Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
874 views
in Technique[技术] by (71.8m points)

javascript - JSFuck: call sequence of functions with 2 (or more) parameters without nesting

This is continuation of this question with more difficult case. Suppose I want to call string function with 2 parameters e.g.

console.log(
  "truefalse".replace("true",1)
)
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Yes, it is possible.

So we start with the expression that omits the comma, and only consists of string literals and the JSF characters:

["true"]["concat"]("1")["reduce"](""["replace"]["bind"]("truefalse"))

For a moment, I will phrase this expression using the more readable dot notation, and go back to the comma separator for array literals:

["true", "1"].reduce("".replace.bind("truefalse"))

This has the input of the replacement, i.e. "truefalse", sitting at the end. The parameters, on the other hand, are located at the left, i.e. "true" and "1". We could try to make "truefalse" also an argument, so that we could move it to the left.

For that purpose we can use "".replace.apply instead of "".replace as callback to reduce. The first argument of apply is the this-binding for the replace call. The second argument should be the array of arguments to pass to replace, so that is the array we currently have at the left.

And then the apply method itself should also get a this-binding. We get this expression:

console.log(
    ["truefalse", ["true", "1"]].reduce("".replace.apply.bind("".replace))
);

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...