
A JavaScript Conversion Tool, a Must-Have for XSS

feng

Argentine programmer Patricio Palladino recently released a tool that converts JavaScript code into the characters ()[]{}!+. XSS folks, you know what that means: spring has arrived.

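Patricio Palladino says he built the tool after a friend asked him a question on IRC, mentioning a post on sla.ckers.org about "how to build something that works like alert(1) using only non-alphanumeric characters". Code written that way can bypass some IDS, IPS and WAF products, so he developed this conversion tool.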

Here is how the tool uses each of the characters:

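[ and ]: access array elements and object properties, obtain numbers, and convert other elements to strings
( and ): call functions and avoid parsing errors
+: append strings
!: convert elements to Boolean
{}: obtain NaN and "[object Object]"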

Below is a sample of the output the tool produces:

[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+[]]+([][+[]]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()([][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({
}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()(({}+[])[+[]])[+[]]+HEXA_VALUE)

The advantage of this code (for an attacker) is that it contains no letters or digits, so it can slip past the checks of some filters. For example, if an AJAX request is assumed to return JSON containing only numbers, the developer may well just check that the response contains no letters and then eval it directly, leaving a back door for attackers. The code above does something very simple, but the same principle can be used for more complex things, for example alert(document.cookie). More importantly, this code reminds us once again that attackers' imagination is unlimited.
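The "no letters, so eval it" check described above, next to a parser that never evaluates the response, as an added example (not code from the original article or from the tool). The sample inputs, the function names and the array-of-numbers schema are assumptions made for illustration.

```javascript
// Constructed sample responses (not from the original page).
const SAMPLES = {
  numeric: '[1, 2.5, -300]',
  // Harmless symbol-only expression: ![] is false, false+[] is "false", index 0 is "f".
  symbolOnly: '(![]+[])[+[]]',
  nested: '{"a": [1, 2], "b": 3}',
};

// Weak pattern from the article: "no letters, so it must be numbers", then eval.
function naiveParse(text) {
  if (/[a-z]/i.test(text)) throw new Error('letters found');
  return eval(text); // executes whatever expression arrived
}

// Hardened: never evaluate. Parse as JSON, then enforce the expected shape
// (assumed here: a possibly nested array of finite numbers).
function strictParseNumbers(text) {
  const value = JSON.parse(text); // SyntaxError on anything that is not JSON
  const isNumbers = (v) =>
    Array.isArray(v) ? v.every(isNumbers)
                     : typeof v === 'number' && Number.isFinite(v);
  if (!Array.isArray(value) || !isNumbers(value)) {
    throw new TypeError('expected an array of numbers');
  }
  return value;
}

// Detection aid for logs or WAF rules: input made up only of ()[]{}!+ characters.
function looksSymbolEncoded(text, minLength = 8) {
  const stripped = text.replace(/\s+/g, '');
  return stripped.length >= minLength && /^[\[\](){}!+]+$/.test(stripped);
}

// Wrapper that reports the outcome instead of throwing.
function tryStrict(text) {
  try {
    return { ok: true, value: strictParseNumbers(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

console.log('naive  :', JSON.stringify(naiveParse(SAMPLES.symbolOnly)));
console.log('strict :', tryStrict(SAMPLES.symbolOnly), tryStrict(SAMPLES.numeric));
console.log('flagged:', looksSymbolEncoded(SAMPLES.symbolOnly));
```

The symbol-only input passes the letter check and is executed by the naive path, while `JSON.parse` rejects it before any schema check runs.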

No download is needed; it is an online tool: http://patriciopalladino.com/files/hieroglyphy/
