While reading a book called 《CTF训练营》 (CTF Training Camp), I came across something called JSFuck.
I had no idea what it was, so I searched Baidu, and what I found was mind-blowing.
Have a look at this piece of JS code:
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
Paste it into the browser console and, surprisingly, it pops up a 1.
Amazing, isn't it?
Using only the six characters [ ] ( ) + ! it achieves the effect of alert(1).
Let's break it down and see what is actually going on.
![] // false
A bare [ ] is just an empty array, but putting ! in front of it forces a type conversion: an array is truthy, so ![] is false.
That alone is not enough, though.
![]+[] // 'false'
A moment ago we only had the boolean false; after this conversion we have a string.
[ ]+[ ] gives an empty string, because the + operator converts both arrays to strings. ![ ] gives false, so false+[ ] becomes the string 'false'. Once we have a string, we can do a lot with it.
For example, pick out a character:
(![]+[])[+[]] // 'f'
Equivalent plain JS:
'false'[0] // 'f'
We know ![ ]+[ ] becomes 'false'.
The unary + in +[] coerces the empty array to a number: [] first becomes the empty string '', and +'' is the number 0 (not false).
Indexing 'false' at 0 therefore gives the character f.
Beyond that, the strings 'true', 'undefined' and 'NaN' supply more characters, and concatenating a string with []["filter"] stringifies the native function ("function filter() { [native code] }"), which is where c, o, the space and the parentheses come from.
With these we have enough characters to build what we need.
So how is alert(1) actually done? Running this also pops up a 1:
Function("alert(1)")()
We take the filter method from an empty array, and its constructor property gives us Function:
[]["filter"]["constructor"] // Function
Every character in "filter", "constructor" and "alert(1)" can be found in the strings above; piece them together one by one, pass the resulting string to Function and call the result, and the code runs.
Amazing, isn't it?
Table of common values:
false => ![]
true => !![]
undefined => [][[]]
NaN => +[![]]
0 => +[]
1 => +!+[]
2 => !+[]+!+[]
10 => [+!+[]]+[+[]]
Array => []
Number => +[]
String => []+[]
Boolean => ![]
Function => []["filter"]
eval => []["filter"]["constructor"](CODE)()
window => []["filter"]["constructor"]("return this")()   (the global object; works because Function-constructed code is non-strict)
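As an added example, not code from the original post or from the jsfuck project, here is a small encoder in Node.js that automates the procedure explained above and summarised in the table: it builds a character map from the coerced strings ('false', 'true', 'undefined', 'NaN', digit strings), bootstraps the word "filter" so it can read the native function's source text for the remaining characters, and emits []["filter"]["constructor"](code)() using nothing but [ ] ( ) + !. The function names (num, idx, buildCharMap, encodeWith, encodeFunctionCtor, encodeCall, isJSFuck) are my own. The practical point for anyone writing input filters: a rule that only rejects letters and digits does not stop JavaScript from executing, because these six characters are enough to reach Function.

```javascript
// Added example (not from the original post or the jsfuck project): a minimal
// JSFuck-style encoder built from the same coercions the post walks through.
// All names here are my own.

// Numeric literal n using only + ! [ ]:
//   0 -> +[]      1 -> +!+[]      n>=2 -> !+[]+!+[]+... (true+true+... = n)
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!+[]";
  return Array.from({ length: n }, () => "!+[]").join("+");
}

// Property accessor [n]. Above 9 the index is built as a string of digit
// arrays, e.g. 10 -> [[+!+[]]+[+[]]] because [1]+[0] is the string "10".
function idx(n) {
  if (n < 10) return "[" + num(n) + "]";
  const digits = String(n).split("").map((d) => "[" + num(Number(d)) + "]");
  return "[" + digits.join("+") + "]";
}

// Concatenate the per-character expressions for str; throws on a character
// the alphabet cannot produce.
function encodeWith(map, str) {
  return Array.from(str, (c) => {
    if (!(c in map)) throw new Error("no encoding for " + JSON.stringify(c));
    return map[c];
  }).join("+");
}

// Build the character map: every character of each source string is reached
// by indexing the coerced string, as in (![]+[])[+[]] -> 'f'.
function buildCharMap() {
  const map = {};
  const add = (str, expr) => {
    for (let i = 0; i < str.length; i++) {
      if (!(str[i] in map)) map[str[i]] = expr + idx(i);
    }
  };
  add("false", "(![]+[])");          // ![]+[]
  add("true", "(!![]+[])");          // !![]+[]
  add("undefined", "([][[]]+[])");   // [][[]]+[]
  add("NaN", "(+[![]]+[])");         // +[![]]+[]
  for (let d = 0; d <= 9; d++) add(String(d), "(" + num(d) + "+[])"); // (+!+[]+[]) is "1"

  // Bootstrap: "filter" is now spellable, and false+[]["filter"] stringifies
  // the native function. Its text ("function filter() { [native code] }" in
  // V8 and SpiderMonkey) is engine-dependent, so read it at runtime instead
  // of hard-coding indexes such as the post's index 20 for '('.
  const filter = encodeWith(map, "filter");
  const nativeText = String([]["filter"]);
  add("false" + nativeText, "(![]+[][" + filter + "])");
  return map;
}

// []["filter"]["constructor"], i.e. Function, in the six-character alphabet.
function encodeFunctionCtor(map) {
  return "[][" + encodeWith(map, "filter") + "][" + encodeWith(map, "constructor") + "]";
}

// Function(code)() in the six-character alphabet.
function encodeCall(map, code) {
  return encodeFunctionCtor(map) + "(" + encodeWith(map, code) + ")()";
}

// True when expr uses nothing but the six JSFuck characters.
function isJSFuck(expr) {
  return Array.from(expr).every((c) => "[]()+!".includes(c));
}

const DEMO_MAP = buildCharMap();
const DEMO_PAYLOAD = encodeCall(DEMO_MAP, "alert(1)");
console.log("alert(1) ->", DEMO_PAYLOAD.length, "chars, pure JSFuck:", isJSFuck(DEMO_PAYLOAD));
// Round trip a harmless payload (there is no alert in Node).
console.log("return 42 ->", Function("return " + encodeCall(DEMO_MAP, "return 42"))());
```

Running it prints the length of the generated alert(1) expression, confirms it contains only the six characters, and evaluates an encoded "return 42" back to 42. Because the character positions inside the stringified native function come from Function.prototype.toString, an encoder should compute them at runtime as above; the hard-coded index 20 in the post's payload happens to match V8 and SpiderMonkey, which is why it works in Chrome, Firefox and Node.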