Build XSS vectors without letters

Source: Internet
Author: User

Requirements

Some time ago, while I was playing an XSS game, I suddenly had some ideas. In the spirit of sharing, I wrote this article. Here, I will share an XSS attack vector that I have never touched before.

The requirements: no letters may be used in the attack vector, and alert(1) must be called.

Without further ado, here it is:

""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()

What have we done here? Let me walk you through it.

Analysis

First, we start with an empty string and access its properties with bracket notation instead of the dot notation we are familiar with.

Note that in a moment we will build the property name as a string, and dot notation cannot take a property name that is constructed as a string. That is why we switch to brackets.

Which property are we accessing? The following expression builds its name as a string:

(!1+"")[3]+(!0+"")[2]+(''+{})[2]

First, !1 is false. Adding "" to a non-string value is a quick and direct way to convert it to a string, so (!1+"") gives us "false".

Taking the character at index 3 of "false" gives the letter s. Do the same with (!0+"")[2], that is "true"[2], and you get the letter u. Finally, (''+{}) is the string "[object Object]", and the character at index 2 is the letter b.

Without using any letters, we have built the string needed to access the "sub" property of the empty string. However, sub is not only a property, it is also a function!

At this point you may think that I am going to defeat the filter by calling the String.sub function. That might also work, but I chose a more in-depth approach. What built-in properties does a function have? How is a function constructed?

If you open a JavaScript console and type ""["sub"]["constructor"], what do you see? Why, you get Function! It seems that we have something to work with...

Here is a hint for you: n

((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]

It contains the familiar ""["sub"]:

((""["sub"])+"")[2]

Adding "" to it yields the string function sub() { [native code] }. The character at index 2 is the letter n.

Summary

Now we have ""["sub"]["constructor"], which is equivalent to Function, and we call it to define a function. Since we want to call alert(1), we concatenate more characters from "true" and "false" to construct the string alert, followed by +"(1)".

Now we have called Function("alert(1)"), which returns an anonymous function. Only one more call is needed: invoking that anonymous function produces the pop-up.

// empty string
""
// ["sub"]
[(!1+"")[3]+(!0+"")[2]+(''+{})[2]]
// ["constructor"]
[(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]]
// ("alert(1)")
(((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")
// call anonymous function returned by Function()
()

The Function("alert(1)")() at the beginning of this article is heavily obfuscated, and without any recognizable strings it is really difficult to identify. To test it, type "javascript:" in the address bar, paste the code above, and press Enter.
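
For triage, the walk-through above can be reproduced statically, without evaluating the payload. The following is an added example, not code from the original article: the helper names decodeLetterFree and isLetterFreeFunctionSink are hypothetical, and the exact text of a native function's source is an assumption (only its first characters matter here).

```javascript
// Added example: rewrite the article's coercion idioms into the characters
// they yield, using string rewriting only. The payload is never executed.
const PAYLOAD = `""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()`;

const COERCED = [ // idiom -> the string it coerces to
  [/\(!1\+(?:""|'')\)\[(\d+)\]/g, "false"],
  [/\(!0\+(?:""|'')\)\[(\d+)\]/g, "true"],
  [/\((?:""|'')\+\{\}\)\[(\d+)\]/g, "[object Object]"],
];

// Replace an indexed idiom with the quoted character, or keep it if out of range.
const pick = (text) => (m, i) =>
  Number(i) < text.length ? `"${text[Number(i)]}"` : m;

function decodeLetterFree(src) {
  let s = src, prev;
  do {
    prev = s;
    for (const [re, text] of COERCED) s = s.replace(re, pick(text));
    // Fold runs of adjacent literals: "s"+"u"+"b" -> "sub".
    s = s.replace(/"[^"]*"(?:\+"[^"]*")*/g,
      (run) => `"${run.slice(1, -1).split('"+"').join("")}"`);
    // ((""["name"])+"")[n] indexes the source text of a native function.
    // Assumed format: function name() { [native code] }
    s = s.replace(/\(\(""\["(\w+)"\]\)\+""\)\[(\d+)\]/g,
      (m, name, i) => pick(`function ${name}() { [native code] }`)(m, i));
    // Drop grouping parentheses around a lone literal (not call parentheses).
    s = s.replace(/(?<![\])\w])\(("[^"]*")\)/g, "$1");
  } while (s !== prev);
  return s;
}

// Flag letter-free input that decodes to a call through ["constructor"].
function isLetterFreeFunctionSink(src) {
  return !/[a-z]/i.test(src) &&
    /\["constructor"\]\(/.test(decodeLetterFree(src));
}

console.log(decodeLetterFree(PAYLOAD)); // ""["sub"]["constructor"]("alert(1)")()
```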
