GWCTF 2019 枯燥的抽奖 (Boring Lottery): a PHP pseudo-random number problem

[GWCTF 2019] 枯燥的抽奖 (Boring Lottery)

The key JavaScript code:

[screenshot of the key JavaScript code]

It leads to check.php, which prints its own source:

```php
<?php
# This is not the source code of the lottery program! Don't look!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
    $_SESSION['seed']=rand(0,999999999);
}

mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";


if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
show_source("check.php");
```

The seed is stored in the session, so for a given session the whole 20-character lottery string is fixed: only the first 10 characters are shown, but the remaining 10 come from the same seeded mt_rand() stream.

Those 10 visible characters are enough to brute-force the seed. php_mt_seed can recover it directly, although some luck is still involved.

Generating the constraints php_mt_seed needs (php_mt_seed 4.0 is the easier version to use):

```python
# -*- coding: utf-8 -*-
# Turn the 10 displayed characters into php_mt_seed constraints.
# Each output of mt_rand(0, 61) is pinned to the index of the shown
# character, written as "<min> <max> <rmin> <rmax>" = "j j 0 61".
s = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
key = 'FEVzjlfnuz'  # the 10 characters shown on the page
m = ''
for i in key:
    for j in range(len(s)):
        if i == s[j]:
            m += "{} {} 0 {} ".format(j, j, len(s) - 1)
print(m)
```

Then run the brute force:

[screenshot of the php_mt_seed output]

Finally, generate the full lottery sequence from the recovered seed:

```php
<?php
mt_srand(0x0185ab6d);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
for ( $i = 0; $i < 20; $i++ ){
    $str.=substr($str_long1, mt_rand(0, 61), 1);
}
echo $str;
```
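The regeneration step above needs a PHP interpreter whose mt_rand() behaves like the target's. As an added example (not part of the original writeup), here is a Python re-implementation of PHP's mt_srand()/mt_rand(), assuming PHP 7.1+ semantics (standard MT19937 seeding and twist, and the rejection-sampling range function), so a candidate seed can be checked against the displayed 10-character prefix and the full 20-character string regenerated offline.

```python
# Added example; assumes PHP >= 7.1 mt_rand semantics, not code from the original writeup.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MASK32 = 0xFFFFFFFF


class PhpMt19937:
    def __init__(self, seed):
        # php_mt_initialize(): the classic init_genrand() recurrence
        self.mt = [seed & MASK32]
        for i in range(1, 624):
            prev = self.mt[-1]
            self.mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
        self.index = 624  # forces the first twist, as php_mt_srand() -> php_mt_reload()

    def _twist(self):
        mt = self.mt
        for i in range(624):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % 624] & 0x7FFFFFFF)
            mt[i] = mt[(i + 397) % 624] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def next_u32(self):
        """Raw tempered 32-bit word: PHP's internal php_mt_rand()."""
        if self.index >= 624:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & MASK32

    def mt_rand(self, lo=None, hi=None):
        """mt_rand(): 31-bit value; mt_rand($min, $max): PHP 7.1+ rand_range32()."""
        r = self.next_u32()
        if lo is None:
            return r >> 1                    # PHP drops the low bit
        umax = hi - lo
        if umax == MASK32:
            return lo + r
        umax += 1
        if umax & (umax - 1) == 0:           # power of two: plain mask, no bias
            return lo + (r & (umax - 1))
        limit = MASK32 - (MASK32 % umax) - 1
        while r > limit:                     # reject to avoid modulo bias
            r = self.next_u32()
        return lo + r % umax


def lottery_string(seed, length=20):
    """Re-run the check.php loop for a candidate seed: 20 draws of mt_rand(0, 61)."""
    gen = PhpMt19937(seed)
    return "".join(ALPHABET[gen.mt_rand(0, len(ALPHABET) - 1)] for _ in range(length))
```

A seed candidate from php_mt_seed is confirmed when `lottery_string(seed)[:10]` equals the prefix shown on the page; the remaining 10 characters are then the value to submit as `num`.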