Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 3, Position 2 = 91
Branch analysis from position: 3
2 jumps found. (Code = 43) Position 1 = 11, Position 2 = 13
Branch analysis from position: 11
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 13
2 jumps found. (Code = 43) Position 1 = 18, Position 2 = 19
Branch analysis from position: 18
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 19
2 jumps found. (Code = 43) Position 1 = 26, Position 2 = 27
Branch analysis from position: 26
2 jumps found. (Code = 43) Position 1 = 34, Position 2 = 39
Branch analysis from position: 34
1 jumps found. (Code = 108) Position 1 = -2
Branch analysis from position: 39
2 jumps found. (Code = 46) Position 1 = 41, Position 2 = 43
Branch analysis from position: 41
2 jumps found. (Code = 43) Position 1 = 44, Position 2 = 51
Branch analysis from position: 44
1 jumps found. (Code = 42) Position 1 = 91
Branch analysis from position: 91
2 jumps found. (Code = 46) Position 1 = 94, Position 2 = 97
Branch analysis from position: 94
2 jumps found. (Code = 43) Position 1 = 98, Position 2 = 101
Branch analysis from position: 98
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 101
Branch analysis from position: 97
Branch analysis from position: 51
Branch analysis from position: 43
Branch analysis from position: 27
Branch analysis from position: 91
Found catch point at position: 77
Branch analysis from position: 77
2 jumps found. (Code = 107) Position 1 = 78, Position 2 = -2
Branch analysis from position: 78
2 jumps found. (Code = 46) Position 1 = 94, Position 2 = 97
Branch analysis from position: 94
Branch analysis from position: 97
filename: /in/u2dhs
function name: (null)
number of ops: 103
compiled vars: !0 = $url, !1 = $ch, !2 = $result, !3 = $e
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
3 0 E > FETCH_IS ~4 '_POST'
1 ISSET_ISEMPTY_DIM_OBJ 0 ~4, 'submit'
2 > JMPZ ~5, ->91
4 3 > FETCH_R global ~6 '_POST'
4 FETCH_DIM_R ~7 ~6, 'url'
5 ASSIGN !0, ~7
7 6 INIT_FCALL 'preg_match'
7 SEND_VAL '%2F%5Bhttps%3F%7C%5Bst%5D%3Fftp%7Cdict%7Cgopher%7Cscp%7Ctelnet%7Cldaps%3F%5D%5C%3A%5C%2F%5C%2F.%2A%28%5Cd%2B%7C%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%29%2Fi'
8 SEND_VAR !0
9 DO_ICALL $9
10 > JMPZ $9, ->13
8 11 > > EXIT 'Please+do+not+access+by+IP.'
12* JMP ->19
9 13 > INIT_FCALL 'preg_match'
14 SEND_VAL '%2Flocalhost%2Fi'
15 SEND_VAR !0
16 DO_ICALL $10
17 > JMPZ $10, ->19
10 18 > > EXIT 'Please+do+not+access+localhost.'
13 19 > INIT_FCALL 'stripos'
20 SEND_VAR !0
21 SEND_VAL '%2F'
22 SEND_VAL -1
23 DO_ICALL $11
24 IS_NOT_IDENTICAL $11, '%2F'
25 > JMPZ ~12, ->27
26 > ASSIGN_OP 8 !0, '%2F'
14 27 > ASSIGN_OP 8 !0, 'index.php'
17 28 INIT_FCALL_BY_NAME 'curl_init'
29 SEND_VAR_EX !0
30 DO_FCALL 0 $15
31 ASSIGN !1, $15
19 32 TYPE_CHECK 4 !1
33 > JMPZ ~17, ->39
20 34 > NEW $18 'Exception'
35 SEND_VAL_EX 'failed+to+initialize'
36 DO_FCALL 0
37 > THROW 0 $18
38* JMP ->51
21 39 > DEFINED ~20 'CURLOPT_IPRESOLVE'
40 > JMPZ_EX ~20 ~20, ->43
41 > DEFINED ~21 'CURL_IPRESOLVE_V4'
42 BOOL ~20 ~21
43 > > JMPZ ~20, ->51
22 44 > INIT_FCALL_BY_NAME 'curl_setopt'
45 SEND_VAR_EX !1
46 FETCH_CONSTANT ~22 'CURLOPT_IPRESOLVE'
47 SEND_VAL_EX ~22
48 FETCH_CONSTANT ~23 'CURL_IPRESOLVE_V4'
49 SEND_VAL_EX ~23
50 DO_FCALL 0
24 51 > INIT_FCALL_BY_NAME 'curl_setopt'
52 SEND_VAR_EX !1
53 FETCH_CONSTANT ~25 'CURLOPT_RETURNTRANSFER'
54 SEND_VAL_EX ~25
55 SEND_VAL_EX <true>
56 DO_FCALL 0
25 57 INIT_FCALL_BY_NAME 'curl_setopt'
58 SEND_VAR_EX !1
59 FETCH_CONSTANT ~27 'CURLOPT_FOLLOWLOCATION'
60 SEND_VAL_EX ~27
61 SEND_VAL_EX <false>
62 DO_FCALL 0
26 63 INIT_FCALL_BY_NAME 'curl_setopt'
64 SEND_VAR_EX !1
65 FETCH_CONSTANT ~29 'CURLOPT_SSL_VERIFYPEER'
66 SEND_VAL_EX ~29
67 SEND_VAL_EX <false>
68 DO_FCALL 0
27 69 INIT_FCALL_BY_NAME 'curl_exec'
70 SEND_VAR_EX !1
71 DO_FCALL 0 $31
72 ASSIGN !2, $31
28 73 INIT_FCALL_BY_NAME 'curl_close'
74 SEND_VAR_EX !1
75 DO_FCALL 0
76 > JMP ->91
29 77 E > > CATCH last 'Exception'
30 78 > INIT_FCALL 'trigger_error'
79 INIT_FCALL 'sprintf'
80 SEND_VAL 'Curl+failed+with+%23%25d%3A+%25s'
81 INIT_METHOD_CALL !3, 'getCode'
82 DO_FCALL 0 $34
83 SEND_VAR $34
84 INIT_METHOD_CALL !3, 'getMessage'
85 DO_FCALL 0 $35
86 SEND_VAR $35
87 DO_ICALL $36
88 SEND_VAR $36
89 SEND_VAL 256
90 DO_ICALL
34 91 > ECHO '+%0A%3C%21DOCTYPE+html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A++++%3Ctitle%3E%23WebSec+Level+Six%3C%2Ftitle%3E%0A++++%3Clink+rel%3D%22stylesheet%22+href%3D%22..%2Fstatic%2Fbootstrap.min.css%22+%2F%3E%0A++++%3C%21--+23%3A10%3A41+%3CMantis%3E+I+have+locked+down+flag.php+-+It+can+only+be+accessed+locally.+--%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E++++%0A++++%3Cdiv+id%3D%22main%22%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Ch1%3ELevel+Six+%3Csmall%3E-+URL+Grabber%3C%2Fsmall%3E%3C%2Fh1%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Cp+class%3D%22lead%22%3E%0A++++++++++++++++++++So+we+created+a+URL+grabber+which+fetches+remote+URLs.%3Cbr+%2F%3E%0A++++++++++++++++++++Of+course+you+can+view+the+source+code+%3Ca+href%3D%22source.php%22%3Ehere%3C%2Fa%3E%0A++++++++++++++++%3C%2Fp%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++%3C%2Fdiv%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Clabel+for%3D%22url%22%3EEnter+the+URL+you+wish+to+fetch%3A%3C%2Flabel%3E%0A++++++++++++++++%3Cform+class%3D%22form-inline%22+action%3D%22%22+method%3D%22post%22%3E%0A++++++++++++++++++++%3Cdiv+class%3D%22form-group%22%3E%0A++++++++++++++++++++++++%3Cdiv+class%3D%22input-group%22%3E%0A++++++++++++++++++++++++++++%3Cdiv+class%3D%22input-group-addon%22%3E%3Cspan+class%3D%22glyphicon+glyphicon-save%22+aria-hidden%3D%22true%22%3E%3C%2Fspan%3E%3C%2Fdiv%3E%0A++++++++++++++++++++++++++++%3Cinput+type%3D%22text%22+name%3D%22url%22+id%3D%22url%22+placeholder%3D%22http%3A%2F%2Fexample.com%2Ffile_to_get%22+class%3D%22form-control%22+required%2F%3E%0A++++++++++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++++++++++++++%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Submit%22+class%3D%22form-control+btn+btn-default%22+%2F%3E%0A++++++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++++++%3C%2Fform%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++%3C%2Fdiv%3E%0A++++++++'
69 92 ISSET_ISEMPTY_CV ~38 !2
93 > JMPZ_EX ~38 ~38, ->97
94 > BOOL_NOT ~39 !2
95 BOOL_NOT ~40 ~39
96 BOOL ~38 ~40
97 > > JMPZ ~38, ->101
70 98 > ECHO '++++++++%3Chr%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E++++%0A++++++++++++++++%3Cdiv+class%3D%22well%22%3E%0A++++++++++++++++++++'
74 99 ECHO !2
75 100 ECHO '++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++%3C%2Fdiv%3E++++%0A++++++++%3C%2Fdiv%3E++++%0A++++++++'
79 101 > ECHO '++++%3C%2Fdiv%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E'
81 102 > RETURN 1
Generated using Vulcan Logic Dumper, using php 8.0.0