[]`, `!`, `+`, `()` and a few other punctuation characters. The indices below are what the expressions yield in the Firefox of the time:
- ' ' (space) (NaN+[]["filter"])[11]
- ! window["atob"]("If")[0]
- " ("").fontcolor()[12]
- # window["atob"]("0iN")[1]
- $ window["atob"]("0iT")[1]
- % window["atob"]("0iW")[1]
- & window["atob"]("0ia")[1]
- ' window["atob"]("0if")[1]
- ( (false+[]["filter"])[20]
- ) (false+[]["filter"])[21]
- * window["atob"]("0ir")[1]
- + window["atob"]("0it")[1]
- , window["atob"]("0iy")[1]
- - (NaN+window["Date"]())[31]
- . window["atob"]("1i4")[1]
- / (true+("")["sub"]())[10]
- 0-9 not in the table: digits are built as numbers (+[] is 0, +!+[] is 1, !+[]+!+[] is 2, ...) and stringified with +[] when needed
- : window["Date"]()[21]
- ; window["atob"]("O0")[0]
- < ("")["sub"]()[0]
- = ("").fontcolor()[11]
- > ("")["sub"]()[10]
- ? window["atob"]("0j9")[1]
- @ window["atob"]("00A")[1]
- A (+[]+[]["constructor"])[10]
- B (+[]+(false)["constructor"])[10]
- C window["atob"]("00N")[1]
- D window["btoa"]("00")[1]
- E window["btoa"]("01")[2]
- F (0+[]["filter"]["constructor"])[10]
- G window["btoa"]("0f")[1]
- H window["btoa"]("0t")[1]
- I ("Infinity")[0]
- J window["atob"]("00r")[1]
- K window["btoa"]("(")[0]
- L window["btoa"]("/")[0]
- M window["btoa"](0)[0]
- N ("NaN")[0]
- O window["btoa"](8)[0]
- P window["btoa"]("<")[0]
- Q window["btoa"]("a")[1]
- R window["atob"]("01I")[1]
- S window["btoa"]("I")[0]
- T window["btoa"]("N")[0]
- U window["atob"]("01W")[1]
- V window["atob"]("01a")[1]
- W (true+window)[12]
- X window["atob"]("01i")[1]
- Y window["btoa"]("a")[0]
- Z window["btoa"]("f")[0]
- [ (undefined+[]["filter"])[33]
- \ window["atob"]("01y")[1]
- ] (true+[]["filter"])[40]
- ^ window["atob"]("014")[1]
- _ window["atob"]("018")[1]
- ` window["atob"]("02A")[1]
- a ("false")[1]
- b (window+[])[2]
- c ([]["filter"]+[])[3]
- d ("undefined")[2]
- e ("true")[3]
- f ("false")[0]
- g ([]+("")["constructor"])[14]
- h window["atob"]("aN")[0]
- i ([false]+undefined)[10]
- j (window+[])[3]
- k window["atob"]("a0")[0]
- l ("false")[2]
- m (Number+[])[11]
- n ("undefined")[1]
- o (true+[]["filter"])[10]
- p window["atob"]("cN")[0]
- q window["atob"]("cf")[0]
- r ("true")[1]
- s ("false")[3]
- t ("true")[0]
- u ("undefined")[0]
- v (0+[]["filter"])[30]
- w ([]["sort"]["call"]()+[])[13]
- x window["atob"]("eN")[0]
- y (NaN+[Infinity])[10]
- z window["atob"]("et")[0]
- { (NaN+[]["filter"])[21]
- | window["atob"]("03y")[1]
- } (NaN+[]["filter"])[41]
- ~ window["atob"]("234")[1]
With the table you can spell out the string "eval"; how do you turn the string "eval" into a callable eval()? The method is
[]["sort"]["call"]()["eval"]
Here `[]["sort"]["call"]()` is `[].sort.call()`. In the Firefox of the time a sloppy-mode built-in called with an undefined `this` fell back to the global object, so the call returned `window`, and `[]["sort"]["call"]()["eval"]` is therefore `window.eval`. ES5-compliant engines, current Firefox and Chrome included, throw a TypeError here because `Array.prototype.sort` applies ToObject to its `this` value; the portable route to code execution is `[]["filter"]["constructor"]`, the Function constructor the table already uses for `F`, called with the encoded source and then invoked.
The rest is manual labour: spell out eval("blah blah") from the table character by character, and you can execute arbitrary code.
The table differs between browsers; the indices in Chrome and Firefox are not the same. Entries taken from `Function.prototype.toString` output (`[`, `]`, `}`, `v` and the like) depend on how the engine formats native functions, and the `-` entry taken from `Date()` depends on the local timezone having a negative UTC offset.
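The encoder below is an added example, not the original site's generator or the table above. It applies the same idea as the table and the eval procedure (spell every needed string from `false`, `true`, `undefined`, `NaN`, `Infinity`, `[object Object]` and the engine's own `[]["filter"]+[]` output), but builds the engine-dependent part of the table at runtime from `String([].filter)` instead of hardcoding Firefox indices, handles digits as numbers, and reaches code execution through `[]["filter"]["constructor"]` (the Function constructor) rather than `[]["sort"]["call"]()`, which only returned `window` in older Firefox. The names `num`, `buildTable`, `encodeString`, `encodeCall`, `isNonAlnum` and `evaluate` are this example's own.

```javascript
// Added example: a minimal JSFuck-style non-alphanumeric encoder.
// Not the page's generator; it derives indices from the running engine.

// Number n written with only [], + and !:
//   +[] === 0, +!+[] === 1, !+[]+!+[] === 2 (true+true), and so on.
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+');
}

// Base strings reachable from primitive coercions in any ES engine;
// their spelling never varies, unlike Function.prototype.toString output.
const ATOMS = [
  ['(![]+[])',       'false'],
  ['(!![]+[])',      'true'],
  ['([][[]]+[])',    'undefined'],
  ['(+[![]]+[])',    'NaN'],
  ['(+!+[]/+[]+[])', 'Infinity'],        // 1/0, stringified
  ['([]+{})',        '[object Object]'],
];

// Spell string s as a '+'-joined chain of table[c] expressions.
function encode(s, table) {
  return [...s].map(c => {
    if (!(c in table)) throw new Error(`no non-alphanumeric spelling for ${JSON.stringify(c)}`);
    return table[c];
  }).join('+');
}

function buildTable() {
  const table = Object.create(null);   // no inherited keys such as 'constructor'
  const addString = (expr, str) => {
    for (let i = 0; i < str.length; i++) {
      if (!(str[i] in table)) table[str[i]] = `${expr}[${num(i)}]`;
    }
  };
  for (const [expr, str] of ATOMS) addString(expr, str);
  // Digits (the page's table skips them): (n+[]) stringifies the number n.
  for (let d = 0; d <= 9; d++) table[String(d)] = `(${num(d)}+[])`;
  // Engine-dependent part: []["filter"]+[] is whatever the engine prints for
  // a native function. The page's indices assume old Firefox's
  // "function filter() {\n    [native code]\n}"; V8 prints one line.
  // Reading String([].filter) at runtime keeps the indices correct here.
  const filterExpr = `([][${encode('filter', table)}]+[])`;
  addString(filterExpr, String([].filter));
  return table;
}

const TABLE = buildTable();

function encodeString(s) {
  return encode(s, TABLE);
}

// []["filter"]["constructor"] is the Function constructor, so
// ctor(source)() runs arbitrary code without needing window or eval.
function encodeCall(source) {
  const filter = `[][${encodeString('filter')}]`;
  return `${filter}[${encodeString('constructor')}](${encodeString(source)})()`;
}

// Checks a practitioner wants before pasting the result anywhere:
// no letter or digit survived, and it still evaluates to what was encoded.
function isNonAlnum(expr) {
  return !/[A-Za-z0-9]/.test(expr);
}

function evaluate(expr) {
  return Function('return ' + expr)();
}

// Usage: the payload alert(1) is only spelled here, never executed;
// the second line executes a harmless Function("return 42")().
const spelled = encodeString('alert(1)');
console.log(isNonAlnum(spelled), evaluate(spelled));
console.log(isNonAlnum(encodeCall('return 42')), evaluate(encodeCall('return 42')));
```

Because the `[`, `]`, `}` and `v` entries are derived from `String([].filter)` on the engine that runs the script, the index that ends up in `TABLE['[']` on V8 is not the 33 the page lists for Firefox, which is exactly the cross-browser difference noted above; a character the base strings cannot supply (for example `"` or `*`) makes `encodeString` throw rather than silently emit a wrong index.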
The table can also be extended to Unicode through the `toLocale*()` family of functions, which is shorter than going through fromCharCode.