<?php
// Declare the response as UTF-8 HTML so the browser does not guess the charset.
header('Content-Type: text/html; charset=UTF-8');

// A value of 0 switches off the legacy browser-side reflected-XSS filter where
// one exists, leaving the server-side handling and the CSP below as the only
// controls on what the page reflects.
header('X-XSS-Protection: 0');

// The policy that follows is delivered as a <meta> element, not a response
// header. It denies every resource type by default and permits scripts only
// from this origin; inline <script> bodies and inline event handlers are not
// allowed by it. Caveat for defenders: 'self' trusts every URL on the origin,
// so any same-origin response that reflects request data weakens the policy.
?>
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self';">

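<?php
/*
 * Reflects the `x` query parameter back into the HTML response after a small
 * blacklist filter and an upper-casing step.
 *
 * NOTE(review): this looks like a deliberately vulnerable XSS exercise (the
 * page prints its own source and a PAYLOAD section follows), so the sink is
 * left as the author wrote it. Do not copy the pattern into real code:
 *   - The filter is a blacklist (one character, one tag prefix); it says
 *     nothing about other markup.
 *   - The case conversion runs AFTER the filter, so the string that is echoed
 *     is not the string that was checked. Unicode case mapping can change
 *     which characters are present; always validate the final value.
 *   - The value is echoed without output encoding. The actual fix is
 *     htmlspecialchars($x, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') at the echo,
 *     at which point the two str_ireplace() filters are unnecessary.
 */

// Print this file's own source, syntax-highlighted, at the top of the page.
// The second argument to file_get_contents() is use_include_path.
highlight_string(file_get_contents(__FILE__, true));

// Untrusted input. A missing parameter or an array value (?x[]=...) is treated
// as an empty string so the string functions below do not raise warnings or a
// TypeError.
$x = $_GET['x'] ?? '';
if (!is_string($x)) {
    $x = '';
}

// Use it to bypass WAF, I know it's annoying but I can't disable it :P
$x = str_ireplace('$', '', $x);

// Case-insensitive replacement of the literal prefix "<script" only.
$x = str_ireplace('<script', 'BLOCKED', $x);

// Upper-case the already-filtered value; no filter runs after this point.
$x = mb_convert_case($x, MB_CASE_UPPER);

// Reflected into the HTML body with no output encoding (see the note above).
echo $x;
?>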
PAYLOAD