websec.fr level17&level25 writeup
level17
<?php include "flag.php"; function sleep_rand() { /* I wish php5 had random_int() */ $range = 100000; $bytes = (int) (log($range, 2) / 8) + 1; do { /* Side effect: more random cpu cycles wasted ;) */ $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes))); } while ($rnd >= $range); usleep($rnd); } ?> <?php if (! strcasecmp ($_POST['flag'], $flag)) echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>'; else echo '<div class="alert alert-danger">Invalid flag, sorry.</div>'; ?>
level25
<?php if (!isset($_GET['page'])) { header('Location: http://websec.fr/level25/index.php?page=main'); die(); } ?> <?php parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query); foreach ($query as $k => $v) { if (stripos($v, 'flag') !== false) die('You are not allowed to get the flag, sorry :/'); } include $_GET['page'] . '.txt'; ?>
parse_url
对严重不合格的 URL,parse_url() 可能会返回 false