伪随机数

Bkfish

2019-12-03

Web

随机数

在比赛中多次遇到了伪随机数的问题-总结一下

在web安恒测试决赛的题目

 <?php
#这不是抽奖程序的源代码！不许看！
header("Content-Type: textml;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}

mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);       
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";


if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖，就是那么枯燥且无味，给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦，再试试吧</p>";
    }
}
show_source("check.php");

参考几篇博客
http://wonderkun.cc/index.html/?p=585
https://www.anquanke.com/post/id/168308
思路就很明显了

Hack

1、安装php_mt_seed

https://www.openwall.com/php_mt_seed/随便下载一个版本，放到linux下make就行了
使用的话直接

1	root@kali:~/桌面/php_mt_seed-3.4# ./php_mt_seed 42 42 0 61 48 48 0 61 0 0 0 61 37 37 0 61 2 2 0 61 11 11 0 61 54 54 0 61 1 1 0 61 37 37 0 61 2 2 0 61

2、整理本题数据

我们先访问一下拿到前10位

从博客参考中我们能看到，还需要整理

<?php
$str = "GMaBclSbBc";
$randStr = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 
for($i=0;$i<strlen($str);$i++){
   $pos = strpos($randStr,$str[$i]);
   echo $pos." ".$pos." "."0 ".(strlen($randStr)-1)." ";
   //整理成方便 php_mt_seed 测试的格式
  //php_mt_seed VALUE_OR_MATCH_MIN [MATCH_MAX [RANGE_MIN RANGE_MAX]]
}
echo "\n";
?>

生成了

1	42 42 0 61 48 48 0 61 0 0 0 61 37 37 0 61 2 2 0 61 11 11 0 61 54 54 0 61 1 1 0 61 37 37 0 61 2 2 0 61

3、使用php_mt_seed

root@kali:~/桌面/php_mt_seed-3.4# ./php_mt_seed 42 42 0 61 48 48 0 61 0 0 0 61 37 37 0 61 2 2 0 61 11 11 0 61 54 54 0 61 1 1 0 61 37 37 0 61 2 2 0 61 
Pattern: EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62 EXACT-FROM-62
Found 0, trying 536870912 - 570425343, speed 115704937 seeds per second 
seed = 552481257
Found 1, trying 4261412864 - 4294967295, speed 109971944 seeds per second 
Found 1

拿到种子552481257
一般而言是会返回你php版本号的，一定要使用特定的版本才能得到正确下一步

4、还原数据

<?php
mt_srand(552481257);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);       
}

echo $str;
?>

输出GMaBclSbBcDfVku346h4