Writeups from challenges and CTFs I take part in.
Let’s take a look at this challenge’s source code:
<script src="hook.js"></script>
<?php
// by escaping the payload you won't break this system, haha! :-)
$escaped = preg_replace("/['\"`&#]/", "", $_GET['payload']);
?>
<h1>Hello, <?= $escaped ?>!</h1>
<h1>inject</h1>
<form>
<input type="text" name="payload" placeholder="your payload here">
<input type="submit" value="GO">
</form>
<h1>src</h1>
<?php highlight_string(file_get_contents(basename(__FILE__))); ?>
This time, the preg_replace function we saw in previous challenges is used to strip the ', ", `, & and # characters (each one is replaced with "").
This forces us into using no quotes, but that's not a problem for us: the payload from the frost challenge will work perfectly for this one, as it does not contain any quotes.
<script>alert(document.domain)</script>
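The snippet below is an added example, not part of the original writeup or the challenge code. It reproduces the challenge's character blacklist next to the fix a defender would apply instead (htmlspecialchars with ENT_QUOTES, encoding for the HTML text context the value is printed into), and runs both over the writeup's quote-free payload plus a constructed benign input. The function names and the sample inputs are my own.

```php
<?php
// Added example (not from the original writeup): the challenge's character
// blacklist beside context-aware output encoding. Function names and the
// sample inputs are constructed for illustration.

// The challenge's filter, reproduced as-is: strip ' " ` & and # only.
function blacklist_filter(string $payload): string
{
    return preg_replace("/['\"`&#]/", "", $payload);
}

// The defensive alternative: encode for the HTML text context the value is
// written into. ENT_QUOTES also converts ' so the result is safe inside
// attribute values; the explicit charset keeps the encoder from mishandling
// bytes, and ENT_SUBSTITUTE replaces invalid sequences instead of returning "".
function encode_for_html(string $payload): string
{
    return htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A leftover '<' followed by a letter means a tag survived into the output.
function markup_survives(string $rendered): bool
{
    return (bool) preg_match('/<[a-z]/i', $rendered);
}

// Constructed sample inputs: the writeup's payload (contains none of the
// blacklisted characters) and a harmless greeting that does contain them.
$samples = [
    "quote-free payload from the writeup" => '<script>alert(document.domain)</script>',
    "harmless greeting"                   => "Tom & Jerry's #1 fan",
];

foreach ($samples as $label => $input) {
    $filtered = blacklist_filter($input);
    $encoded  = encode_for_html($input);

    printf("%s\n", $label);
    printf("  input    : %s\n", $input);
    printf("  blacklist: %s  [markup survives: %s]\n",
        $filtered, markup_survives($filtered) ? 'yes' : 'no');
    printf("  encoded  : %s  [markup survives: %s]\n\n",
        $encoded, markup_survives($encoded) ? 'yes' : 'no');
}

// The hardened form of the challenge's greeting line would therefore be:
//   <h1>Hello, <?= encode_for_html($_GET['payload'] ?? '') ?>!</h1>
// rather than stripping a hand-picked set of characters.
```

Running it shows the two failure modes of the blacklist at once: the writeup's payload passes through untouched because it never uses a blacklisted character, while the benign greeting is mangled (its &, ' and # vanish). The encoded output keeps every character of both inputs, only in a form the browser renders as text rather than parses as markup. A filter that removes characters is a denylist, and a denylist is only as good as the attacker's creativity in avoiding it; encoding on output removes the guessing game.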