Get MySql details - WoWonder

Major vulnerability in WoWonder that allows user to download any server files.

Posted · 2,632 views · updated 4 years ago

1. What is WoWonder?

WoWonder is a leading PHP social network script that lets you start your own social network website. Currently it is one of the best-selling PHP scripts on Envato.


2. How did I hack it?

The WoWonder script can create an impressive social network. One of its features lets a user post a URL, and the script fetches the URL's details (link title, description and OG image), but all of this is done on the client side. Once you paste a URL, it fetches the details and inserts them into the form inputs. The OG image input holds the link to the OG image from the page's meta tag, and after submission the server downloads that image, saves it as a new file and displays the new file link. In other words, the server saves whatever value the client submits in that field.

So, I just changed the OG image value to './config.php'; this way it copied config.php to a new file on the server, and the extension was JPG. I could save the JPG file and read the MySQL details.
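As an added example (not WoWonder's own code), here is the weak pattern the post describes, sketched in the leading comment, beside a hardened OG-image fetcher that only accepts http(s) URLs to public hosts and only keeps the result if the bytes really are an image; the function and directory names are assumptions.

```php
<?php
// Added example, not WoWonder's code. The risky pattern described above is roughly:
//   $data = file_get_contents($_POST['og_image']);   // './config.php' reads a local file
//   file_put_contents('upload/' . uniqid() . '.jpg', $data);
// The hardened version below validates the URL before fetching, restricts the
// protocol, rejects private/loopback hosts, and checks the content type.

function fetch_og_image(string $url, string $dest_dir): ?string
{
    $parts = parse_url($url);
    // Relative paths such as './config.php' have no scheme or host: reject them.
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                     // no file://, php://, ftp:// and so on
    }
    // Resolve the host and refuse private, loopback and reserved ranges (SSRF).
    // gethostbyname() returns the name unchanged on failure, which filter_var rejects.
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
                   FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // never file://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect could point back at localhost
        // Pin the checked IP so a DNS answer that changes between our lookup and
        // curl's lookup (DNS rebinding) cannot bypass the range check above.
        CURLOPT_RESOLVE         => [$parts['host'] . ':' . ($parts['port'] ?? 443) . ':' . $ip],
        CURLOPT_MAXFILESIZE     => 5 * 1024 * 1024,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $data = curl_exec($ch);
    curl_close($ch);
    if ($data === false || $data === '') {
        return null;
    }
    // Choose the extension from the bytes actually received, not from the URL.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mime] ?? null;
    if ($ext === null) {
        return null;                     // PHP source or HTML is not an image: discard it
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // never reuse a client-chosen name
    file_put_contents(rtrim($dest_dir, '/') . '/' . $name, $data);
    return $name;
}
```

With this check in place a submitted value of './config.php' is rejected at the scheme check, and a URL that points at an internal host is rejected before any request is made.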


3. What next?

I reported it to the author, the issue was fixed in WoWonder v1.5, and I was rewarded. Lol!

This might have been fixed in WoWonder, but this kind of bug can be found on many websites. Keep exploring, but don't be evil :)

