[GWCTF 2019] 枯燥的抽奖 (Boring Lottery)


Open the browser developer tools (F12): the page source reveals check.php. The page itself only shows the first ten characters of the secret string; in this session they were:

jl7g91UtTg

check.php, as printed by its own show_source() call:

<?php
# "This is not the source code of the lottery program! No peeking!"
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
    // one seed per session, drawn from a space of only 10^9 values
    $_SESSION['seed']=rand(0,999999999);
}

mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    // each character is one mt_rand(0, 61) output
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);   // only the first 10 of 20 characters are displayed
echo "<p id='p1'>".$str_show."</p>";


if(isset($_POST['num'])){
    if($_POST['num']===$str){      // the full 20-character string must be submitted
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";   // "The lottery is just that boring; here is your flag"
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";   // "No luck, try again"
    }
}
show_source("check.php");

Analysing the source

The problem with mt_rand()

mt_rand() is a pseudo-random generator (Mersenne Twister), so the integers it returns are fully determined by the seed passed to mt_srand() and by how many times mt_rand() has been called since. If mt_srand(12345) is called once, the first mt_rand() call returns some value a, the second b, the third c; anyone who seeds with the same 12345 gets exactly a, b, c in that order and can therefore predict every following value. In check.php the seed is rand(0, 999999999) stored in the session, only about 10^9 possibilities, and the first ten mt_rand() outputs leak through $str_show, which is enough to brute-force the seed and regenerate the remaining ten characters.

<?php  
mt_srand(123);    
echo mt_rand(0,1000)."<br/>";

mt_srand(123); 
echo mt_rand(0,1000)."<br/>";

mt_srand(123); 
echo mt_rand(0,1000)."<br/>";
?>  

Output:

$php main.php
58<br/>58<br/>58<br/>  

Since ten characters (i.e. ten consecutive mt_rand() outputs) are known, the seed can be brute-forced with the tool php_mt_seed.

Using php_mt_seed-4.0 on Kali:

cd into the php_mt_seed-4.0 directory and run a command of this form:

./php_mt_seed 3 3 0 61 60 60 0 61 4 4 0 61 40 40 0 61 28 28 0 61 59 59 0 61 58 58 0 61 4 4 0 61 31 31 0 61 5 5 0 61

Each group of four numbers is `value value 0 61`: the observed mt_rand() output, given twice as an exact lower and upper bound, followed by the range that was passed to mt_rand(), here 0 and 61 (strlen($str_long1) - 1). Feeding the ten outputs obtained after seeding recovers the seed, and with the seed the full string can be regenerated.

First convert the ten visible characters into that format. The run below used "oS7tocGlzN" (evidently a different session from the one above; every new session gets a fresh seed). Each character's index in $str_long1 is the mt_rand() output, and the last two numbers of each group are the mt_rand() range:

str1 = 'oS7tocGlzN'   # the ten characters displayed by the page
str2 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
result = ''

length = str(len(str2) - 1)   # upper bound of mt_rand(0, strlen - 1), i.e. 61
for i in range(0, len(str1)):
    for j in range(0, len(str2)):
        if str1[i] == str2[j]:
            # first two numbers: the exact observed value; last two: the mt_rand() range
            result += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + length + ' '
            break

print(result)

14 14 0 61 54 54 0 61 33 33 0 61 19 19 0 61 14 14 0 61 2 2 0 61 42 42 0 61 11 11 0 61 25 25 0 61 49 49 0 61

Running php_mt_seed on these values recovers the seed: 455472525. (php_mt_seed prints candidates for both the pre-7.1 and the 7.1+ mt_rand() implementations, and may print more than one; pick the one matching the target's PHP version and confirm it reproduces the ten visible characters.)

Then put the seed into the PHP program to regenerate the whole string, using the same PHP major version as the target:

<?php
mt_srand(455472525);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);       
}
$str_show = substr($str, 0, 10);
echo $str;
?>
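Added example, not part of the original writeup and not php_mt_seed's or the challenge's code: a Python emulation of PHP 7.1+ mt_srand()/mt_rand() that regenerates check.php's string from a recovered seed without a PHP interpreter, builds the php_mt_seed argument list from the visible characters (the same thing the script above does), and checks a candidate seed against what the page displayed. It assumes the target runs PHP 7.1 or newer (standard MT19937 twist, rejection-sampled ranges); a seed that php_mt_seed reports for PHP 5.2.1 to 7.0.x would need the legacy twist and range scaling, which this block does not implement. The seed 455472525 and the string oS7tocGlzN are the page's own values; 3499211612 is the well-known first MT19937 output for seed 5489 and is used only as a self-check.

```python
"""Emulate PHP >= 7.1 mt_srand()/mt_rand() to reproduce the lottery string.

Assumption: the target is PHP 7.1+. Earlier versions twist on the low bit of
a different state word and scale ranges by floating-point multiplication, so
their output differs for the same seed.
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N, M = 624, 397
MASK32 = 0xFFFFFFFF


class PhpMt19937:
    """MT19937 seeded the way mt_srand() does (init_genrand, not init_by_array)."""

    def __init__(self, seed):
        self.state = [0] * N
        self.state[0] = seed & MASK32
        for i in range(1, N):
            prev = self.state[i - 1]
            self.state[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = N  # PHP reloads (twists) right after seeding, before the first output

    def _twist(self):
        s = self.state
        for i in range(N):
            y = (s[i] & 0x80000000) | (s[(i + 1) % N] & 0x7FFFFFFF)
            v = s[(i + M) % N] ^ (y >> 1)
            if s[(i + 1) % N] & 1:  # PHP 7.1+: low bit of the *next* word (standard MT)
                v ^= 0x9908B0DF
            s[i] = v
        self.index = 0

    def next_u32(self):
        """Raw 32-bit tempered output, what php_mt_rand() returns internally."""
        if self.index >= N:
            self._twist()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32

    def mt_rand(self, lo, hi):
        """mt_rand($lo, $hi) as in PHP 7.1+: rejection sampling, no modulo bias."""
        umax = hi - lo
        r = self.next_u32()
        if umax == MASK32:
            return lo + r
        umax += 1
        if umax & (umax - 1) == 0:  # power-of-two range: plain mask
            return lo + (r & (umax - 1))
        limit = MASK32 - (MASK32 % umax) - 1
        while r > limit:  # discard outputs that would bias the modulo
            r = self.next_u32()
        return lo + r % umax


def lottery_string(seed, length=20):
    """Reproduce check.php's $str for a given seed (20 characters by default)."""
    rng = PhpMt19937(seed)
    return "".join(ALPHABET[rng.mt_rand(0, len(ALPHABET) - 1)] for _ in range(length))


def php_mt_seed_args(shown):
    """Turn the displayed characters into php_mt_seed tuples: 'value value 0 61'."""
    hi = len(ALPHABET) - 1
    return " ".join(f"{ALPHABET.index(c)} {ALPHABET.index(c)} 0 {hi}" for c in shown)


def seed_matches(seed, shown):
    """Check a candidate seed printed by php_mt_seed against the visible prefix."""
    return lottery_string(seed, len(shown)) == shown


if __name__ == "__main__":
    shown = "oS7tocGlzN"  # the page's own example prefix
    print("php_mt_seed arguments:", php_mt_seed_args(shown))
    candidate = 455472525  # the seed the page recovered
    print("candidate matches prefix:", seed_matches(candidate, shown))
    print("full string to POST as num:", lottery_string(candidate))
```

If seed_matches() returns False for the candidate, the target is most likely running pre-7.1 PHP and the seed php_mt_seed listed under the legacy mode applies; regenerate the string with a matching PHP interpreter in that case.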

Submit the full 20-character string as the POST parameter num to receive the flag.
