仅用[]()+!等符号就足以实现几乎任意Javascript代码

请在Firefox下测试

看了下例子:

js代码

alert("hi there")

</script>

就等价于

([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[+[]]+[][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]]((![]+[])[+!+[]]+(+[![]]+[])[+[]])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])

</scirpt>

它实现的原理，有一个码表

复制代码代码如下:

(NaN+[]["filter"])[11]',

! window["atob"]("If")[0]',

" ("").fontcolor()[12]',

# window["atob"]("0iN")[1]',

$ window["atob"]("0iT")[1]',

% window["atob"]("0iW")[1]',

& window["atob"]("0ia")[1]',

' window["atob"]("0if")[1]',

( (false+[]["filter"])[20]',

) (false+[]["filter"])[21]',

* window["atob"]("0ir")[1]',

+ window["atob"]("0it")[1]',

, window["atob"]("0iy")[1]',

- (NaN+window["Date"]())[31]',

. window["atob"]("1i4")[1]',

/ (true+("")["sub"]())[10]',

0-9 ignored*/ ,,,,,,,,,,

: window["Date"]()[21]',

; window["atob"]("O0")[0]',

< ("")["sub"]()[0]',

= ("").fontcolor()[11]',

> ("")["sub"]()[10]',

? window["atob"]("0j9")[1]',

@ window["atob"]("00A")[1]',

A (+[]+[]["constructor"])[10]',

B (+[]+(false)["constructor"])[10]',

C window["atob"]("00N")[1]',

D window["btoa"](00)[1]',

E window["btoa"](01)[2]',

F (0+[]["filter"]["constructor"])[10]',

G window["btoa"]("0f")[1]',

H window["btoa"]("0t")[1]',

I ("Infinity")[0]',

J window["atob"]("00r")[1]',

K window["btoa"]("(")[0]',

L window["btoa"]("/")[0]',

M window["btoa"](0)[0]',

N ("NaN")[0]',

O window["btoa"](8)[0]',

P window["btoa"]("<")[0]',

Q window["btoa"]("a")[1]',

R window["atob"]("01I")[1]',

S window["btoa"]("I")[0]',

T window["btoa"]("N")[0]',

U window["atob"]("01W")[1]',

V window["atob"]("01a")[1]',

W (true+window)[12]',

X window["atob"]("01i")[1]',

Y window["btoa"]("a")[0]',

Z window["btoa"]("f")[0]',

[ (undefined+[]["filter"])[33]',

window["atob"]("01y")[1]',

] (true+[]["filter"])[40]',

^ window["atob"](014)[1]',

_ window["atob"](018)[1]',

` window["atob"]("02A")[1]',

a ("false")[1]',

b (window+[])[2]',

c ([]["filter"]+[])[3]',

d ("undefined")[2]',

e ("true")[3]',

f ("false")[0]',

g ([]+("")["constructor"])[14]',

h window["atob"]("aN")[0]',

i ([false]+undefined)[10]',

j (window+[])[3]',

k window["atob"]("a0")[0]',

l ("false")[2]',

m (Number+[])[11]',

n ("undefined")[1]',

o (true+[]["filter"])[10]',

p window["atob"]("cN")[0]',

q window["atob"]("cf")[0]',

r ("true")[1]',

s ("false")[3]',

t ("true")[0]',

u ("undefined")[0]',

v (0+[]["filter"])[30]',

w ([]["sort"]["call"]()+[])[13]',

x window["atob"]("eN")[0]',

y (NaN+[Infinity])[10]',

z window["atob"]("et")[0]',

{ (NaN+[]["filter"])[21]',

| window["atob"]("03y")[1]',

} (NaN+[]["filter"])[41]',

~ window["atob"](234)[1]'

拼接出来字符串 "eval"，如何把 "eval" 变成 eval() 呢？方法是

[]["sort"]["call"]()["eval"]

其中 []["sort"]["call"]() 等于 [].sort.call() ，等价于 window，所以上面 []["sort"]["call"]()["eval"] 就等价于 window.eval。

然后就是体力活了，把码表对应转换成 eval("blah blah") 这种形式就可以执行任意代码了

不同浏览器的码表不一样。Chrome和Firefox的index就不一样。

其实这个码表还可以通过 ·toLocal*()` 函数族扩展到Unicode，比fromCharCode要简短

原文:http://discogscounter.getfreehosting.co.uk/js-noalnum.php?txt=alert%28%22hi+there%22%29