The Mafia level of PwnFunction XSS is a bit harder than the previous one, but it’s based on the same concept: finding different formats or ways to run JavaScript code.
Let’s start by analyzing the code first.
As in the previous levels, we pass a value through a GET parameter called ‘mafia’.
Then only the first 50 characters are kept, so there’s a limit on how many characters we can pass.
After that, the code checks for characters that were used in the previous level and that are used by something like JSFuck, and replaces them with ‘_’.
Then it checks whether the word “alert” was passed and replaces it with “_”.
In the end, whatever we passed is run by the eval function.
So let’s start researching: we can’t use the brackets, ‘+’ or any characters used by JSFuck, and we can’t call the function alert.
After some research on how to call a function in different ways (you can check the following site), we can call a function by Unicode-escaping a couple of letters of the function name; there are different methods like ES6, ES6 with zero padding, etc.
For example, alert(1337) would look like this using ES6 encoding:
\u{61}lert(1337)
But sadly this method won’t work, since the code filters the ‘\’ character, so that way is out.
With a bit more research, there’s another way: passing numbers, then converting those numbers to letters that can be executed inside an eval().
There are two ways to convert numbers to a string: one is String.fromCharCode() and the other is toString().
If we try the first one and put it inside eval():
eval(String.fromCharCode(97,108,101,114,116))(1337)
you will see that the number of characters is 51, so it will be cut by the slice function (yep, it’s one character too many).
The other function, toString(), takes a float number and uses a mathematical operation to get its representation in the base passed to it (for example, base 2 is binary, 16 is hexadecimal).
toString accepts a base from 2 to 36, so let’s take the maximum and open a calculator for it; you can access it from here.
Now you can type alert and it should give you the number “17795081”. To run our payload, we do what we did in the previous code, but replace the String.fromCharCode() call with toString():
eval(17795081.0.toString(36))(1337)
We put .0 to write the number as a float, so the dot before toString is parsed as a method call rather than as a decimal point, and 36 is the base we did the calculation in; with that, the code finally works perfectly.
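The filter steps and the three strings discussed above, as an added example that is not part of the original post: it rebuilds the described filter in JavaScript and reports what each string looks like by the time it would reach eval(). The exact blocked-character class is an assumption (the post only names brackets, ‘+’ and ‘\’), and isPlainArithmetic is a hypothetical allowlist check, shown for comparison, that assumes the input is only ever meant to be plain arithmetic.

```javascript
// Filter steps as described in the write-up. The exact character class is an
// assumption: the post only says brackets, '+', '\' and JSFuck-style
// characters are replaced.
const BLOCKED = /[`'"+\-!\\[\]]/g;

function challengeFilter(input) {
  return input
    .slice(0, 50)            // keep the first 50 characters only
    .replace(BLOCKED, '_')   // blocklisted characters become '_'
    .replace(/alert/g, '_'); // the literal word "alert" becomes '_'
}

// True when the filter would hand the string to eval() unchanged.
function passesUnchanged(input) {
  return challengeFilter(input) === input;
}

// The calculator step from the write-up: read a word as a base-36 number.
function toBase36Number(word) {
  return parseInt(word, 36);
}

// Hypothetical allowlist alternative (assumed use case: plain arithmetic).
// No letters are accepted, so no identifier or method name can pass.
function isPlainArithmetic(input) {
  return input.length <= 50 && /^[0-9\s+\-*/().]+$/.test(input);
}

// The three strings discussed in the write-up.
const candidates = {
  unicodeEscape: '\\u{61}lert(1337)',
  fromCharCode: 'eval(String.fromCharCode(97,108,101,114,116))(1337)',
  base36: 'eval(17795081.0.toString(36))(1337)',
};

function report() {
  const rows = {};
  for (const [name, text] of Object.entries(candidates)) {
    rows[name] = {
      length: text.length,
      afterFilter: challengeFilter(text),
      passesBlocklist: passesUnchanged(text),
      passesAllowlist: isPlainArithmetic(text),
    };
  }
  return rows;
}

console.table(report());
```

The blocklist only changes the first two strings, while the allowlist rejects all three because each contains letters.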
And that’s it for the Mafia PwnFunction level; hope you got something new out of this post.