A magical JS obfuscation: JSFuck!
2024-09-26 22:54:50
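JSFuck is written with just six characters, [, ], (, ), ! and +, yet it is valid, runnable JS code. A JSFuck program runs in any web browser or engine that interprets JavaScript!
Look at a piece of code. The source is: document.write('FuckJS');
It looks very impressive, but it has one fatal flaw: it is far too long... see the line count in the image below ↓
The single statement document.write('FuckJS'); written in JSFuck reaches a staggering 1000+ lines and 36474 characters.
But what if you think about it from a penetration tester's point of view? With this kind of obfuscation, wouldn't most filters fail to catch it? So JSFuck can also be used to bypass detection of malicious code submitted to a website, for example in cross-site scripting (XSS) attacks.
Some simple JS statements are still fairly short, for example alert(1):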
<script type="text/javascript">
[][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!+[]]]
[([][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]] + [])[!+[] + !+[] + !+[]] + (!![] + [][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]])[+!+[] + [+[]]] + ([][
[]
] + [])[+!+[]] + (![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[+!+[]] + ([][
[]
] + [])[+[]] + ([][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+[]] + (!![] + [][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]])[+!+[] + [+[]]] + (!![] + [])[+!+[]]]((![] + [])[+!+[]] + (![] + [])[!+[] + !+[]] + (!![] + [])[!+[] + !+[] +
!+[]] + (!![] + [])[+!+[]] + (!![] + [])[+[]] + (![] + [][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]])[!+[] + !+[] + [+[]]] + [+!+[]] + (!![] + [][(![] + [])[+[]] + ([![]] + [][
[]
])[+!+[] + [+[]]] + (![] + [])[!+[] + !+[]] + (!![] + [])[+[]] + (!![] + [])[!+[] + !+[] + !+[]] + (!![] + [])[+!
+[]]])[!+[] + !+[] + [+[]]])()
</script>
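So it does have two major advantages:
1. It avoids filtering during script injection.
2. It protects key code to a degree by obfuscating it (the generated code is very long, so it does not suit large amounts of code; it only hides code to a degree and cannot be relied on).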
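Seen from the defender's side, point 1 cuts both ways: a keyword blocklist finds nothing to match, but a long run made only of the six characters is itself a strong signal. The sketch below is an added example, not code from the original post; the keyword list, the 40-character threshold and all sample strings are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): defensive heuristic for JSFuck-style input.
// minChars = 40 is an assumed threshold; tune it against your own traffic.
const JSFUCK_RUN = /[\[\]()!+][\[\]()!+\s]*/g;

// Naive keyword blocklist of the kind JSFuck slips past (hypothetical word list).
function keywordFilterHits(input, words = ['alert', 'document', 'script', 'eval']) {
  const lower = input.toLowerCase();
  return words.filter((w) => lower.includes(w));
}

// Return every run made only of the six JSFuck characters (whitespace ignored)
// whose non-whitespace length is at least minChars.
function findJsfuckRuns(input, minChars = 40) {
  const hits = [];
  for (const m of input.matchAll(JSFUCK_RUN)) {
    const dense = m[0].replace(/\s/g, '');
    if (dense.length >= minChars) hits.push({ index: m.index, length: dense.length });
  }
  return hits;
}

// Constructed sample: three JSFuck atoms that spell "fal" (taken from "false"); harmless.
const SAMPLE = '(![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]';
// The same expression evaluated directly, to show that it is ordinary JavaScript.
const SAMPLE_VALUE = (![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]];

// Constructed inputs: one form field carrying the sample, one ordinary line of JS.
const SUSPICIOUS = 'comment=' + SAMPLE;
const ORDINARY = 'items[i] = (a[0] + b[1]) * !flag;';

function demo() {
  return {
    decoded: SAMPLE_VALUE,                       // what the atoms evaluate to
    keywordHits: keywordFilterHits(SUSPICIOUS),  // blocklist result
    runs: findJsfuckRuns(SUSPICIOUS),            // charset-run result
    ordinaryRuns: findJsfuckRuns(ORDINARY),      // normal code stays below the threshold
  };
}

console.log(demo());
```

Run the check on the decoded and normalized value of each input field, and treat a hit as a reason to reject or review, since legitimate user input rarely contains dozens of consecutive bracket and operator characters.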
If you are interested, take a look at Wikipedia: https://en.wikipedia.org/wiki/JSFuck
Or JSFuck on GitHub: https://github.com/aemkei/jsfuck
And the official JSFuck site: http://www.jsfuck.com/
For deobfuscation, this article is a useful reference: https://www.jianshu.com/p/1dc99e3d927c