编程 Javascript

仅用[]()+!等符号就足以实现几乎任意Javascript代码

Posted in Javascript onMarch 01, 2010

请在Firefox下测试

看了下例子:
js代码
<script>
alert("hi there")
</script>
就等价于
<script>
([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])
</scirpt>

它实现的原理，有一个码表

(NaN+[]["filter"])[11]', 
! window["atob"]("If")[0]', 
" ("").fontcolor()[12]', 
# window["atob"]("0iN")[1]', 
$ window["atob"]("0iT")[1]', 
% window["atob"]("0iW")[1]', 
& window["atob"]("0ia")[1]', 
' window["atob"]("0if")[1]', 
( (false+[]["filter"])[20]', 
) (false+[]["filter"])[21]', 
* window["atob"]("0ir")[1]', 
+ window["atob"]("0it")[1]', 
, window["atob"]("0iy")[1]', 
- (NaN+window["Date"]())[31]', 
. window["atob"]("1i4")[1]', 
/ (true+("")["sub"]())[10]', 
0-9 ignored*/ ,,,,,,,,,, 
: window["Date"]()[21]', 
; window["atob"]("O0")[0]', 
< ("")["sub"]()[0]', 
= ("").fontcolor()[11]', 
> ("")["sub"]()[10]', 
? window["atob"]("0j9")[1]', 
@ window["atob"]("00A")[1]', 
A (+[]+[]["constructor"])[10]', 
B (+[]+(false)["constructor"])[10]', 
C window["atob"]("00N")[1]', 
D window["btoa"](00)[1]', 
E window["btoa"](01)[2]', 
F (0+[]["filter"]["constructor"])[10]', 
G window["btoa"]("0f")[1]', 
H window["btoa"]("0t")[1]', 
I ("Infinity")[0]', 
J window["atob"]("00r")[1]', 
K window["btoa"]("(")[0]', 
L window["btoa"]("/")[0]', 
M window["btoa"](0)[0]', 
N ("NaN")[0]', 
O window["btoa"](8)[0]', 
P window["btoa"]("<")[0]', 
Q window["btoa"]("a")[1]', 
R window["atob"]("01I")[1]', 
S window["btoa"]("I")[0]', 
T window["btoa"]("N")[0]', 
U window["atob"]("01W")[1]', 
V window["atob"]("01a")[1]', 
W (true+window)[12]', 
X window["atob"]("01i")[1]', 
Y window["btoa"]("a")[0]', 
Z window["btoa"]("f")[0]', 
[ (undefined+[]["filter"])[33]', 
\ window["atob"]("01y")[1]', 
] (true+[]["filter"])[40]', 
^ window["atob"](014)[1]', 
_ window["atob"](018)[1]', 
` window["atob"]("02A")[1]', 
a ("false")[1]', 
b (window+[])[2]', 
c ([]["filter"]+[])[3]', 
d ("undefined")[2]', 
e ("true")[3]', 
f ("false")[0]', 
g ([]+("")["constructor"])[14]', 
h window["atob"]("aN")[0]', 
i ([false]+undefined)[10]', 
j (window+[])[3]', 
k window["atob"]("a0")[0]', 
l ("false")[2]', 
m (Number+[])[11]', 
n ("undefined")[1]', 
o (true+[]["filter"])[10]', 
p window["atob"]("cN")[0]', 
q window["atob"]("cf")[0]', 
r ("true")[1]', 
s ("false")[3]', 
t ("true")[0]', 
u ("undefined")[0]', 
v (0+[]["filter"])[30]', 
w ([]["sort"]["call"]()+[])[13]', 
x window["atob"]("eN")[0]', 
y (NaN+[Infinity])[10]', 
z window["atob"]("et")[0]', 
{ (NaN+[]["filter"])[21]', 
| window["atob"]("03y")[1]', 
} (NaN+[]["filter"])[41]', 
~ window["atob"](234)[1]'

拼接出来字符串 "eval"，如何把 "eval" 变成 eval() 呢？方法是
[]["sort"]["call"]()["eval"]
其中 []["sort"]["call"]() 等于 [].sort.call() ，等价于 window，所以上面 []["sort"]["call"]()["eval"] 就等价于 window.eval。
然后就是体力活了，把码表对应转换成 eval("blah blah") 这种形式就可以执行任意代码了
不同浏览器的码表不一样。Chrome和Firefox的index就不一样。
其实这个码表还可以通过 ·toLocal*()` 函数族扩展到Unicode，比fromCharCode要简短
原文:http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29

仅用[]()+!等符号就足以实现几乎任意Javascript代码

声明：登载此文出于传递更多信息之目的，并不意味着赞同其观点或证实其描述。

Javascript 相关文章推荐

Javascript & DHTML 实例编程（教程）DOM基础和基本API

Jun 02 Javascript

JavaScript 未结束的字符串常量常见解决方法

Jan 24 Javascript

调试Javascript代码(浏览器F12及VS中debugger关键字)

Jan 25 Javascript

jQuery 删除/替换DOM元素的几种方式

May 20 Javascript

jQuery easyui刷新当前tabs的方法

Sep 23 Javascript

利用angular.copy取消变量的双向绑定与解析

Nov 25 Javascript

TypeScript入门-接口

Mar 30 Javascript

Vue中的$set的使用实例代码

Oct 08 Javascript

JavaScript ES6中的简写语法总结与使用技巧

Dec 30 Javascript

如何使用50行javaScript代码实现简单版的call,apply,bind

Aug 14 Javascript

原生JS实现贪吃蛇小游戏

Mar 09 Javascript

vue keep-alive实现多组件嵌套中个别组件存活不销毁的操作

Oct 30 Javascript

Javascript 网页水印(非图片水印)实现代码

Mar 01 #Javascript

使用js获取QueryString的方法小结

Feb 28 #Javascript

JQuery 将元素显示在屏幕的中央的代码

Feb 27 #Javascript

jquery 最简单易用的表单验证插件

Feb 27 #Javascript

JQuery团队打造的javascript单元测试工具QUnit介绍

Feb 26 #Javascript

getElementsByTagName vs selectNodes效率及兼容的selectNodes实现

Feb 26 #Javascript

JavaScript 空位补零实现代码

Feb 26 #Javascript

You might like

日本收入最高的漫画家：海贼王作者版税年收入高达8.45亿元

2020/03/04 日漫

PHP has encountered an Access Violation at 7C94BD02解决方法

2009/08/24 PHP

php 文件缓存函数

2011/10/08 PHP

Avengerls vs Newbee BO3 第一场2.18

2021/03/10 DOTA

javascript编程起步（第五课）

2007/02/27 Javascript

js利用Array.splice实现Array的insert/remove

2009/01/13 Javascript

ajax 缓存问题 requestheader

2010/08/01 Javascript

面向对象的Javascript之一(初识Javascript)

2012/01/20 Javascript

jQuery实现在下拉列表选择时获取json数据的方法

2015/04/16 Javascript

JavaScript实现单击下拉框选择直接跳转页面的方法

2015/07/02 Javascript

详解JavaScript函数

2015/12/01 Javascript

值得分享的JavaScript实现图片轮播组件

2016/11/21 Javascript

前端JS面试中常见的算法问题总结

2016/12/23 Javascript

详解angular用$sce服务来过滤HTML标签

2017/04/11 Javascript

解决vue2.0动态绑定图片src属性值初始化时报错的问题

2018/03/14 Javascript

JS/jQuery实现简单的开关灯效果【案例】

2019/02/19 jQuery

解析JS在获取当前月的最后一天遇到的坑

2019/08/30 Javascript

微信小程序学习之自定义滚动弹窗

2020/12/20 Javascript

[50:27]OG vs LGD 2018国际邀请赛淘汰赛BO3 第一场 8.26

2018/08/30 DOTA

python计算最大优先级队列实例

2013/12/18 Python

python自然语言编码转换模块codecs介绍

2015/04/08 Python

TF-IDF与余弦相似性的应用（一）自动提取关键词

2017/12/21 Python

python实现简易云音乐播放器

2018/01/04 Python

详解python中的Turtle函数库

2018/11/19 Python

Django如何防止定时任务并发浅析

2019/05/14 Python

Python使用itchat模块实现群聊转发，自动回复功能示例

2019/08/26 Python

PyTorch学习:动态图和静态图的例子

2020/01/06 Python

pycharm部署、配置anaconda环境的教程

2020/03/24 Python

解决tensorflow 释放图,删除变量问题

2020/06/23 Python

联想阿根廷官方网站：Lenovo Argentina

2019/10/14 全球购物

Bandier官网：奢侈、时尚前卫的健身服装首选目的地

2020/07/05 全球购物

事业单位辞职信范文

2014/01/19 职场文书

圣贤教育改变命运观后感

2015/06/16 职场文书

共青团优秀团员申请书（范文）

2019/08/15 职场文书

基于python制作简易版学生信息管理系统

2021/04/20 Python

Mysql使用全文索引(FullText index)的实例代码

2022/04/03 MySQL