Man-Just-Left-of-MiddlePosted by Kos on 03/14/2010 at 8:48 am | Last modified: 11/08/2011 6:04 pm
XSS Phishing Attack Tool.
This README applies specifically to the PHP version of this script.
There is a Python version which acts the same, but has XML logging.
The Python version does not yet have the same options as the PHP version.
This is not an exploit tool, it’s more of a payload tool.
just stick this in there.
You’re pretty much set.
## What exactly this does…
- The page is loaded with the script inconspicuously place.
- Once the script is hit, the script will look at the HTTP REFERER
- With the HTTP REFERER in hand, it uses get_file_contents() to fetch the URL [all that is supported at this thime, cURL and Socket will be added later]
- Since the server doesn’t have the authentication that the user does (presumably) the server is prompted with a an unauthenticated page, which often contains a form to login.
- When you submit, it loads an image with the input fields as get parameters. sleep() is called (it sucks, gotta replace it.)
## A few things
allow_url_fopen = On
For now. I’ll add in suport for cURL and Socket later.
Proper HTTP Referers sent by the victim. If this is spoofed, or disabled, there will be odd results.
By default, the script will grab anything from $_POST and throw it in a file labeled “posts”
Create that file, make ir writeable, but non-readable. Right now there’s no functionality to
forward posts from the server spoofed page, but that will change in the future, and adding it
manually isn’t hard.
# Future plans
Expanded support for passing proper browser headers, instead of php headers.
cURL. Socket, because it’s probably faster.
Caching. (Save the page, then server that until X minutes/hours/days have passed, then recache it.)
# Anything else?
I suggest using .htaccess, or some other method, to slim down the URL.
|| RewriteRule ^a$ man-just-left-of-middle/thebiz.php
This will make http://ATTACKER.COM/a the script, and it will execute as normal, juts with a rewritten URL.
Will not work with URL redirection, because the HTTP referer is strippid.
Check the LICENSE file for licensing, GPLv2, etc etc.
WARNING: I have not completely bug tested this against vulns. I might have made a stupid mistake somewhere.
This is also doing some bandwidth intensive actoins (well, compared to none at all.)
Mileage may vary.
Kyle “Kos” Osborn