Fuzz中的javascript大小写特性

    某比赛实在有点坑人,题目涉嫌抄袭不说,还不停改来改去。算了不吐槽了,说一则javascript小特性吧。

    toUpperCase()是javascript中将小写转换成大写的函数。toLowerCase()是javascript中将大写转换成小写的函数。但是这俩函数真的只有这两个功能么?

    不如我们来fuzz一下,看看toUpperCase功能如何?

if (!String.fromCodePoint) {
	(function() {
		var defineProperty = (function() {
			// IE 8 only supports `Object.defineProperty` on DOM elements
			try {
				var object = {};
				var $defineProperty = Object.defineProperty;
				var result = $defineProperty(object, object, object) && $defineProperty;
			} catch(error) {}
			return result;
		}());
		var stringFromCharCode = String.fromCharCode;
		var floor = Math.floor;
		var fromCodePoint = function() {
			var MAX_SIZE = 0x4000;
			var codeUnits = [];
			var highSurrogate;
			var lowSurrogate;
			var index = -1;
			var length = arguments.length;
			if (!length) {
				return '';
			}
			var result = '';
			while (++index < length) {
				var codePoint = Number(arguments[index]);
				if (
					!isFinite(codePoint) || // `NaN`, `+Infinity`, or `-Infinity`
					codePoint < 0 || // not a valid Unicode code point
					codePoint > 0x10FFFF || // not a valid Unicode code point
					floor(codePoint) != codePoint // not an integer
				) {
					throw RangeError('Invalid code point: ' + codePoint);
				}
				if (codePoint <= 0xFFFF) { // BMP code point
					codeUnits.push(codePoint);
				} else { // Astral code point; split in surrogate halves
					// http://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae
					codePoint -= 0x10000;
					highSurrogate = (codePoint >> 10) + 0xD800;
					lowSurrogate = (codePoint % 0x400) + 0xDC00;
					codeUnits.push(highSurrogate, lowSurrogate);
				}
				if (index + 1 == length || codeUnits.length > MAX_SIZE) {
					result += stringFromCharCode.apply(null, codeUnits);
					codeUnits.length = 0;
				}
			}
			return result;
		};
		if (defineProperty) {
			defineProperty(String, 'fromCodePoint', {
				'value': fromCodePoint,
				'configurable': true,
				'writable': true
			});
		} else {
			String.fromCodePoint = fromCodePoint;
		}
	}());
}
for (var j = 'A'.charCodeAt(); j <= 'Z'.charCodeAt(); j++){
	var s = String.fromCodePoint(j);
	for (var i = 0; i < 0x10FFFF; i++) {
		var e = String.fromCodePoint(i);
		if (s == e.toUpperCase() && s != e) {
			document.write("char: "+e+"<br/>");
	};
};
}

    结果我们可以看到:

    001.jpg

    其中混入了两个奇特的字符”ı“、”ſ“。

    这两个字符的“大写”是I和S。也就是说ı“.toUpperCase() == ‘I’,”ſ“.toUpperCase() == ‘S’。通过这个小特性可以绕过一些限制。

    同样,toLowerCase也有同样的字符:

    002.jpg

    这个”“的“小写”字符是k,也就是”“.toLowerCase() == ‘k’.

    用这个特性可以完成 http://prompt.ml/9 。还有某比赛的神题,当然有更简单的方法。

相关推荐: 那些年我拿下的demo站之方维O2O

早前一个被我捂烂的漏洞,其实不是要捂的,当注入交到乌云,审核比较忙测试的时候没复现,就给打回来了。我一直想写个详细的再交,结果没时间就没写,这两天上去一看鸡毛都没了,全补完了,shell也掉光了,后台也进不去…… 想想算了不挖了。还好我有记笔记的习惯,拿出来分…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论