[GWCTF 2019] 枯燥的抽奖 (Boring Lottery)
The key JS code
Next, go to check.php.
It gives us its source code directly:
```php
<?php
header("Content-Type: text/html;charset=utf-8");
session_start();
// The seed is chosen once per session and then reused on every request.
if (!isset($_SESSION['seed'])) {
    $_SESSION['seed'] = rand(0, 999999999);
}

mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str = '';
$len1 = 20;
// Build the 20-character lottery string from mt_rand() output.
for ($i = 0; $i < $len1; $i++) {
    $str .= substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
// Only the first 10 characters are shown to the player.
$str_show = substr($str, 0, 10);
echo "<p id='p1'>" . $str_show . "</p>";

if (isset($_POST['num'])) {
    if ($_POST['num'] === $str) {
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    } else {
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
show_source("check.php");
```
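As the code shows, the seed is stored in the session and mt_srand() is called with it on every request, so the lottery sequence is fixed.
The seed can then be brute-forced from the 10 characters that are displayed. php_mt_seed can brute-force the seed directly, though it also takes some luck.
Generate the arguments that php_mt_seed needs (php_mt_seed version 4.0 works better):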
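```python
# Alphabet used by check.php and the 10 characters shown on the page.
s = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
key = 'FEVzjlfnuz'
m = ''
for i in key:
    for j in range(len(s)):
        if i == s[j]:
            # One group of four numbers per mt_rand() output:
            # lowest match, highest match, range minimum, range maximum.
            m += "{} {} 0 {} ".format(j, j, len(s) - 1)
print(m)
```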
Then run the brute force.
Then generate the lottery sequence with the recovered seed:
```php
<?php
// Seed recovered by php_mt_seed.
mt_srand(0x0185ab6d);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str = '';
for ($i = 0; $i < 20; $i++) {
    $str .= substr($str_long1, mt_rand(0, 61), 1);
}
echo $str;
```
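
For contrast with check.php above, here is a hardened version of the same draw, added as an example and not part of the original challenge or writeup. It keeps the drawn string itself in the session instead of a seed and takes each character from random_int(); the helper name `draw_string`, the session key `draw` and the placeholder result messages are assumptions made for illustration.

```php
<?php
// Added example (not the challenge's code): the same draw without a recoverable seed.
header("Content-Type: text/html;charset=utf-8");
session_start();

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Hypothetical helper: every character comes from the OS CSPRNG via random_int(),
// so there is no small generator state that the visible prefix could pin down.
function draw_string(int $len): string
{
    $out = '';
    $max = strlen(ALPHABET) - 1;
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Store the drawn string itself (hypothetical session key 'draw'), not a seed.
if (!isset($_SESSION['draw'])) {
    $_SESSION['draw'] = draw_string(20);
}
$str = $_SESSION['draw'];

// The first 10 characters can still be shown: they are independent of the last 10.
echo "<p id='p1'>" . substr($str, 0, 10) . "</p>";

// Reject array-valued input before comparing.
if (isset($_POST['num']) && is_string($_POST['num'])) {
    // hash_equals() compares the two strings in constant time.
    if (hash_equals($str, $_POST['num'])) {
        echo "<p id=flag>win (placeholder message)</p>";
    } else {
        echo "<p id=flag>no win (placeholder message)</p>";
    }
}
```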