Finding entry points Branch analysis from position: 0 2 jumps found. (Code = 43) Position 1 = 3, Position 2 = 91 Branch analysis from position: 3 2 jumps found. (Code = 43) Position 1 = 11, Position 2 = 13 Branch analysis from position: 11 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 13 2 jumps found. (Code = 43) Position 1 = 18, Position 2 = 19 Branch analysis from position: 18 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 19 2 jumps found. (Code = 43) Position 1 = 26, Position 2 = 27 Branch analysis from position: 26 2 jumps found. (Code = 43) Position 1 = 34, Position 2 = 39 Branch analysis from position: 34 1 jumps found. (Code = 108) Position 1 = -2 Branch analysis from position: 39 2 jumps found. (Code = 46) Position 1 = 41, Position 2 = 43 Branch analysis from position: 41 2 jumps found. (Code = 43) Position 1 = 44, Position 2 = 51 Branch analysis from position: 44 1 jumps found. (Code = 42) Position 1 = 91 Branch analysis from position: 91 2 jumps found. (Code = 46) Position 1 = 94, Position 2 = 97 Branch analysis from position: 94 2 jumps found. (Code = 43) Position 1 = 98, Position 2 = 101 Branch analysis from position: 98 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 101 Branch analysis from position: 97 Branch analysis from position: 51 Branch analysis from position: 43 Branch analysis from position: 27 Branch analysis from position: 91 Found catch point at position: 77 Branch analysis from position: 77 2 jumps found. (Code = 107) Position 1 = 78, Position 2 = -2 Branch analysis from position: 78 2 jumps found. (Code = 46) Position 1 = 94, Position 2 = 97 Branch analysis from position: 94 Branch analysis from position: 97 filename: /in/u2dhs function name: (null) number of ops: 103 compiled vars: !0 = $url, !1 = $ch, !2 = $result, !3 = $e line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 3 0 E > FETCH_IS ~4 '_POST' 1 ISSET_ISEMPTY_DIM_OBJ 0 ~4, 'submit' 2 > JMPZ ~5, ->91 4 3 > FETCH_R global ~6 '_POST' 4 FETCH_DIM_R ~7 ~6, 'url' 5 ASSIGN !0, ~7 7 6 INIT_FCALL 'preg_match' 7 SEND_VAL '%2F%5Bhttps%3F%7C%5Bst%5D%3Fftp%7Cdict%7Cgopher%7Cscp%7Ctelnet%7Cldaps%3F%5D%5C%3A%5C%2F%5C%2F.%2A%28%5Cd%2B%7C%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%5C.%5B0-9%5D%7B1%2C3%7D%29%2Fi' 8 SEND_VAR !0 9 DO_ICALL $9 10 > JMPZ $9, ->13 8 11 > > EXIT 'Please+do+not+access+by+IP.' 12* JMP ->19 9 13 > INIT_FCALL 'preg_match' 14 SEND_VAL '%2Flocalhost%2Fi' 15 SEND_VAR !0 16 DO_ICALL $10 17 > JMPZ $10, ->19 10 18 > > EXIT 'Please+do+not+access+localhost.' 13 19 > INIT_FCALL 'stripos' 20 SEND_VAR !0 21 SEND_VAL '%2F' 22 SEND_VAL -1 23 DO_ICALL $11 24 IS_NOT_IDENTICAL $11, '%2F' 25 > JMPZ ~12, ->27 26 > ASSIGN_OP 8 !0, '%2F' 14 27 > ASSIGN_OP 8 !0, 'index.php' 17 28 INIT_FCALL_BY_NAME 'curl_init' 29 SEND_VAR_EX !0 30 DO_FCALL 0 $15 31 ASSIGN !1, $15 19 32 TYPE_CHECK 4 !1 33 > JMPZ ~17, ->39 20 34 > NEW $18 'Exception' 35 SEND_VAL_EX 'failed+to+initialize' 36 DO_FCALL 0 37 > THROW 0 $18 38* JMP ->51 21 39 > DEFINED ~20 'CURLOPT_IPRESOLVE' 40 > JMPZ_EX ~20 ~20, ->43 41 > DEFINED ~21 'CURL_IPRESOLVE_V4' 42 BOOL ~20 ~21 43 > > JMPZ ~20, ->51 22 44 > INIT_FCALL_BY_NAME 'curl_setopt' 45 SEND_VAR_EX !1 46 FETCH_CONSTANT ~22 'CURLOPT_IPRESOLVE' 47 SEND_VAL_EX ~22 48 FETCH_CONSTANT ~23 'CURL_IPRESOLVE_V4' 49 SEND_VAL_EX ~23 50 DO_FCALL 0 24 51 > INIT_FCALL_BY_NAME 'curl_setopt' 52 SEND_VAR_EX !1 53 FETCH_CONSTANT ~25 'CURLOPT_RETURNTRANSFER' 54 SEND_VAL_EX ~25 55 SEND_VAL_EX <true> 56 DO_FCALL 0 25 57 INIT_FCALL_BY_NAME 'curl_setopt' 58 SEND_VAR_EX !1 59 FETCH_CONSTANT ~27 'CURLOPT_FOLLOWLOCATION' 60 SEND_VAL_EX ~27 61 SEND_VAL_EX <false> 62 DO_FCALL 0 26 63 INIT_FCALL_BY_NAME 'curl_setopt' 64 SEND_VAR_EX !1 65 FETCH_CONSTANT ~29 'CURLOPT_SSL_VERIFYPEER' 66 SEND_VAL_EX ~29 67 SEND_VAL_EX <false> 68 DO_FCALL 0 27 69 INIT_FCALL_BY_NAME 'curl_exec' 70 SEND_VAR_EX !1 71 DO_FCALL 0 $31 72 ASSIGN !2, $31 28 73 INIT_FCALL_BY_NAME 'curl_close' 74 SEND_VAR_EX !1 75 DO_FCALL 0 76 > JMP ->91 29 77 E > > CATCH last 'Exception' 30 78 > INIT_FCALL 'trigger_error' 79 INIT_FCALL 'sprintf' 80 SEND_VAL 'Curl+failed+with+%23%25d%3A+%25s' 81 INIT_METHOD_CALL !3, 'getCode' 82 DO_FCALL 0 $34 83 SEND_VAR $34 84 INIT_METHOD_CALL !3, 'getMessage' 85 DO_FCALL 0 $35 86 SEND_VAR $35 87 DO_ICALL $36 88 SEND_VAR $36 89 SEND_VAL 256 90 DO_ICALL 34 91 > ECHO '+%0A%3C%21DOCTYPE+html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A++++%3Ctitle%3E%23WebSec+Level+Six%3C%2Ftitle%3E%0A++++%3Clink+rel%3D%22stylesheet%22+href%3D%22..%2Fstatic%2Fbootstrap.min.css%22+%2F%3E%0A++++%3C%21--+23%3A10%3A41+%3CMantis%3E+I+have+locked+down+flag.php+-+It+can+only+be+accessed+locally.+--%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E++++%0A++++%3Cdiv+id%3D%22main%22%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Ch1%3ELevel+Six+%3Csmall%3E-+URL+Grabber%3C%2Fsmall%3E%3C%2Fh1%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Cp+class%3D%22lead%22%3E%0A++++++++++++++++++++So+we+created+a+URL+grabber+which+fetches+remote+URLs.%3Cbr+%2F%3E%0A++++++++++++++++++++Of+course+you+can+view+the+source+code+%3Ca+href%3D%22source.php%22%3Ehere%3C%2Fa%3E%0A++++++++++++++++%3C%2Fp%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++%3C%2Fdiv%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E%0A++++++++++++++++%3Clabel+for%3D%22url%22%3EEnter+the+URL+you+wish+to+fetch%3A%3C%2Flabel%3E%0A++++++++++++++++%3Cform+class%3D%22form-inline%22+action%3D%22%22+method%3D%22post%22%3E%0A++++++++++++++++++++%3Cdiv+class%3D%22form-group%22%3E%0A++++++++++++++++++++++++%3Cdiv+class%3D%22input-group%22%3E%0A++++++++++++++++++++++++++++%3Cdiv+class%3D%22input-group-addon%22%3E%3Cspan+class%3D%22glyphicon+glyphicon-save%22+aria-hidden%3D%22true%22%3E%3C%2Fspan%3E%3C%2Fdiv%3E%0A++++++++++++++++++++++++++++%3Cinput+type%3D%22text%22+name%3D%22url%22+id%3D%22url%22+placeholder%3D%22http%3A%2F%2Fexample.com%2Ffile_to_get%22+class%3D%22form-control%22+required%2F%3E%0A++++++++++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++++++++++++++%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Submit%22+class%3D%22form-control+btn+btn-default%22+%2F%3E%0A++++++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++++++%3C%2Fform%3E%0A++++++++++++%3C%2Fdiv%3E%0A++++++++%3C%2Fdiv%3E%0A++++++++' 69 92 ISSET_ISEMPTY_CV ~38 !2 93 > JMPZ_EX ~38 ~38, ->97 94 > BOOL_NOT ~39 !2 95 BOOL_NOT ~40 ~39 96 BOOL ~38 ~40 97 > > JMPZ ~38, ->101 70 98 > ECHO '++++++++%3Chr%3E%0A++++++++%3Cdiv+class%3D%22container%22%3E%0A++++++++++++%3Cdiv+class%3D%22row%22%3E++++%0A++++++++++++++++%3Cdiv+class%3D%22well%22%3E%0A++++++++++++++++++++' 74 99 ECHO !2 75 100 ECHO '++++++++++++++++%3C%2Fdiv%3E%0A++++++++++++%3C%2Fdiv%3E++++%0A++++++++%3C%2Fdiv%3E++++%0A++++++++' 79 101 > ECHO '++++%3C%2Fdiv%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E' 81 102 > RETURN 1
Generated using Vulcan Logic Dumper, using php 8.0.0