table of Contents
Function Introduction
mt_scrand() //播种 Mersenne Twister 随机数生成器。
mt_rand() //生成随机数
In simple terms mt_scrand () by distributing seed seed, and then after the seeds have, by mt_rand () generates a random number
Code Testing
<?php
mt_srand(12345);
echo mt_rand()."###";
echo mt_rand()."###";
echo mt_rand()."###";
?>
Results are as follows
and now we have it generate the two random numbers, the following results
the question arises, we will find the same seed when, in fact, generated random number is fixed. And this is a pseudo-random number vulnerability, part ctf title will take this as test sites.
Test sites
1. The random number seed prediction
As Xiao Ming to learn the code on HackingLab audit of this question. Links: Xiao Ming learning code audit
<?php
session_start();
include '_flag.php';
date_default_timezone_set('Asia/Shanghai');
if(isset($_POST['token']) && isset($_SESSION['token']) &&!empty($_POST['token'])&&!empty($_SESSION['token'])){
if($_POST['token']==$_SESSION['token']){
echo "PassResetSuccess! Your Flag is:".$flag;
}else{
echo "Token_error!";
}
}else{
mt_srand(time());
$rand= mt_rand();
$_SESSION['token']=sha1(md5($rand));
echo "Token Generate Ok! now send email to your EmailBox!.....";
if(sendmymail($_SESSION['token'])){
echo "SendOK! \r\n<br> Your password reset Token has been send to your mailbox! <br>Please Check your mail box and fill your token here to reset your password!<br>";
};
}
The key code is previously timestamp generating a random number seed, to the correlation stored encrypted session, and when the value of the token value and token we post the session can be obtained in the same flag.
We also need to set a certain time interval in the same encryption method generates a random number can be.
If your time and the time above the server are not synchronized, i.e., time () values are not the same, the need to shift to a range of about Blasting
Detailed See Xiao Ming learning code audit writeup
The random number seed prediction
A random number generated above example, suppose we know the first random number generation, then how do we expect the seed?
Then use to php_mt_seed this tool.
php_mt_rand tools only for blasting the mt_rand () function of the random number seed value is generated, whether explicit call mt_srand () function seeded, but not for blasting mt_rand (1,1000) and the specified range of this function rand
Once you have downloaded into the appropriate directory. The first time you need to make an input file generated php_mt_seed, the future will not enter.
Use ./php_mt_seed + random number can be. Small partners carefully will find that sometimes predict a lot of seeds, which is a normal phenomenon, you can try the next one by one we just (run out of seeds under normal circumstances will not be many)
we can see the seed ran out of 12345, this is the top seed we set.
Reference: random number of Web Security summary
