Uncover six characters in JavaScript

Source: Internet
Author: User

JavaScript is a strange and interesting language, and we can write some crazy but still valid code. It tries to help us transform things into specific types based on how we treat them.

If we add a string to something, JavaScript assumes that we want it represented as text and converts it to a string for us. If we put a plus or minus prefix in front of something, JavaScript assumes that we want its numeric form and, if possible, converts the string to a number for us. If we negate something with !, JavaScript converts it to a Boolean value.

We can use just the six characters [ ] ( ) ! + to write some magical code. If you are not on a phone right now, open the browser's console and paste any of the code samples into it; each one evaluates to true.

Let's start with the basics and remember some of the golden rules:

! followed by something converts it to a Boolean value.

+ followed by something converts it to a numeric value.

[] added to something converts it to a string.

Take a look at the following example:

![] === false

+[] === 0

[]+[] === ""

The other thing you should know is that you can retrieve specific letters from a string using square brackets, like this:

"hello"[0] === "h"

Remember that multi-digit numbers can be built by joining the digits together as strings and then converting the entire expression to a number:

+("1" + "1") === 11

Let's keep combining things to get the letter a:

![] === false

![]+[] === "false"

+!![] === 1

------------------------

(![]+[])[+!![]] === "a"  // same as "false"[1]

Extrapolate

In the same way, from true and false we can get the letters a, e, f, l, r, s, t and u. Can we get letters from somewhere else?

With some special expressions such as [][[]] we can get undefined, and applying the golden rules to it gives us the additional letters d, i and n.

`[][[]] + [] === "undefined"`

So far, using all the letters we've got, we can spell fill, filter and find. Of course there are other words we can spell too, but what matters about these words is that they are all array methods. This means that they are part of the Array object and can be called directly on an array instance, such as: [2,1].sort() .

Another important JavaScript feature to understand at this point is that the properties of an object can be accessed through dot notation . or square brackets [] . The array methods above are properties of the array object itself, so we can call them with square brackets instead of dot notation.

Therefore [2,1]["sort"]() is equivalent to [2,1].sort() .
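The derivation so far can be carried out mechanically. The following is an added example, not code from the original article: the helper names (encodeDigit, encodeChar, encodeWord, evaluate) are hypothetical, and it only covers the letters available at this stage, those found in "false", "true" and "undefined".

```javascript
// Added example: spell a word using only [ ] ( ) ! +, following the rules above.

// Digits: +[] is 0, +!![] is 1, and n >= 2 is the sum of n copies of !![] (true).
function encodeDigit(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  return Array(n).fill("!![]").join("+");
}

// Source strings produced by the golden rules, with the expression for each.
const SOURCES = [
  { text: "false", expr: "(![]+[])" },
  { text: "true", expr: "(!![]+[])" },
  { text: "undefined", expr: "([][[]]+[])" },
];

// Pick a letter out of the first source string that contains it.
function encodeChar(ch) {
  for (const { text, expr } of SOURCES) {
    const i = text.indexOf(ch);
    if (i !== -1) return `${expr}[${encodeDigit(i)}]`;
  }
  throw new RangeError(`no six-character source for "${ch}" at this stage`);
}

// Concatenate the per-letter expressions with +.
function encodeWord(word) {
  return [...word].map(encodeChar).join("+");
}

// Evaluate an expression generated above (our own output, never untrusted input).
function evaluate(expr) {
  return Function(`"use strict"; return (${expr});`)();
}

for (const word of ["fill", "filter", "find"]) {
  const expr = encodeWord(word);
  const onlySix = /^[\[\]()!+]+$/.test(expr);
  console.log(word, expr.length, onlySix, evaluate(expr) === word);
}
```

Wrapping the output of encodeWord("fill") in [][ ... ] gives the same function object as []["fill"].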

Let's see what happens when we access an array method, spelled with the letters we have so far, without calling it:

[]["fill"]

This gives us function fill() { [native code] } . Using our golden rule again, we can turn this function into a string:

[]["fill"]+[] === "function fill() { [native code] }"

So now we have some more characters: c o v ( ) { [ ] } .

Now that we have c and o, we can spell the word constructor. constructor is a property that every JS object has, and it simply returns the object's own constructor function.

For the kinds of objects we have handled so far, we can get the string representation of their constructor functions:

true["constructor"] + [] === "function Boolean() { [native code] }"

0["constructor"] + [] === "function Number() { [native code] }"

""["constructor"] + [] === "function String() { [native code] }"

[]["constructor"] + [] === "function Array() { [native code] }"

({})["constructor"] + [] === "function Object() { [native code] }"

With these expressions, we can add the following characters to our library: B N S A O m b g y j .

Now we can spell "toString", a function that we can access with square brackets and call this way:

(10)["toString"]() === "10"

Using our golden rule, we can already convert anything we want into a string, so what does this give us?

Well, the toString method of the Number type has a secret argument called radix (the base). It converts the value to that base before converting it to a string, like this:

(12)["toString"](10) === "12"  // decimal

(12)["toString"](2) === "1100"  // binary

(12)["toString"](8) === "14"  // octal

(12)["toString"](16) === "c"  // hexadecimal

But why stop at a radix of 16? The maximum value is 36, which covers all the characters 0 - 9 and a - z, so now we can get any alphanumeric character we want:

(10)["toString"](36) === "a"

(35)["toString"](36) === "z"

That's great! But what about other symbols, such as punctuation and capital letters? Let's keep exploring.

Depending on where your JS is executing, it may or may not have access to specific predefined objects or data. If you run it in a browser, then you can access some of the existing HTML wrapper methods.

For example, bold is a string method that wraps the string in <b> tags.

"test"["bold"]() === "<b>test</b>"

This gives us the characters < , > and / .

You may have heard of the escape method, which converts a string into a URI-friendly format that simple browsers can interpret. If we pass it a space character, we get "%20".

Here's a tool that converts each character automatically. Tool address: http://www.jsfuck.com/ Source code address: https://raw.githubusercontent.com/aemkei/jsfuck/master/jsfuck.js

Why is this useful?

It isn't, really. Not long ago eBay did something bad that allowed sellers to execute JS in their pages using only these characters, but it's a fairly rare attack vector. Some people say obfuscation, but in fact there are better ways to obfuscate.
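From the defender's side, the point of the eBay case is that code written this way contains no letters for a keyword blocklist to match. The following is an added example, not from the original article: the function names, the keyword list, the 40-character threshold and the sample listing are all assumptions constructed for illustration.

```javascript
// Added example: flag long runs made only of the six characters [ ] ( ) ! +.

// A run is a sequence of six-set characters, optionally separated by whitespace.
const RUN = /[\[\]()!+](?:\s*[\[\]()!+])*/g;

// Return every run with at least minLength six-set characters.
// The threshold is an assumption: ordinary code such as arr[i]() has short runs.
function findSixCharRuns(text, minLength = 40) {
  const found = [];
  for (const m of text.matchAll(RUN)) {
    const length = m[0].replace(/\s/g, "").length;
    if (length >= minLength) found.push({ index: m.index, length });
  }
  return found;
}

// A naive keyword blocklist of the kind that six-character code slips past.
const KEYWORDS = /\b(?:eval|alert|Function|constructor|document)\b/i;
function naiveKeywordFilter(text) {
  return KEYWORDS.test(text); // true means "blocked"
}

// Constructed sample: []["fill"] written with six characters (a harmless lookup).
const ENCODED_FILL =
  "[][" +
  "(![]+[])[+[]]+" +                         // "f"
  "([][[]]+[])[!![]+!![]+!![]+!![]+!![]]+" + // "i"
  "(![]+[])[!![]+!![]]+" +                   // "l"
  "(![]+[])[!![]+!![]]" +                    // "l"
  "]";

// Constructed inputs: a seller listing carrying the sample, and ordinary code.
const LISTING = `<p>Vintage lamp</p><script>${ENCODED_FILL}</script>`;
const BENIGN = "total += items[i]() + !!(flags[0]);";

console.log("keyword filter blocks listing:", naiveKeywordFilter(LISTING));
console.log("runs in listing:", findSixCharRuns(LISTING));
console.log("runs in benign code:", findSixCharRuns(BENIGN));
```

Treat a hit as a signal to reject or review the input, and tune minLength against your own legitimate content.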

Finally, I hope you enjoyed this expedition.

Resources:

https://en.wikipedia.org/wiki/JSFuck

https://esolangs.org/wiki/JSFuck

http://patriciopalladino.com/blog/2012/08/09/non-alphanumeric-javascript.html

https://raw.githubusercontent.com/aemkei/jsfuck/master/jsfuck.js
