阿峰博客 阿峰'S blog

阿根廷的程序员Patricio Palladino 近期发布了一款工具，可以将JavaScript 代码转为 ()[]{}!+ 字符，各位跨站师，你懂得，春天来了。

Patricio Palladino提到开发该工具的原因是一位朋友在在IRC上问他一个问题，提到了sla.ckers.org上面有文章提到 “如何建立一些像alert(1)一样功能的但是非字母数字的字符”。这样就可以绕过一些IDS、IPS和WAF。所以他就开发了这款转换工具。

以下为该款工具的一些特性：

[和] 用来访问数组元素，对象的属性，得到数字和其他元素转换为字符串(和) 调用函数和避免解析错误+ 追加字符串! 元素转换为布尔类型{} 取得NaN和"[object Object]"

以下为该款工具转换出来的一段例子：

[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+[]]+([][+[]]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()([][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()(({}+[])[+[]])[+[]]+HEXA_VALUE) 这段代码的好处（对于黑客）是，它不包含任何字符或数字，可以逃过某些过滤器的检查。比如说，如果假定一个AJAX请求将返回一个只包含数字的 JSON，于是很可能会简单判断了一下其中不含字母就直接eval了，结果给黑客们留下了后门。上面的代码功能很简单，但使用同样的原理，完全可以干出更 复杂的事，例alert(document.cookie)。更重要的是，这段代码再一次提醒我们，黑客的想象力是无限的。

无需下载，属于在线工具：http://patriciopalladino.com/files/hieroglyphy/