codeimpossible/gist:1537211

Created December 30, 2011 01:47

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/codeimpossible/1537211.js"></script>
Save codeimpossible/1537211 to your computer and use it in GitHub Desktop.

Download ZIP

get reference to window with obfuscated javascript

Raw

gistfile1.js

$=((([])[(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]]));$()["eval"]("alert(1)")

Author

codeimpossible commented Dec 30, 2011

this takes advantage of a bug in javascripts implementation of Array.prototype.sort. When you assign the sort function to a global variable and call it with no arguments it will return this, which when called normally on an array would return the current array, but when it's called on the globally scoped variable it returns the window object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment