Subscripting a bool variable is not allowed in JavaScript (a walk through Jother encoding)

Source: Internet
Author: User
Tags: object

Jother encoding is the first thing I want to write about, for two reasons: 1. the principle is relatively simple and needs little knowledge of algorithms; 2. interestingly, it is a product of a deep understanding of JavaScript. If you only need to know how Jother encoding and decoding work, you can skip the article body and go straight to the conclusion. If you want to understand the principle, take this question with me and start exploring Jother.

Before we set off we need some preparation, just as a desert expedition needs plenty of water and food. Readers should bring: 1. knowledge of JavaScript anonymous functions; 2. recursive thinking; 3. basic knowledge of JavaScript value types; 4. a few basic JavaScript functions; 5. a curious mind.

So let's go. First, an unofficial definition of Jother: Jother is a way of writing JavaScript (the author calls it an anonymous-function method) that encodes any string using only a small set of characters: "!", "+", "(", ")", "[", "]", "{", "}". Any string can be encoded using only these characters, and two conclusions follow: 1. recursion is indispensable; 2. the encoding expands rather than compresses, and by a large factor: the encoded form is much longer than the original.

Let's first look at an example of an anonymous function:

[function () { alert(1) }()];

Save the above code between script tags in a file with an .html extension and open it in a browser; you will see a dialog box whose content is "1". If you are used to console.log and dislike alert, that works too. Now modify the code slightly:

alert([function () { alert(1) }()]);

Save it and refresh the page: first the box "1" pops up, and after it a blank box.

Our explanation of this: the first time, alert(1) runs inside the anonymous function; the second time, the outer alert runs with the array as its argument. The anonymous function has no return statement, so the call evaluates to undefined, the array is [undefined], and converting that array to a string gives an empty string, which is why the second box is blank (had the function returned a value, that value would be displayed instead). If you noticed the order of the boxes, good, you are careful: this is the call stack at work. The outer alert cannot run until its argument has been evaluated, that is, until the anonymous function has returned. What we need to note here is that the argument of alert can execute code, not just carry a string.

Let's change the source code again:

alert([]);

Save and run. What do you see? Still a blank box. [] is an empty array literal, the simplest "empty shell" there is; converting an empty array to a string gives "", so the box is blank. Now modify the source code once more:

alert(+[]);

What did you find? It popped up 0, didn't it? The unary "+" operator converts its operand to a number: the empty array becomes the empty string "", and Number("") is 0. As the Tao Te Ching says: the Tao begets one, one begets two, two begets three, and three begets all things.

We only have "0"; how do we get "1"? Don't worry, look at the following example:

alert(![]);

After running it a box pops up showing false. What is false? A value of type Boolean. Why does it become false? Because "!" performs a type conversion: every object, including an empty array, is truthy, and "!" negates it. What's the use of that? Don't worry, try two "!":

alert(!![]);

This time the box shows "true". Still a boolean, but already closer to "1". How do we change "true" into "1"? Don't read on yet; think about it for a minute. Most of you already have the answer, so let's check it:

alert(+!![]);

Yes, that's it! Unary plus converts true to 1. Once we have 1, the other digits follow by addition, because a binary "+" between two booleans converts them to numbers (true + true is 2). Verify your idea:

+[]  // 0
+!![]  // 1
!![]+!![]  // 2
!![]+!![]+!![]  // 3
!![]+!![]+!![]+!![]  // 4
!![]+!![]+!![]+!![]+!![]  // 5
!![]+!![]+!![]+!![]+!![]+!![]  // 6
!![]+!![]+!![]+!![]+!![]+!![]+!![]  // 7
!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]  // 8
!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]  // 9

Cool, isn't it? But numbers alone are not enough; we need characters and strings. So how do numbers become strings? There is a little trick here. My first thought was ASCII codes, but turning a code into a character requires a function, and we want to avoid introducing any function. Let's think differently: produce a string that we already know, and then pick characters out of it by index. For example, we can easily produce "true" and "false". If we want "a", output "false" and take index 1 (note that "f" is index 0, so "a" is index 1). Wouldn't that work?

Let's check it out:

alert((![])[+!![]]);

What do you think? Did you see "a"? If you answered "yes", you certainly did not try it. The output is "undefined". Why? ![] is a boolean, and indexing a boolean does not give you its characters: a property lookup on a primitive boolean goes to Boolean.prototype, which has no property named "1", so the result is undefined. So we need a way to convert the boolean into a string, and that way is ![]+[]:

alert(typeof (![]+[]));

Did you see it? It has become a string. This is how JavaScript treats a binary "+" whose operand is an array: the array is converted to a string ("" for an empty array), so a boolean or a number plus [] is that value's string form. You can use alert(typeof xxx) to check that the types mentioned so far are what we claimed.

With this approach we can represent "a", "e", "f", "l", "r", "s", "t", "u". There is also a very easy string to obtain, "undefined" (for example {}[[]]+[] or [][[]]+[], which look up a property that does not exist), which adds "n", "d" and "i" to our dictionary. Still, many characters cannot be represented yet, so let's talk about an extension: the object.

alert({});

In JavaScript, "{}" in expression position is the simplest object literal; if you run the above code it displays "[object Object]". This object cannot be indexed as a string directly either, so we convert it first: ({}+[]).

alert(({}+[])[+[]]);

This takes element 0: "[". (Caveat: "{}" at the start of a statement is parsed as an empty block, and {}+[] there evaluates to 0, so keep the parentheses.) The main reason for this extension is to obtain the important character "o", plus the space at index 7, because we need them for the sort function discussed next.

0x01 Function

First, a prerequisite concept: the native form of the anonymous function in JavaScript.

[]['sort']['constructor']('function body')(2881064151);

[]['sort'] is Array.prototype.sort, and its ['constructor'] is the Function constructor; Function('function body') compiles the body string into a new function, and the trailing call runs it (the argument, 2881064151 here, is simply whatever you want passed to that function). Such a construct can execute arbitrary JavaScript code.

To grab the reader's attention, here is the first takeaway:

Jother encoding lets you execute arbitrary JS without a single letter or digit, which is very useful in XSS attacks; the only disadvantage is that the code is very long. There are ways to shorten it, and a real attack environment usually allows some characters, which we can use as replacements for parts of the encoding. For example, if the filter blocks "alert", you need not Jother-encode everything: call alert through the anonymous-function form and encode only the "r", giving the form "ale" + xxx (Jother) + "t".

Now the formal part: using Jother encoding to invoke the anonymous function. From the first part we already have some strings, and every character in them can be taken by index. Let's see what we have: "true", "false", "undefined", "[object Object]" (note the very useful space in the last one). Compare that with []['sort']['constructor']: what are we missing? Nothing at all. Let's build it; to be direct, here is the result of the construction (the outer form is [][...][...](...)()):

[][(![]+[])[!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+[]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!![]+!![]+!![]]+(!![]+[])[+[]]+({}[[]]+[])[+[]]+(!![]+[])[+!![]]+({}[[]]+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[!![]+!![]]+({}+[])[+!![]]+({}+[])[!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+[]]+({}[[]]+[])[!![]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+({}[[]]+[])[+!![]])()

This example is actually equivalent to:

[]['sort']['constructor']('return location')()

Note that the space after "return" is taken from the "[object Object]" string mentioned earlier (index 7).

With this function we can obtain many more useful characters. Online, for example, location gives us "http://" or "https://", and with it the new characters "h", "p", ":" and "/" (plus whatever else appears in the page URL).

With these characters we can use escape and unescape to combine further letters and symbols: escape(" ") gives "%20", and "%" followed by two hex digits passed to unescape gives any character; the hex digits 0-9 and a-f are all already in our dictionary. (Both functions are deprecated but still present in every browser.)
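The digit construction, the character-by-index lookup and the []['sort']['constructor'] form described above, as one added example. This is not code from the original article or from the Jother.js demo; the names jotherNumber, jotherChar, jotherString, missingChars, jotherExec and JOTHER_ALPHABET are this example's own.

```javascript
// Added example (not code from the original article or from Jother.js): a minimal
// Jother-style encoder built from the primitives the article derives. The names
// jotherNumber, jotherChar, jotherString, missingChars and jotherExec are ours.
// Every expression it emits uses only the eight characters ! + ( ) [ ] { }.

// Base strings and an expression that evaluates to each. Each expression starts
// with "(" so a leading "{}" is never parsed as an empty block.
const ATOMS = [
  ['true',            '(!![]+[])'],
  ['false',           '(![]+[])'],
  ['undefined',       '({}[[]]+[])'],   // {}[[]] looks up property "" -> undefined
  ['[object Object]', '({}+[])'],       // index 7 is the space character
];

// Non-negative integer n as a sum of booleans: 0 -> +[], 1 -> +!![], 2 -> !![]+!![]
function jotherNumber(n) {
  if (!Number.isInteger(n) || n < 0) throw new RangeError('need a non-negative integer');
  if (n === 0) return '+[]';
  if (n === 1) return '+!![]';
  return Array(n).fill('!![]').join('+');
}

// Expression for one character, or null when the base alphabet cannot produce it.
function jotherChar(c) {
  if (typeof c !== 'string' || c.length !== 1) throw new RangeError('one character at a time');
  if (c >= '0' && c <= '9') {
    // number + [] coerces to its decimal string: (!![]+!![]+[]) -> "2"
    return `(${jotherNumber(Number(c))}+[])`;
  }
  for (const [text, expr] of ATOMS) {
    const i = text.indexOf(c);
    if (i !== -1) return `${expr}[${jotherNumber(i)}]`;  // e.g. (![]+[])[+!![]] -> "a"
  }
  return null;
}

// Distinct characters of s that the alphabet cannot represent (the dictionary gap).
function missingChars(s) {
  return [...new Set([...s].filter((c) => jotherChar(c) === null))];
}

// Whole string as a concatenation. The leading []+[] evaluates to "" so that the
// empty string encodes and a lone digit stays a string.
function jotherString(s) {
  const missing = missingChars(s);
  if (missing.length) throw new Error(`cannot encode: ${JSON.stringify(missing)}`);
  return ['[]+[]', ...[...s].map(jotherChar)].join('+');
}

// []['sort']['constructor'](body)()  ==  Function(body)()  spelled without letters.
function jotherExec(body) {
  return `[][${jotherString('sort')}][${jotherString('constructor')}](${jotherString(body)})()`;
}

// The complete output alphabet: exactly what a letters-and-digits blocklist lets through.
const JOTHER_ALPHABET = /^[!+()\[\]{}]*$/;

// Demo: encode a body, check the output stays inside the alphabet, then run it.
const demo = jotherExec('return 42');
console.log(demo.length, 'characters, alphabet ok:', JOTHER_ALPHABET.test(demo));
console.log('evaluates to:', eval(demo));
// "p" is not in the base alphabet, so "return escape" cannot be built yet:
console.log('missing for "return escape":', missingChars('return escape'));
```

Run it with node. In a browser page served over http(s), eval(jotherExec('return location')) returns the page URL; adding that string to ATOMS supplies "h", "p", ":" and "/", after which jotherExec('return unescape') becomes encodable and "%" plus two hex digits reaches every character below 0x100. On the defensive side, JOTHER_ALPHABET shows why blocking letters and digits is not a control: contextual output encoding, not character filtering, is what stops the injection.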

Everything after that is left for you to explore.

Of course there are other techniques for constructing letters. For example, "Infinity" is obtained by pushing a number past the largest representable value (the idea is to build something like 1e1000, which evaluates to Infinity, and then convert it to the string "Infinity"). We do not list them here; the specific ideas can be found in the attached Jother.js, a Jother encoding demo written by the inventor of Jother.

