PHP Srand Time Abusing

Last modified: 2023-03-09


If a website seeds PHP's random number generator with “srand(time())”, the resulting “random” strings are predictable: anyone who knows the server time can supply the same value as the argument of “srand()” and reproduce the output.


function generate_random_number() {
    // Assumed body (the original only says "some code for generating random number"):
    srand(time());                        // seed with the current Unix time
    $random_numbers = rand(100000, 999999); // e.g. a 6-digit activation code
    return $random_numbers;
}

For example, assume the website uses the above function to generate random numbers or strings that are used for authentication, such as activation codes or multi-factor security codes.
In such cases, we can replace “time()” with “strtotime()” applied to the server's timestamp, which makes the result reproducible rather than random.


1. Send Request

First, send the request that triggers the desired function, e.g. “generate_random_number”, which uses “srand(time())”.
Then look at the “Date” header in the HTTP response.

Date: Thu, 09 Mar 2023 08:31:35 GMT

This reveals the server time, e.g. “08:31:35”, so copy the whole Date value.

2. Generate Non-Random Result

We can pass the above Date value as the argument of the “strtotime()” function as follows.

function generate_random_number() {
    // Same assumed body as above, but seeded from the copied Date header
    srand(strtotime("Thu, 09 Mar 2023 08:31:35 GMT"));
    $random_numbers = rand(100000, 999999);
    echo $random_numbers;
}
generate_random_number();

Now run the above function in a PHP playground.
Because the seed is fixed, we get the same result no matter how many times we run it.
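The following PHP script is an added example, not code from the original note. It puts the vulnerable pattern and its fix side by side: a code generator seeded from a timestamp that can be recovered from the response “Date” header, and the same generator built on PHP's CSPRNG, which has no seed to recover. The Date value, the function names “weak_code” and “strong_code”, and the 6-digit code format are assumptions made for illustration.

```php
<?php
// Added example (not from the original note). Shows why srand(time()) is
// predictable and what to use instead. Constructed values: the Date header
// below and the 6-digit code format.

// Constructed: value copied from an HTTP response "Date:" header.
$dateHeader = "Thu, 09 Mar 2023 08:31:35 GMT";

// Vulnerable pattern: the seed is a timestamp that the server itself publishes.
// srand()/rand() are aliases of mt_srand()/mt_rand() since PHP 7.1, so the
// sequence is fully determined by the seed on every modern PHP version.
function weak_code(int $seed): string {
    mt_srand($seed);
    return sprintf("%06d", mt_rand(0, 999999));
}

// Hardened pattern: random_int() draws from the OS CSPRNG and is never seeded,
// so no header, clock or log entry lets anyone replay the output.
function strong_code(): string {
    return sprintf("%06d", random_int(0, 999999));
}

// strtotime() turns the header into the same integer time() returned on the
// server at that second, i.e. the exact value handed to srand().
$seed = strtotime($dateHeader);

// Reusing the seed reproduces the "random" code on every call.
$first  = weak_code($seed);
$second = weak_code($seed);
printf("seed=%d weak_code=%s again=%s identical=%s\n",
    $seed, $first, $second, $first === $second ? "yes" : "no");

// The CSPRNG version yields independent values; nothing about the request
// lets an observer reproduce them.
printf("strong_code=%s again=%s\n", strong_code(), strong_code());
```

When reviewing a code base for this weakness, the thing to look for is any call to srand(), mt_srand() or rand() on a path that produces a secret (activation codes, MFA codes, password-reset tokens, session identifiers); a search such as `grep -rnE '\b(mt_)?srand\s*\(' --include='*.php' .` surfaces every seeding site, and each one feeding a security-relevant value should be replaced with random_int() or random_bytes().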

