FaiChou
2021-07-14 15:11:25 +08:00
I have seen hijacking code like this:
```
['son']["\x66\x69\x6c\x74\x65\x72"]["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"](((['son']+[])["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"]['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']['\x61\x70\x70\x6c\x79'](null,"xxxxxxxx...xxx"['\x73\x70\x6c\x69\x74'](/[a-zA-Z]{1,}/))))('son');
```
With the hex escapes converted to strings it becomes the code below, which is still very obscure:
```
['son']["filter"]["constructor"](((['son'] + [])["constructor"]['fromCharCode']['apply'](null, "xxxxxxxx...xxx"['split'](/[a-zA-Z]{1,}/))))('son');
```
Breaking it down:
```
(['son'] + [])["constructor"]
```
The expression above 👆 is actually a constructor, `f String() {}`
```
"xxxxxxxx...xxx"['split'](/[a-zA-Z]{1,}/)
```
The expression above 👆 runs str.split(/[a-zA-Z]{1,}/), which strips the letter portions out of str and leaves the rest as an array; that letter-split array is then passed to `String.fromCharCode([88, 111, 222....])`.
In the end it translates into ordinary JS code.
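An added example (not from the post above): a static decoder for the two layers described, hex-escaped property names and the letter-separated char-code payload, that recovers the hidden code without ever executing it. The snippet `SAMPLE` is constructed for this example with the same shape as the original; its payload decodes to `alert(1)`.

```javascript
// Layer 1: property names written as hex escapes in the source text,
// e.g. "\x66\x69\x6c\x74\x65\x72" -> "filter".
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 2: the payload is digit runs separated by letters. The code splits on
// /[a-zA-Z]{1,}/ and hands the pieces to String.fromCharCode.apply(null, ...),
// which coerces each string piece to a number (an empty piece becomes "\u0000").
// Reproduce exactly that, but without the Function constructor call around it.
function decodeCharCodePayload(payload) {
  const parts = payload.split(/[a-zA-Z]{1,}/);
  return String.fromCharCode(...parts);
}

// Decode a full snippet: un-hex the property names, flag the
// ["filter"]["constructor"] trick (Array.prototype.filter.constructor === Function),
// pull out the string literal fed to ['split'](/[a-zA-Z]{1,}/) and decode it.
function analyzeSnippet(src) {
  const plain = decodeHexEscapes(src);
  const usesFunctionCtor = /\["filter"\]\["constructor"\]/.test(plain);
  const m = plain.match(/"([^"]*)"\['split'\]\(\/\[a-zA-Z\]\{1,\}\/\)/);
  const hidden = m ? decodeCharCodePayload(m[1]) : null;
  return { plain, usesFunctionCtor, hidden };
}

// Constructed sample in the shape of the original; the payload encodes alert(1)
// as 97 108 101 114 116 40 49 41 with letters as separators.
const SAMPLE = String.raw`['son']["\x66\x69\x6c\x74\x65\x72"]["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"](((['son']+[])["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"]['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']['\x61\x70\x70\x6c\x79'](null,"97ab108cd101ef114gh116ij40kl49mn41"['\x73\x70\x6c\x69\x74'](/[a-zA-Z]{1,}/))))('son');`;

const result = analyzeSnippet(SAMPLE);
console.log(result.usesFunctionCtor); // true
console.log(result.hidden);           // alert(1)
```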