{"id":18001419,"url":"https://github.com/mgeeky/phishingpost","last_synced_at":"2025-07-05T06:34:07.856Z","repository":{"id":41380774,"uuid":"100035697","full_name":"mgeeky/PhishingPost","owner":"mgeeky","description":"PHP Script intended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML \u003cform\u003e action parameter","archived":false,"fork":false,"pushed_at":"2021-10-24T21:17:01.000Z","size":21,"stargazers_count":58,"open_issues_count":2,"forks_count":18,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-07T04:51:09.230Z","etag":null,"topics":["hacking","harvester","penetration","pentest","phishing","testing"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgeeky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-11T13:40:11.000Z","updated_at":"2025-01-25T05:13:00.000Z","dependencies_parsed_at":"2022-08-25T11:40:52.943Z","dependency_job_id":null,"html_url":"https://github.com/mgeeky/PhishingPost","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mgeeky/PhishingPost","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FPhishingPost","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FPhishingPost/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FPhishingPost/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FPhishingPost/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/owners/mgeeky","download_url":"https://codeload.github.com/mgeeky/PhishingPost/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FPhishingPost/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263697359,"owners_count":23497766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking","harvester","penetration","pentest","phishing","testing"],"created_at":"2024-10-29T23:17:25.645Z","updated_at":"2025-07-05T06:34:07.800Z","avatar_url":"https://github.com/mgeeky.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PhishingPost\n\nPHP Script intended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML `\u003cform\u003e` action parameter.\nThis script was originally developed in the following [gist](https://gist.github.com/mgeeky/32375178621a5920e8c810d2d7e3b2e5).\n\n---\n\n## Configuration\n\nFirstly, one has to apply this script in the backdoored form's `action` parameter, for instance like so:\n\n```\n\u003cform [...] action=\"/post.php\" [...]\u003e\n```\n\nThen, this script must be named `post.php` to get it working.\n\n#### Most important configuration parameters to set:\n\n- **`$harvest_filename`**\n        Filename for harvested data. 
For CSV logging method, the `.csv` extension will be appended.\n        Remember to keep the filename not guessable, to avoid forceful browsing against your own\n        phishing box!\n\n- **`$post_url`**\n        This is the target URL used for posting the form (the form's `action` attribute value).\n\n- **`$resend_post_data`**\n        Resend post data to the `$post_url` address?\n        If set to false, the user will simply be redirected to the `$redirect` address or, if that is empty, to the `$post_url` address.\n\n- **`$wrong_password_url`**\n        URL for \"wrong password\" message redirection (applicable only if `$password_retry` is set to more than 1). You can use here something like:\n    ```\n    '/login.html?wrong_pass=1' . (isset($_GET['redir']) ? '\u0026redir=' . $_GET['redir'] : '');\n    ```\n    Having a `login.html` as your phish login form saved to the HTML file, one can make the HTML\n    file know that it must display the _'wrong password'_ error message and also let the\n    backend script (this very file) know where to redirect the user after a couple of\n    login tries (`$password_retry`).\n    \n    **Notice**: If left empty, the page will simply be reloaded.\n\n- **`$redirect`**\n        Target address to redirect victim to after collecting his input data, in case of an **error** or \n        when `$resend_post_data = false`. In other words, if we don't want to transmit data to the\n        target (or we are unable to do so) this variable states where to redirect the user after grabbing his POST data.\n        \n    **Notice**:\n    You can dynamically overwrite this variable by using `$_GET['redir']`.\n    If you leave this empty (default), the script will use the `$post_url` value.\n\n\nOne can also specify something like this in his `action` parameter value:\n```\n\u003cform [...] 
action=\"/post.php?redir=https://TARGET.SITE/\u003c?php echo $_SERVER['REQUEST_URI'];?\u003e\"\u003e\n```\n\nThis makes PHP construct the GET `redir` parameter, which denotes where to move the user after he has submitted his credentials (_not to be confused with where to POST credentials after logging them_).\n\nThen this script could be configured as follows:\n```\n$redirect = \"\";\n$post_url = \"https://TARGET.SITE/LOGIN-FORM-ACTION\";\n```\n\nThe POST data collected from the phished form will then be transmitted to the `LOGIN-FORM-ACTION`, whereas the `$redirect` will take the value of `$_GET['redir']` and move the user to the same page as he came from upon some error or after stealing data and deciding not to transmit them along (`$resend_post_data = false`). This `$_GET['redir']` way is an example of creating the redirection address in a dynamic manner.\n\nWhen crafting the HTML login page, one can use the PHP session variable:\n\n```\n$_SESSION['phished_already']\n```\nto add forced redirection to the target site in his HTML files through the inline PHP code.\n\n---\n\n\n### How it works?\n\nHaving phished, for instance, the login form of the target website, this login form will have its action attribute changed to direct into this very script. Then, the script will collect the `$_POST` data and store them in a file (in a `print_r` format, `csv` list or both, depending on the `$log_format` setting). This script also takes care of issuing the warning message of having typed a wrong password (or rather of redirecting the user onto a file capable of displaying such a message, via the `$wrong_password_url` variable). Then, the script keeps the number of _wrong passwords_ typed in a session variable to detect whether a specific user has been phished already and should be redirected to the **target site** immediately (in order to prevent him looking at the webpage and inspecting it).\n\n\n---\n\n### Authors\n\n- Mariusz Banach / mgeeky\n- Jakub M. 
/ [unkn0w](https://github.com/unkn0w)\n\n---\n\n\n### Changelog\n\n - **v0.1** - init\n - **v0.2** - added metadata gathering\n - **v0.2.1** - unkn0w added redirection to faked 'wrong password' message\n - **v0.3** - added CSV reporting method\n - **v0.4** - unkn0w added redirection facility and improved nested POST arrays handling\n - **v0.5** - unkn0w added support for $post_url variable to support pages that have separate URLs for login form and login backend\n - **v0.5.1** - mgeeky: fixed issue with nested POST arrays by flattening them\n\n---\n\n### TODO:\n\n- Refactor the code to make it more readable and configurable\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2Fphishingpost","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgeeky%2Fphishingpost","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2Fphishingpost/lists"}