[GWCTF 2019] 枯燥的抽奖 (Boring Lottery)
Viewing the page source reveals a reference to check.php.
Requesting check.php returns its source code:
<?php
# This is not the lottery program's source code! No peeking!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
    // The seed is chosen once per session and then reused
    $_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
// Only the first 10 of the 20 characters are shown to the user
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";
if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
show_source("check.php");
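The script seeds the generator with mt_srand() and draws its random numbers with mt_rand(). These are pseudo-random numbers: once the seed is known, the same sequence can be regenerated.
Use the php_mt_seed 4.0 tool to brute-force the seed.
First, generate the arguments that php_mt_seed 4.0 expects: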
# -*- coding: utf-8 -*-
# Character set used by check.php
s = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# The 10 characters displayed on the page
key = 'c1z5DuPZXT'
m = ''
for i in key:
    for j in range(len(s)):
        if i == s[j]:
            # php_mt_seed argument group: "min_value max_value range_min range_max"
            m += "{} {} 0 {} ".format(j, j, len(s) - 1)
print(m)
# Output:
# 2 2 0 61 27 27 0 61 25 25 0 61 31 31 0 61 39 39 0 61 20 20 0 61 51 51 0 61 61 61 0 61 59 59 0 61 55 55 0 61
Run php_mt_seed 4.0 with these arguments.
Then generate the string the challenge asks for:
<?php
# version: php7.3.4
// Seed recovered with php_mt_seed
mt_srand(744449933);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo $str;
# c1z5DuPZXTSDNU66xXTU
Submitting this string returns the flag.
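As an added example (not part of the original write-up), the sketch below models PHP 7.1+ `mt_srand()` / `mt_rand(min, max)` in Python to show why displaying ten characters gives away the hidden ten: the whole string is a pure function of the seed. The names `PhpMt` and `lottery_string` are illustrative, and the model assumes PHP's default (non-legacy) MT19937 mode and ranges below 2^32.

```python
# Added example: pure-Python model of PHP >= 7.1 mt_srand()/mt_rand(min, max).
N, M = 624, 397
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

class PhpMt:
    def __init__(self, seed):
        # mt_srand(): standard MT19937 seeding from a single 32-bit value
        s = [seed & 0xFFFFFFFF]
        for i in range(1, N):
            s.append((1812433253 * (s[-1] ^ (s[-1] >> 30)) + i) & 0xFFFFFFFF)
        self.state, self.idx = s, N

    def _reload(self):
        s = self.state
        for i in range(N):
            y = (s[i] & 0x80000000) | (s[(i + 1) % N] & 0x7FFFFFFF)
            s[i] = s[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.idx = 0

    def next_u32(self):
        if self.idx >= N:
            self._reload()
        y = self.state[self.idx]
        self.idx += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return y ^ (y >> 18)

    def rand_range(self, lo, hi):
        # mt_rand(lo, hi): full 32-bit output reduced modulo the range size
        umax = hi - lo + 1
        r = self.next_u32()
        if umax & (umax - 1) == 0:          # power-of-two range: mask
            return lo + (r & (umax - 1))
        limit = 0xFFFFFFFF - (0xFFFFFFFF % umax) - 1
        while r > limit:                    # rejection step removes modulo bias
            r = self.next_u32()
        return lo + r % umax

def lottery_string(seed, length=20):
    # Same loop as check.php: one mt_rand(0, 61) draw per character
    mt = PhpMt(seed)
    return "".join(CHARSET[mt.rand_range(0, len(CHARSET) - 1)] for _ in range(length))

if __name__ == "__main__":
    full = lottery_string(744449933)        # seed taken from the write-up
    print("shown :", full[:10])
    print("hidden:", full[10:])
```

Because the seed is drawn from only 10^9 values and fixes every later draw, an unpredictable string has to come from a CSPRNG such as PHP's `random_int()`, not from a seeded `mt_rand()`.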