0x00 知識點
種子爆破
工具
http://www.openwall.com/php_mt_seed
0x01 解題
查看源碼進入check.php
zOHF0Cxp49
<?php
#這不是抽獎程序的源代碼!不許看!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";
if(isset($_POST['num'])){
if($_POST['num']===$str){x
echo "<p id=flag>抽獎,就是那么枯燥且無味,給你flag{xxxxxxxxx}</p>";
}
else{
echo "<p id=flag>沒抽中哦,再試試吧</p>";
}
}
show_source("check.php");
發現mt_scrand(),mt_rand()這倆函數; 並且session是用的隨機數設置的;
先用腳本將偽隨機數轉換成php_mt_seed可以識別的數據
str1='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2='zOHF0Cxp49'
str3 = str1[::-1]
length = len(str2)
res=''
for i in range(len(str2)):
for j in range(len(str1)):
if str2[i] == str1[j]:
res+=str(j)+' '+str(j)+' '+'0'+' '+str(len(str1)-1)+' '
break
print res
得到
將這一串拿到工具里去使用
爆破出偽隨機數和php版本
./php_mt_seed 25 25 0 61 50 50 0 61 43 43 0 61 41 41 0 61 26 26 0 61 38 38 0 61 23 23 0 61 15 15 0 61 30 30 0 61 35 35 0 61
將send設置為:819101489,如下
改寫源碼,生成完整字符串(如爆破到的seed是830701381)
<?php
mt_srand(819101489);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo $str;
?>
拿着得到得字符轉提交
