代码里的随机数生成其实是伪随机的,给定种子,生成的随机数序列就能固定下来。
题目提供了flag中的前10位,需要我们完善20位,肯定不能爆破。
查看代码check.php:
2vRheEpPK8
<?php
#这不是抽奖程序的源代码!不许看!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";
if(isset($_POST['num'])){
if($_POST['num']===$str){x
echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
}
else{
echo "<p id=flag>没抽中哦,再试试吧</p>";
}
}
show_source("check.php");
不知道随机数种子,根据提供的信息,可以用 php_mt_seed来爆破,生成工具需要的参数
str1='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2='2vRheEpPK8'
res=''
for i in range(len(str2)):
for j in range(len(str1)):
if str2[i] == str1[j]:
res+=str(j)+' '+str(j)+' '+'0'+' '+str(len(str1)-1)+' '
break
print(res)
结果是:28 28 0 61 21 21 0 61 53 53 0 61 7 7 0 61 4 4 0 61 40 40 0 61 15 15 0 61 51 51 0 61 46 46 0 61 34 34 0 61
php_mt_seed - PHP mt_rand() seed cracker 下载工具php_mt_seed,在kali中解压,
tar --extract -f php_mt_seed-4.0.tar.gz ;进入make,运行程序得到种子488725513
根据种子运行代码得到flag:
<?php
mt_srand(488725513);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
$str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo $str;
2vRheEpPK8YFwjot5avX