[Websec.fr] Easy - Level19

얼마 전 CTF에서 capcha와 관련 문제를 풀었는데  마침 엇비슷해 보이는 문제가 있어 풀어보았다.

<?php
session_start ();

include 'random.php';
include 'email.php';
include 'anti_csrf.php';
include 'captcha.php';

init_token ();

if (isset ($_POST['captcha']) and isset ($_SESSION['captcha'])) {
    if ($_SESSION['captcha'] === $_POST['captcha']) {
        check_and_refresh_token();
        $email_addr = 'level19' . '@' . $_SERVER['HTTP_HOST'];  // less hassle if we move to another domain
        send_flag_by_email ($email_addr);
        $message = "<p class='alert alert-success'>Password recovery email sent.</p>";
    } else {
        $message = "<p class='alert alert-danger'>Invalid captcha</p>";
    }
} else {
    $_SESSION['captcha'] = generate_random_text (255 / 10.0);
}
?>

<?php
$height = 64;
$width = 255;

function show_image () {
    global $height;
    global $width;

    if (! isset ($_SESSION['captcha'])) {
        die ('This is not how you are supposed to use it.');
    }

    $image = @imagecreatetruecolor ($width, 64) or die ("Cannot Initialize new GD image stream");

    $bg = imagecolorallocate ($image, 255, 255, 255);
    imagefill ($image, 0, 0, $bg);
    imagecolordeallocate ($image, $bg);

    for($i = 0; $i <= $width / 10.0; $i++) {
        $color = imagecolorallocate ($image, rand (0, 128), rand (0, 128), rand (0, 128));
        imagechar ($image, rand (1, 5), $i * rand (20, 40), rand (10, $height - 10), $_SESSION['captcha'][$i], $color);
        imagecolordeallocate ($image, $color);
    }

    /* Yay, dots! */
    for($i=0; $i < 1024; $i++) {
        $color = imagecolorallocate ($image, rand (0, 255), rand (0, 255), rand (0, 255));
        imagesetthickness ($image, rand (1, 5));
        imagefilledellipse ($image, rand (0, $width), rand (0, $height), 3, 3, $color);
        imagecolordeallocate ($image, $color);
    }

    /* Yay, lines! */
    imagesetthickness ($image, 1);
    for ($i=0; $i < 8; $i++) {
        $color = imagecolorallocate ($image, rand (0, 255), rand (0, 255), rand (0, 255));
        imageline($image, rand (0, $width), 0, rand (0, $width), $height, $color);
        imagecolordeallocate ($image, $color);
    }

    /* Php doesn't offer a method to output images to a variable. */
    ob_start ();
    imagepng ($image);
    $str_image = ob_get_contents ();
    ob_end_clean ();
    imagedestroy ($image);

    return base64_encode ($str_image);
}

?>

<?php

function init_token() {
    if ((! isset ($_SESSION['token'])) or empty ($_SESSION['token'])) {
        $_SESSION['token'] = generate_random_text (32);
    }
}

function check_and_refresh_token() {
    if (! isset ($_POST['token'])) {
        die ('Please sumbit the anti-csrf token.');
    } elseif ( hash_equals ($_SESSION['token'], $_POST['token'])) {
        $_SESSION['token'] = generate_random_text (32);
    } else {
        $_SESSION['token'] = generate_random_text (32);
        die ('Invalid session token.');
    }
}
?>

<?php

// https://secure.php.net/manual/en/function.srand.php#90215
srand (microtime (true));

function generate_random_text ($length) {
    $chars  = "abcdefghijklmnopqrstuvwxyz";
    $chars .= "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $chars .= "1234567890";

    $text = '';
    for($i = 0; $i < $length; $i++) {
        $text .= $chars[rand () % strlen ($chars)];
    }
    return $text;
}

 

이문제는 srand() 가 int를 사용하고 있고 , true로 생성된 float가 int로 변환된다.

이것을 통해서 브루트 포스를 생각할 수 있다.

 

<? php
function submit_captcha( $captcha, $csrf_token, $session) {
	//$url = "-----";
	$url = "http://websec.fr/level19/index.php";
	$data = array('token'=>$csrf_token, 'captcha'=>$captcha);
	$data = http_build_query($data);
	$options = array(
	  'http'=>array(
	    'method'=>"POST",
	    'header'=>"Host: 
                      "Accept-language: "
                      "Content-type:  " 
                      "Content-Length: " 
		      "Cookie: PHPSESSID=" . $session . "\r\n" .  
		      "User-Agent: ";
	  )
	);
	echo "built query";
  ?>