编程 Javascript

仅用[]()+!等符号就足以实现几乎任意Javascript代码

Posted in Javascript onMarch 01, 2010

请在Firefox下测试

看了下例子:
js代码
<script>
alert("hi there")
</script>
就等价于
<script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</scirpt>

它实现的原理，有一个码表

(NaN+[]["filter"])[11]', 
! window["atob"]("If")[0]', 
" ("").fontcolor()[12]', 
# window["atob"]("0iN")[1]', 
$ window["atob"]("0iT")[1]', 
% window["atob"]("0iW")[1]', 
& window["atob"]("0ia")[1]', 
' window["atob"]("0if")[1]', 
( (false+[]["filter"])[20]', 
) (false+[]["filter"])[21]', 
* window["atob"]("0ir")[1]', 
+ window["atob"]("0it")[1]', 
, window["atob"]("0iy")[1]', 
- (NaN+window["Date"]())[31]', 
. window["atob"]("1i4")[1]', 
/ (true+("")["sub"]())[10]', 
0-9 ignored*/ ,,,,,,,,,, 
: window["Date"]()[21]', 
; window["atob"]("O0")[0]', 
< ("")["sub"]()[0]', 
= ("").fontcolor()[11]', 
> ("")["sub"]()[10]', 
? window["atob"]("0j9")[1]', 
@ window["atob"]("00A")[1]', 
A (+[]+[]["constructor"])[10]', 
B (+[]+(false)["constructor"])[10]', 
C window["atob"]("00N")[1]', 
D window["btoa"](00)[1]', 
E window["btoa"](01)[2]', 
F (0+[]["filter"]["constructor"])[10]', 
G window["btoa"]("0f")[1]', 
H window["btoa"]("0t")[1]', 
I ("Infinity")[0]', 
J window["atob"]("00r")[1]', 
K window["btoa"]("(")[0]', 
L window["btoa"]("/")[0]', 
M window["btoa"](0)[0]', 
N ("NaN")[0]', 
O window["btoa"](8)[0]', 
P window["btoa"]("<")[0]', 
Q window["btoa"]("a")[1]', 
R window["atob"]("01I")[1]', 
S window["btoa"]("I")[0]', 
T window["btoa"]("N")[0]', 
U window["atob"]("01W")[1]', 
V window["atob"]("01a")[1]', 
W (true+window)[12]', 
X window["atob"]("01i")[1]', 
Y window["btoa"]("a")[0]', 
Z window["btoa"]("f")[0]', 
[ (undefined+[]["filter"])[33]', 
\ window["atob"]("01y")[1]', 
] (true+[]["filter"])[40]', 
^ window["atob"](014)[1]', 
_ window["atob"](018)[1]', 
` window["atob"]("02A")[1]', 
a ("false")[1]', 
b (window+[])[2]', 
c ([]["filter"]+[])[3]', 
d ("undefined")[2]', 
e ("true")[3]', 
f ("false")[0]', 
g ([]+("")["constructor"])[14]', 
h window["atob"]("aN")[0]', 
i ([false]+undefined)[10]', 
j (window+[])[3]', 
k window["atob"]("a0")[0]', 
l ("false")[2]', 
m (Number+[])[11]', 
n ("undefined")[1]', 
o (true+[]["filter"])[10]', 
p window["atob"]("cN")[0]', 
q window["atob"]("cf")[0]', 
r ("true")[1]', 
s ("false")[3]', 
t ("true")[0]', 
u ("undefined")[0]', 
v (0+[]["filter"])[30]', 
w ([]["sort"]["call"]()+[])[13]', 
x window["atob"]("eN")[0]', 
y (NaN+[Infinity])[10]', 
z window["atob"]("et")[0]', 
{ (NaN+[]["filter"])[21]', 
| window["atob"]("03y")[1]', 
} (NaN+[]["filter"])[41]', 
~ window["atob"](234)[1]'

拼接出来字符串 "eval"，如何把 "eval" 变成 eval() 呢？方法是
[]["sort"]["call"]()["eval"]
其中 []["sort"]["call"]() 等于 [].sort.call() ，等价于 window，所以上面 []["sort"]["call"]()["eval"] 就等价于 window.eval。
然后就是体力活了，把码表对应转换成 eval("blah blah") 这种形式就可以执行任意代码了
不同浏览器的码表不一样。Chrome和Firefox的index就不一样。
其实这个码表还可以通过 ·toLocal*()` 函数族扩展到Unicode，比fromCharCode要简短
原文:http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29

仅用[]()+!等符号就足以实现几乎任意Javascript代码

声明：登载此文出于传递更多信息之目的，并不意味着赞同其观点或证实其描述。

Javascript 相关文章推荐

javascript延时重复执行函数 lLoopRun.js

Jun 29 Javascript

动态样式类封装JS代码

Sep 02 Javascript

IE6/7/8中Option元素未设value时Select将获取空字符串

Apr 07 Javascript

JS Pro-深入面向对象的程序设计之继承的详解

May 07 Javascript

javascript中setInterval的用法

Jul 19 Javascript

ionic 上拉菜单(ActionSheet)实例代码

Jun 06 Javascript

整理关于Bootstrap排版的慕课笔记

Mar 29 Javascript

Vue实现带进度条的文件拖动上传功能

Feb 23 Javascript

react 创建单例组件的方法

Apr 26 Javascript

如何使用puppet替换文件中的string

Dec 06 Javascript

js实现无缝轮播图特效

May 09 Javascript

如何在VUE中使用vue-awesome-swiper

Jan 04 Vue.js

Javascript 网页水印(非图片水印)实现代码

Mar 01 #Javascript

使用js获取QueryString的方法小结

Feb 28 #Javascript

JQuery 将元素显示在屏幕的中央的代码

Feb 27 #Javascript

jquery 最简单易用的表单验证插件

Feb 27 #Javascript

JQuery团队打造的javascript单元测试工具QUnit介绍

Feb 26 #Javascript

getElementsByTagName vs selectNodes效率及兼容的selectNodes实现

Feb 26 #Javascript

JavaScript 空位补零实现代码

Feb 26 #Javascript

You might like

php学习之数组声明

2011/06/09 PHP

mac下安装nginx和php

2013/11/04 PHP

CI框架实现框架前后端分离的方法详解

2016/12/30 PHP

修改yii2.0用户登录使用的user表为其它的表实现方法(推荐)

2017/08/01 PHP

在laravel中实现ORM模型使用第二个数据库设置

2019/10/24 PHP

juqery 学习之五文档处理包裹、替换、删除、复制

2011/02/11 Javascript

瀑布流布局代码一例

2014/04/11 Javascript

JS使用for循环遍历Table的所有单元格内容

2014/08/21 Javascript

javascript trim函数在IE下不能用的解决方法

2014/09/12 Javascript

js与C#进行时间戳转换

2014/11/14 Javascript

使用CDN和AJAX加速WordPress中jQuery的加载

2015/12/05 Javascript

详解vue-router和vue-cli以及组件之间的传值

2017/07/04 Javascript

JavaScript上传文件时不用刷新页面方法总结（推荐）

2017/08/15 Javascript

Cropper.js 实现裁剪图片并上传(PC端)

2017/08/20 Javascript

bootstrap switch开关组件使用方法详解

2017/08/22 Javascript

vue2.0 和 animate.css的结合使用

2017/12/12 Javascript

React Form组件的实现封装杂谈

2018/05/07 Javascript

微信小程序methods中定义的方法互相调用的实例代码

2018/08/07 Javascript

详解vue-cli@2.x项目迁移日志

2019/06/06 Javascript

如何使用50行javaScript代码实现简单版的call,apply,bind

2019/08/14 Javascript

[02:04]2016国际邀请赛中国区预选赛VG.R晋级之路

2016/07/01 DOTA

轻松实现python搭建微信公众平台

2016/02/16 Python

Python实现二维数组输出为图片

2018/04/03 Python

Django框架中间件定义与使用方法案例分析

2019/11/28 Python

Python求两个字符串最长公共子序列代码实例

2020/03/05 Python

用HTML5制作烟火效果的教程

2015/05/12 HTML / CSS

JDK安装目录下有哪些内容

2014/08/25 面试题

简历中个人求职的自我评价模板

2013/11/29 职场文书

文秘专业个人求职信

2013/12/22 职场文书

商务考察邀请函范文

2014/01/21 职场文书

洗发露广告词

2014/03/14 职场文书

加强党性修养心得体会

2016/01/21 职场文书

2016简单的租房合同范本

2016/03/18 职场文书

2019餐饮行业创业计划书！

2019/06/27 职场文书

原来闭幕词是这样写的呀！

2019/07/01 职场文书

OpenStack虚拟机快照和增量备份实现方法

2022/04/04 Servers