Talking about jsfuck coding

参考: https://zh.wikipedia.org/wiki/JSFuckhttps://blog.csdn.net/qq_36539075/category_7591719.htmlhttps://chinese.freecodecamp.org/news/javascript-implicit-type-conversion/

前言

第一次看到jsfuckcoding is stillhgame 2022的week1中一个在线小游戏的ctf题目,Just found a paragraph in the comments that has a lot[]的内容,After searching it was foundjsfuck编码,Execute it in the console and getflag,其实也不是很懂jsfuck的原理,It just feels weird,I saw it again today in a security-related articlejsfuck cheat sheetSo I want to know about the deeplyjsfuck.

什么是jsfuck

先贴一段wiki对jsfuck的解释,JSFuck是一种深奥的 JavaScript编程风格.written in this style代码中仅使用 [、]、(、)、! 和 + 六种字符.this programming style名字派生Since writing code using fewer symbolsBrainfuck语言.与其他深奥的编程语言不同,以JSFuckCode written in style does not require additional编译器或解释器来执行,无论浏览器或JavaScript引擎中的原生 JavaScript 解释器皆可直接运行.鉴于 JavaScript 是弱类型语言,编写者可以用数量有限的字符重写 JavaScript 中的所有功能,且可以用这种方式执行任何类型的表达式.

Why can just use6character encodingjs

obviously a paragraphjscode only6character to write,There is no doubt that many keywords can be bypassed,But before using it, there will be a question why it is possible to encode a paragraph like thisjs代码.

其实这是由于js的隐式类型转换导致的,对于逻辑表达式[]==![],js会返回true

First, let's talk about operators==的运算规则

• NaN和其他任何类型比较永远返回false（包括和他自己）NaN == NaN // false
• Boolean 和其他任何类型比较,Boolean 首先被转换为 Number 类型.true == '2' // false true -> 1
• String和Number比较,先将String转换为Number类型.123 == '123' // true, '123' -> 123
• null == undefined比较结果是true,除此之外,null、undefined和其他任何结果的比较值都为false.
• 原始类型和引用类型做比较时,引用类型会依照ToPrimitive规则转换为原始类型.

️ToPrimitive规则,是引用类型向原始类型转变的规则,它遵循先valueOf后toString的模式期望得到一个原始类型.如果还是没法得到一个原始类型,就会抛出 TypeError.

我们再来看看[]==![],Negative operation has the highest priority,[]是空数组,Negate an empty array to getfalse,那么[]==![] 会变成 []==false,然后因为Boolean 和其他任何类型比较,Boolean 首先被转换为 Number 类型,false -> 0,变成[]==0,然后再因为原始类型和引用类型做比较时,引用类型会依照ToPrimitive规则转换为原始类型,[].valueOf().toString()的值为'',String和``Numbercomparison willString转换成Number,也就是‘’ -> 0,最终变成0==0`得到true.

After understanding the above example, you will find that,jsThe implicit type conversion allows us to combine the above6symbols to replace some of the characters we want,symbols, etc.,所以这也是为什么jsThe code can be as simple as this6symbols used to express,Of course, it's hard to believe that,Let's analyze how to usejsfuck编码alert().

Digital is simpler1有0We keep adding as much as we want,Then we definitely need26characters right?,That character is actually intercepted.,alert的话我们可以用true和falseIntercept can be achieved

'a' == 'false'[1] == (false + '')[1] == (![]+[])[+!+[]]
'l' == 'false'[2] ==  (false + '')[2] == (![]+[])[!+[]+!+[]]
'e' == 'true'[0] == (true + '')[3] == (!![]+[])[!+[]+!+[]+!+[]]
'r' == 'true'[0] == (true + '')[1] == (!![]+[])[+!+[]] 
't' == 'true'[0] == (true + '')[0] == (!![]+[])[+[]]
'alert' == (![]+[])[+!+[]] + (![]+[])[!+[]+!+[]] + (!![]+[])[!+[]+!+[]+!+[]] + (!![]+[])[+!+[]] + (!![]+[])[+[]]

但是26How about the other letters?,我们这里看一下jsfuck的官方仓库How to get the specified character in,The more characters need to seejsfuck的源码啦

'a':   '(false+"")[1]',
'b':   '([]["entries"]()+"")[2]',
'c':   '([]["flat"]+"")[3]',
'd':   '(undefined+"")[2]',
'e':   '(true+"")[3]',
'f':   '(false+"")[0]',
'g':   '(false+[0]+String)[20]',
'h':   '(+(101))["to"+String["name"]](21)[1]',
'i':   '([false]+undefined)[10]',
'j':   '([]["entries"]()+"")[3]',
'k':   '(+(20))["to"+String["name"]](21)',
'l':   '(false+"")[2]',
'm':   '(Number+"")[11]',
'n':   '(undefined+"")[1]',
'o':   '(true+[]["flat"])[10]',
'p':   '(+(211))["to"+String["name"]](31)[1]',
'q':   '("")["fontcolor"]([0]+false+")[20]',
'r':   '(true+"")[1]',
's':   '(false+"")[3]',
't':   '(true+"")[0]',
'u':   '(undefined+"")[0]',
'v':   '(+(31))["to"+String["name"]](32)',
'w':   '(+(32))["to"+String["name"]](33)',
'x':   '(+(101))["to"+String["name"]](34)[1]',
'y':   '(NaN+[Infinity])[10]',
'z':   '(+(35))["to"+String["name"]](36)',

利用jsfuck绕过过滤

​ 因为jsfuck只用6个字符编码,In this way, you can often bypass some detection of malicious code,See most of penetration testsjsfuckThe use is to circumventXSS的过滤,比如这篇文章,文章中xss的payload结合jsfuck编码绕过对alertUse of some dangerous functions.ctfI have never seenjsfuckBypassing the Filtering Question,only saw onejsdirectly in the codeflag的题,So no chance to study them carefully,也许明年hgameYou can make an interesting testhhh.