As I suspected, the first batch of [X] is indeed the 'UUID' for the domain (much smaller than I originally thought) where the cookie is needed, and it is NOT randomized. Well, it cannot be, due to the browser needing to know where that cookie really came from among the millions of SMF users (catch my drift). Now, like a good WiFi device, I will shout creds until I'm heard...
THS 'UUID' = 3845
EZ 'UUID' = 22407
How these are distributed I don't know yet; one would think it's just numerical order, or it could well be randomly assigned. This matters not, just curious. Point is, short numerical code.
Now it gets interesting. The second batch of [X] is all about the user and seems to consist of 40 chars, ONLY lower case letters and numbers. So that may sound safe to you, right? Gotta love RNG etc. Well, it's not RNG(ed). SMF assigns this cookie content based on the time you have chosen to stay logged in; no, not like a random timestamp. I.e.:
If you check the box "always stay signed in", it will 'generate' the same cookie over and over, same 40 chars etc. Exactly the same if you choose X amount of minutes to stay logged in. Basically it assigns you one of 2 cookies; nothing is random, both are 'static' cookies, leaving room for many ways to exploit this. Now I am looking at how to change the content of said cookie. See, if this were password cracking and you knew you were compromised, change your pw and BAAM! HA, you can change all the creds you want; once you obtain this 40 char 'master-key', you've got persistence, baby. $Profit
Yours sincerely,
Gwyneth
EDIT: One solution/fix seems to be to delete your cookies completely and sign in with a newly allocated time. Logging out and in does not seem to change the cookie's value.
EDIT-2: Even this seems to be a flawed method. It all has something to do with the logout button's URL:
https://evilzone.org/logout/?d2d627p=4b613789a9ae67d9a5515878b4e1021oe3
So "d2d627p=4b613789a9ae67d9a5515878b4e1021oe3" somehow translates to "please reset/banish my cookie". If you, say, close the browser, uninstall said browser, use CCleaner, DBAN, then proceed to your storage medium with your weapon of choice, WITHOUT using the logout button, your cookie creds will remain the same and you can use them to log back in without a username or password. Thus leaving my first edit pretty false, but I'm getting there.
Now my next assumption is that "d2d627p=4b613789a9ae67d9a5515878b4e1021oe3" is a two-part obfuscation of:
1. Domain 'UUID' = "d2d627p"
2. PHPSESSID = "4b613789a9ae67d9a5515878b4e1021oe3"
Hence, when you sign in next, SMF knows to allocate you a "new cookie". In saying all that, may I remind you that SMF cares not about the PHPSESSID or timestamp at login, ONLY the 40 char string.
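The following is an added example, not part of the post above and not SMF's own code. It is a small Python model of the two behaviours the post describes so the persistence problem can be reproduced offline: `StaticTokenAuth` mirrors what the poster observes (one fixed 40-character token per user that ignores the chosen login duration, survives a password change and is rotated only by an explicit logout), and `SessionAuth` is my own assumption of what a hardened design looks like (a fresh random session per login, server-side expiry, and revocation of every session on password change or logout). The `<user_id>:<token>` cookie shape, the user id 42 and the passwords are constructed for the demo and do not come from the post.

```python
import hmac
import secrets
import time


class StaticTokenAuth:
    """'Before' model of what the post describes (not SMF's code): the cookie
    is "<user_id>:<token>" with one fixed token per user. Re-login returns the
    same token, the chosen duration is ignored, a password change leaves it
    alone, and only an explicit logout rotates it."""

    def __init__(self):
        self._users = {}  # user_id -> {"pw": str, "token": str}

    def register(self, user_id, password):
        # 40 lower-case hex chars, the same shape as the post's second batch
        self._users[user_id] = {"pw": password, "token": secrets.token_hex(20)}

    def login(self, user_id, password, minutes):
        if not hmac.compare_digest(self._users[user_id]["pw"], password):
            return None
        # `minutes` never feeds the token, so every login returns the same one
        return f"{user_id}:{self._users[user_id]['token']}"

    def is_valid(self, cookie):
        user_id, _, token = cookie.partition(":")
        u = self._users.get(int(user_id))
        return u is not None and hmac.compare_digest(u["token"], token)

    def change_password(self, user_id, new_password):
        self._users[user_id]["pw"] = new_password  # token survives this

    def logout(self, user_id):
        self._users[user_id]["token"] = secrets.token_hex(20)


class SessionAuth:
    """Hardened design (an assumption about what a fix looks like): each login
    mints a fresh random session, the cookie only names that session, sessions
    expire after the chosen duration, and a password change or logout revokes
    every session of the user server-side."""

    def __init__(self, now=time.time):
        self._users = {}     # user_id -> {"pw": str}
        self._sessions = {}  # token -> {"user_id": int, "expires": float}
        self._now = now      # injectable clock so expiry is testable offline

    def register(self, user_id, password):
        self._users[user_id] = {"pw": password}

    def login(self, user_id, password, minutes):
        if not hmac.compare_digest(self._users[user_id]["pw"], password):
            return None
        token = secrets.token_hex(20)  # 40 hex chars, new on every login
        self._sessions[token] = {"user_id": user_id, "expires": self._now() + minutes * 60}
        return f"{user_id}:{token}"

    def is_valid(self, cookie):
        user_id, _, token = cookie.partition(":")
        s = self._sessions.get(token)
        return (s is not None and s["user_id"] == int(user_id)
                and s["expires"] > self._now())

    def change_password(self, user_id, new_password):
        self._users[user_id]["pw"] = new_password
        self._revoke_all(user_id)

    def logout(self, user_id):
        self._revoke_all(user_id)

    def _revoke_all(self, user_id):
        for t in [t for t, s in self._sessions.items() if s["user_id"] == user_id]:
            del self._sessions[t]


def persistence_check(auth_cls):
    """Replay the post's scenario: log in twice with different durations, keep
    the first cookie, change the password, then try the kept cookie again.
    Returns (same_token_on_both_logins, kept_cookie_valid_after_pw_change)."""
    auth = auth_cls()
    auth.register(42, "hunter2")            # constructed user, not a real account
    c1 = auth.login(42, "hunter2", 60)      # "stay logged in for 60 minutes"
    c2 = auth.login(42, "hunter2", 525600)  # "always stay signed in"
    auth.change_password(42, "correct horse battery staple")
    return c1 == c2, auth.is_valid(c1)


def expiry_check():
    """Hardened store only: returns (valid_before_expiry, valid_after_expiry)."""
    clock = [1_700_000_000.0]
    auth = SessionAuth(now=lambda: clock[0])
    auth.register(42, "hunter2")
    c = auth.login(42, "hunter2", 30)
    alive = auth.is_valid(c)
    clock[0] += 31 * 60
    return alive, auth.is_valid(c)
```

`persistence_check(StaticTokenAuth)` returns `(True, True)`: both logins hand back the identical cookie and it still authenticates after the password change, which is exactly the "change all the creds you want" persistence the post is worried about. `persistence_check(SessionAuth)` returns `(False, False)` and `expiry_check()` returns `(True, False)`. The same three-step check (log in twice with different durations, change the password, replay the first cookie) is how you would confirm the behaviour against a real forum account you own before drawing conclusions from the cookie bytes alone.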