当前位置:网站首页>Talking about jsfuck coding
Talking about jsfuck coding
2022-08-10 23:32:00 【ek1ng】
参考: https://zh.wikipedia.org/wiki/JSFuckhttps://blog.csdn.net/qq_36539075/category_7591719.htmlhttps://chinese.freecodecamp.org/news/javascript-implicit-type-conversion/
前言
第一次看到jsfuckcoding is stillhgame 2022的week1中一个在线小游戏的ctf题目,Just found a paragraph in the comments that has a lot[]的内容,After searching it was foundjsfuck编码,Execute it in the console and getflag,其实也不是很懂jsfuck的原理,It just feels weird,I saw it again today in a security-related articlejsfuck cheat sheetSo I want to know about the deeplyjsfuck.
什么是jsfuck
先贴一段wiki对jsfuck的解释,JSFuck是一种深奥的 JavaScript编程风格.written in this style代码中仅使用 [
、]
、(
、)
、!
和 +
六种字符.this programming style名字派生Since writing code using fewer symbolsBrainfuck语言.与其他深奥的编程语言不同,以JSFuckCode written in style does not require additional编译器或解释器来执行,无论浏览器或JavaScript引擎中的原生 JavaScript 解释器皆可直接运行.鉴于 JavaScript 是弱类型语言,编写者可以用数量有限的字符重写 JavaScript 中的所有功能,且可以用这种方式执行任何类型的表达式.
Why can just use6character encodingjs
obviously a paragraphjscode only6character to write,There is no doubt that many keywords can be bypassed,But before using it, there will be a question why it is possible to encode a paragraph like thisjs代码.
其实这是由于js的隐式类型转换导致的,对于逻辑表达式[]==![]
,js会返回true
First, let's talk about operators==
的运算规则
NaN
和其他任何类型比较永远返回false
(包括和他自己)NaN == NaN // false
Boolean
和其他任何类型比较,Boolean 首先被转换为 Number 类型.true == '2' // false true -> 1
String
和Number
比较,先将String
转换为Number
类型.123 == '123' // true, '123' -> 123
null == undefined
比较结果是true
,除此之外,null
、undefined
和其他任何结果的比较值都为false
.原始类型
和引用类型
做比较时,引用类型会依照ToPrimitive
规则转换为原始类型.
️
ToPrimitive
规则,是引用类型向原始类型转变的规则,它遵循先valueOf
后toString
的模式期望得到一个原始类型.如果还是没法得到一个原始类型,就会抛出TypeError
.
我们再来看看[]==![]
,Negative operation has the highest priority,[]
是空数组,Negate an empty array to getfalse
,那么[]==![]
会变成 []==false
,然后因为Boolean
和其他任何类型比较,Boolean 首先被转换为 Number 类型,false -> 0
,变成[]==0
,然后再因为原始类型
和引用类型
做比较时,引用类型会依照ToPrimitive
规则转换为原始类型,[].valueOf().toString()
的值为''
,String
和``Numbercomparison will
String转换成
Number,也就是
‘’ -> 0,最终变成
0==0`得到true.
After understanding the above example, you will find that,jsThe implicit type conversion allows us to combine the above6symbols to replace some of the characters we want,symbols, etc.,所以这也是为什么jsThe code can be as simple as this6symbols used to express,Of course, it's hard to believe that,Let's analyze how to usejsfuck编码alert()
.
Digital is simpler1有0We keep adding as much as we want,Then we definitely need26characters right?,That character is actually intercepted.,alert
的话我们可以用true
和false
Intercept can be achieved
'a' == 'false'[1] == (false + '')[1] == (![]+[])[+!+[]]
'l' == 'false'[2] == (false + '')[2] == (![]+[])[!+[]+!+[]]
'e' == 'true'[0] == (true + '')[3] == (!![]+[])[!+[]+!+[]+!+[]]
'r' == 'true'[0] == (true + '')[1] == (!![]+[])[+!+[]]
't' == 'true'[0] == (true + '')[0] == (!![]+[])[+[]]
'alert' == (![]+[])[+!+[]] + (![]+[])[!+[]+!+[]] + (!![]+[])[!+[]+!+[]+!+[]] + (!![]+[])[+!+[]] + (!![]+[])[+[]]
但是26How about the other letters?,我们这里看一下jsfuck的官方仓库How to get the specified character in,The more characters need to seejsfuck的源码啦
'a': '(false+"")[1]',
'b': '([]["entries"]()+"")[2]',
'c': '([]["flat"]+"")[3]',
'd': '(undefined+"")[2]',
'e': '(true+"")[3]',
'f': '(false+"")[0]',
'g': '(false+[0]+String)[20]',
'h': '(+(101))["to"+String["name"]](21)[1]',
'i': '([false]+undefined)[10]',
'j': '([]["entries"]()+"")[3]',
'k': '(+(20))["to"+String["name"]](21)',
'l': '(false+"")[2]',
'm': '(Number+"")[11]',
'n': '(undefined+"")[1]',
'o': '(true+[]["flat"])[10]',
'p': '(+(211))["to"+String["name"]](31)[1]',
'q': '("")["fontcolor"]([0]+false+")[20]',
'r': '(true+"")[1]',
's': '(false+"")[3]',
't': '(true+"")[0]',
'u': '(undefined+"")[0]',
'v': '(+(31))["to"+String["name"]](32)',
'w': '(+(32))["to"+String["name"]](33)',
'x': '(+(101))["to"+String["name"]](34)[1]',
'y': '(NaN+[Infinity])[10]',
'z': '(+(35))["to"+String["name"]](36)',
利用jsfuck绕过过滤
因为jsfuck只用6个字符编码,In this way, you can often bypass some detection of malicious code,See most of penetration testsjsfuckThe use is to circumventXSS的过滤,比如这篇文章,文章中xss的payload结合jsfuck编码绕过对alert
Use of some dangerous functions.ctfI have never seenjsfuckBypassing the Filtering Question,only saw onejsdirectly in the codeflag的题,So no chance to study them carefully,也许明年hgameYou can make an interesting testhhh.
边栏推荐
- PlaidCTF 2022 Amongst Ourselves: Shipmate writeup
- HGAME 2022 Final writeup
- HGAME 2022 复盘 writeup
- 【uniapp】uniapp微信小程序开发:启动微信开发者工具提示no such file or directory错误
- 鹏城杯 2022 web/misc writeup
- 面试官: AMS在Android起到什么作用,简单的分析下Android的源码
- 实例053:按位异或
- Kotlin 由浅入深,带你搞懂协程异常处理的那点事
- HCTF 2018 WarmUP writeup
- Tencent Cloud Lightweight Application Server Configuration and Website Building Tutorial
猜你喜欢
随机推荐
高精度减法
房间虚拟样板间vr制作及价格
Kotlin 由浅入深,带你搞懂协程异常处理的那点事
CW617N锡青铜 CuZn40Pb2对应牌号
风控逻辑利器---规则引擎
如何利用fiddler连接手机抓包APP
怎么关闭电脑广告
正交基(线性代数)
有趣并发性能分享:线程池为什么设计成这样?
【秋招】【更新中ing】手撕代码系列
PlaidCTF 2022 Amongst Ourselves: Shipmate writeup
XSLeaks 侧信道攻击 (unfinished)
完全自定义MaterialButtonToggleGroup颜色。
服务器上行带宽和下行带宽指的是什么
二叉树 | 层序遍历 | leecode刷题笔记
Kubernetes 维护技术分享
DASCTF 2022 7月赋能赛 writeup
Android面试冲刺:2022全新面试题——剑指Offer(备战金九银十)
信息系统项目管理师核心考点(六十五)信息安全基础知识网络安全
mysql数据库高级操作