随便提交抓个包看看
发现提交到了check.php
进去看看
FpCyLNvPOj
<?php
#这不是抽奖程序的源代码!不许看!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";
if(isset($_POST['num'])){
if($_POST['num']===$str){x
echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
}
else{
echo "<p id=flag>没抽中哦,再试试吧</p>";
}
}
show_source("check.php");
知识点
php伪随机数漏洞
漏洞在于mt_srand()这个函数,php中,mt_rand()生成的是一个伪随机数,是通过算法生成出来的,所以我们可以根据这个来进行破解,从而得到mt_srand()里的种子
根据那篇文章,我们需要将给出前十个密码解析成php_mt_seed需要的参数(参考文章已给出exp)
exp如下(php)
<?php
$pass_now = "FpCyLNvPOj";
$allowable_characters = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$length = strlen($allowable_characters) - 1;
for ($j = 0; $j < strlen($pass_now); $j++) {
for ($i = 0; $i < $length; $i++) {
if ($pass_now[$j] == $allowable_characters[$i]) {
echo "$i $i 0 $length ";
break;
}
}
}
?>
看到好多web都是用python 写的
再放上python写的exp
```python
str1 ='FpCyLNvPOj'
str2 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
result =''
length = str(len(str2)-1)
for i in range(0,len(str1)):
for j in range(0,len(str2)):
if str1[i] == str2[j]:
result += str(j) + ' ' +str(j) + ' ' + '0' + ' ' + length + ' '
break
print(result)
接着放到kali下php伪随机数破解工具
将seed设置为490664240
生成密文提交后即可得到flag
mt_srand(490664240);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo $str;