Exploit Notes

PHP Srand Time Abusing

Last modified: 2023-03-09


If a website seeds PHP's random number generator with “srand(time())”, the strings it generates are not really random: we can reproduce them by controlling the argument passed to the “srand()” function.

Investigation

function generate_random_number() {
	// The seed is the current Unix timestamp, so it is predictable.
	srand(time());
	// Some code for generating random number...
	$random_numbers = rand(); // placeholder for the site's own generation logic
	return $random_numbers;
}

For example, assume the website uses the above function to generate random numbers or strings for authentication, such as an activation code or a multi-factor security code.
In such cases, we can replace the “time()” function with “strtotime()” in our own copy of the function to make the result non-random.


Exploitation

1. Send Request

First, send the request that executes the desired function, e.g. “generate_random_number”, which uses “srand(time())”.
Then look at the Date header in the HTTP response.

Date: Thu, 09 Mar 2023 08:31:35 GMT

This gives us the time, such as “08:31:35”, so copy it.

2. Generate Non-Random Result

We can pass the above Date time as the argument of the “strtotime()” function as follows.

function generate_random_number() {
    // Fixed seed taken from the Date header instead of time().
    srand(strtotime("08:31:35"));
    // Some code for generating random number...
    $random_numbers = rand(); // placeholder for the site's own generation logic
    echo $random_numbers;
}

Now execute the above function in a PHP playground.
We get the same result no matter how many times we run it.
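
The root cause and the fix, as an added example that is not part of the original page: a seeded generator repeats its output for a repeated seed, while PHP's CSPRNG functions take no seed at all. The function names, the 6-digit code format and the sample seed are assumptions made for illustration.

```php
<?php
// Added example (not from the original page). Function names and the
// 6-digit code format are assumptions chosen for illustration.

// Weak pattern from the page: the seed is a Unix timestamp. Since PHP 7.1,
// srand()/rand() are aliases of mt_srand()/mt_rand(), a deterministic PRNG.
function weak_code(int $seed): string
{
    srand($seed);
    return str_pad((string) rand(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Hardened: random_int() reads the operating system CSPRNG and cannot be seeded.
function strong_code(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Hardened token for activation or reset links: 128 bits of CSPRNG output.
function strong_token(): string
{
    return bin2hex(random_bytes(16));
}

// Constructed sample seed: 2023-03-09 08:31:35 UTC as a Unix timestamp.
$seed = 1678350695;

// Seeded generator: two runs with the same seed are compared.
$weakRepeats = weak_code($seed) === weak_code($seed);

// CSPRNG: count how many distinct codes 1000 independent draws produce.
$codes = [];
for ($i = 0; $i < 1000; $i++) {
    $codes[strong_code()] = true;
}

printf("weak code repeats for the same seed: %s\n", $weakRepeats ? 'yes' : 'no');
printf("distinct strong codes in 1000 draws: %d\n", count($codes));
printf("sample token: %s\n", strong_token());
```

When reviewing a code base for this issue, search for “srand(” and “mt_srand(” calls whose output feeds activation codes, MFA codes or reset tokens, and replace the generation with “random_int()” or “random_bytes()”.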
