某比赛实在有点坑人,题目涉嫌抄袭不说,还不停改来改去。算了不吐槽了,说一则javascript小特性吧。
toUpperCase()是javascript中将小写转换成大写的函数。toLowerCase()是javascript中将大写转换成小写的函数。但是这俩函数真的只有这两个功能么?
不如我们来fuzz一下,看看toUpperCase功能如何?
if (!String.fromCodePoint) { (function() { var defineProperty = (function() { // IE 8 only supports `Object.defineProperty` on DOM elements try { var object = {}; var $defineProperty = Object.defineProperty; var result = $defineProperty(object, object, object) && $defineProperty; } catch(error) {} return result; }()); var stringFromCharCode = String.fromCharCode; var floor = Math.floor; var fromCodePoint = function() { var MAX_SIZE = 0x4000; var codeUnits = []; var highSurrogate; var lowSurrogate; var index = -1; var length = arguments.length; if (!length) { return ''; } var result = ''; while (++index < length) { var codePoint = Number(arguments[index]); if ( !isFinite(codePoint) || // `NaN`, `+Infinity`, or `-Infinity` codePoint < 0 || // not a valid Unicode code point codePoint > 0x10FFFF || // not a valid Unicode code point floor(codePoint) != codePoint // not an integer ) { throw RangeError('Invalid code point: ' + codePoint); } if (codePoint <= 0xFFFF) { // BMP code point codeUnits.push(codePoint); } else { // Astral code point; split in surrogate halves // http://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae codePoint -= 0x10000; highSurrogate = (codePoint >> 10) + 0xD800; lowSurrogate = (codePoint % 0x400) + 0xDC00; codeUnits.push(highSurrogate, lowSurrogate); } if (index + 1 == length || codeUnits.length > MAX_SIZE) { result += stringFromCharCode.apply(null, codeUnits); codeUnits.length = 0; } } return result; }; if (defineProperty) { defineProperty(String, 'fromCodePoint', { 'value': fromCodePoint, 'configurable': true, 'writable': true }); } else { String.fromCodePoint = fromCodePoint; } }()); } for (var j = 'A'.charCodeAt(); j <= 'Z'.charCodeAt(); j++){ var s = String.fromCodePoint(j); for (var i = 0; i < 0x10FFFF; i++) { var e = String.fromCodePoint(i); if (s == e.toUpperCase() && s != e) { document.write("char: "+e+"<br/>"); }; }; }
结果我们可以看到:
其中混入了两个奇特的字符”ı“、”ſ“。
这两个字符的“大写”是I和S。也就是说“ı“.toUpperCase() == ‘I’,”ſ“.toUpperCase() == ‘S’。通过这个小特性可以绕过一些限制。
同样,toLowerCase也有同样的字符:
这个”K“的“小写”字符是k,也就是”K“.toLowerCase() == ‘k’.
用这个特性可以完成 http://prompt.ml/9 。还有某比赛的神题,当然有更简单的方法。
早前一个被我捂烂的漏洞,其实不是要捂的,当注入交到乌云,审核比较忙测试的时候没复现,就给打回来了。我一直想写个详细的再交,结果没时间就没写,这两天上去一看鸡毛都没了,全补完了,shell也掉光了,后台也进不去…… 想想算了不挖了。还好我有记笔记的习惯,拿出来分…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册