研究 XSS 过滤只是很好奇这种 js 是怎么样编码的?

2014-09-28 16:23:57 +08:00
 lshero
xss一些人用unicode字符来替换关键字已经很常见了但是对于这种代码是怎么执行的比较好奇


<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script>
4448 次点击
所在节点    JavaScript
10 条回复
cxe2v
2014-09-28 16:26:20 +08:00
应该是有个map可以映射unicode和关键字
lshero
2014-09-28 16:33:41 +08:00
@cxe2v 搜索了一下貌似是这种映射
http://www.cnblogs.com/pandora/archive/2010/02/27/1674833.html
突然觉得要把 0-9 a-z凑齐的话那也应该算是蛮拼的了吧。
woodthom
2014-09-28 16:34:56 +08:00
http://utf-8.jp/public/jsfuck.html
lshero
2014-09-28 16:35:19 +08:00
@woodthom 好东西收藏之
emric
2014-09-28 17:04:21 +08:00
之前研究过, 这类代码仅在 JS 文件或 Script 标签能运行, 转义好字符就没有太大问题了.
Mutoo
2014-09-28 17:50:20 +08:00
研究过类似的 http://blog.mutoo.im/2014/02/make-the-heart-shape-code.html
ichou
2014-09-28 18:52:32 +08:00
@woodthom 这个已经坏了 =。=-
zzNucker
2014-09-28 19:18:12 +08:00
这不是jsfuck么
willwen
2014-09-28 22:31:33 +08:00
jsfuck,請Google
zqhong
2014-09-30 06:45:00 +08:00
@ichou http://www.jsfuck.com/

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/136172

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX