# Exploit Title: wowondersocial user account hijacking # Exploit Author: Al-mamon rasool abdali hussain # Vendor Homepage: http://www.wowonder.com # Version: All # Tested on: linux the Vulnerability in login system that create predictable user id and send its over session when try to check user access the system will check using these session id in file assets/includes/functions_one.php line 86 the function ============================================================================ function Wo_CreateLoginSession($user_id = 0) { global $sqlConnect; if (empty($user_id)) { return false; } $time = strtotime("2 days ago"); $user_id = Wo_Secure($user_id); $hash = sha1(rand(111111111, 999999999)) . md5(microtime()) . rand(11111111, 99999999) . md5(rand(5555, 9999)); $query_one = mysqli_query($sqlConnect, "DELETE FROM " . T_APP_SESSIONS . " WHERE `user_id` = '{$user_id}' AND `platform` = 'web' AND `time` < $time"); $query_two = mysqli_query($sqlConnect, "DELETE FROM " . T_APP_SESSIONS . " WHERE `session_id` = '{$hash}'"); if ($query_two) { $query_three = mysqli_query($sqlConnect, "INSERT INTO " . T_APP_SESSIONS . " (`user_id`, `session_id`, `platform`, `time`) VALUES('{$user_id}', '{$hash}', 'web', " . time() . ")"); if ($query_three) { return $hash; } } } ============================================================================= the id is created in $hash = sha1(rand(111111111, 999999999)) . md5(microtime()) . rand(11111111, 99999999) . md5(rand(5555, 9999)); these id sent over session and also been stored as cookies used to verify the user identity in all the system the exploit is to use social engineering and make the target user login in specific time then do brute force for the rand values and already rand function has been exploited from long time and its value can be predicated in some cases