一个“神奇”的工具:把 JavaScript 代码转为 ()[]{}!+ 字符

2012-08-13 868216人围观 ,发现 13 个不明物体 工具

阿根廷的程序员Patricio Palladino 近期发布了一款工具,可以将JavaScript 代码转为 ()[]{}!+ 字符,各位跨站师,你懂得,春天来了。

Patricio Palladino提到开发该工具的原因是一位朋友在在IRC上问他一个问题,提到了sla.ckers.org上面有文章提到 “如何建立一些像alert(1)一样功能的但是非字母数字的字符”。这样就可以绕过一些IDS、IPS和WAF。所以他就开发了这款转换工具。

以下为该款工具的一些特性:

[和] 用来访问数组元素,对象的属性,得到数字和其他元素转换为字符串
(和) 调用函数和避免解析错误
+ 追加字符串
! 元素转换为布尔类型
{}  取得NaN和"[object Object]"

以下为该款工具转换出来的一段例子:

[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+[]]+([][+[]]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()([][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()(({}+[])[+[]])[+[]]+HEXA_VALUE)

这段代码的好处(对于黑客)是,它不包含任何字符或数字,可以逃过某些过滤器的检查。比如说,如果假定一个AJAX请求将返回一个只包含数字的JSON,于是很可能会简单判断了一下其中不含字母就直接eval了,结果给黑客们留下了后门。上面的代码功能很简单,但使用同样的原理,完全可以干出更复杂的事,例alert(document.cookie)。更重要的是,这段代码再一次提醒我们,黑客的想象力是无限的…

工具下载地址

GitHub地址

更多详细内容查看

这些评论亮了

  • 我想问一下,怎么把(![]+[])[+[]]+(![]+[])[!![]+!![]]+(![]+[])[+!![]]+[][(![]+[])这些变成正常的javascript啊?
    )140( 亮了
  • n0wthk 回复
    说白了就是为了绕过JS代码文本的安全检查:使用“较安全”的运算符做到保留字能做到的事。像以下这些字符串,都可以通过纯运算符运行出来:
    function、true、false、object、input、select.....
    以及完全包含26个字母了吧。几乎可以得到任何KEYWORD(保留字)了。其实老外开发开发这工具,是想引起关注:目前XSS漏洞解决方案仅靠输出时的check+filter仍旧不安全!
    )15( 亮了
  • zero 回复
    当年blackhat也放出了类似的编码,但是没工具出来,有位仁兄用这个东东alert了“I love you",作为情人节送给老婆的礼物,可以看这里
    http://stackoverflow.com/questions/5001529/how-can-i-say-love-without-character-or-digits-in-javascript
    )12( 亮了
  • hxxh (1级) 回复
    @ 我说, 把代码放到火狐的firebug的consloe窗口,把字符搞进去,应该就可以
    )6( 亮了
发表评论

已有 13 条评论

取消
Loading...
css.php