-
Notifications
You must be signed in to change notification settings - Fork 875
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Subdomain issue, DecodeSubdomain #24
Comments
It's replacing the target domain with the phishing domain, because it's actually what makes it work against most of the websites. it's a bit more than just a standard RP ;-) ... there are also few other tricks inside the code. Why are you setting these (usually they are not required to handle that type of fqdns)? Try removing them and run the tool: "targetResources": "abc.mytargetcdn.com", |
I need to replace referer header on requests cause I do referer check on cdn site for each request :) If I try removing the above two configs and try, I get 403 response code due to referer control. |
Hm, Referer header should be also automatically handled and sent as the target domain. -rules parameter currently only replaces content in HTTP response body
|
This is the log of cdn webserver that shows referer header is the still same and not replaced with target domain.. Referer info should be same with target domain info in this scenario to pass referer control in cdn side. x.x.x.x - - [16/Jan/2019:15:11:18 +0100] "GET /xxx/app/xx.js?v=fdfdf28 HTTP/1.1" 403 192 "https://mypishdom.com/" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "x.x.x.x" |
It seems like a bug. |
I see. No out is displayed when debug mod is on. ./dist/proxy -config myconf.json -debug |
You have to enable it in the JSON config. |
Attached log |
[Wed Jan 16 15:00:45 2019] DBG Patching request Referer [https://mytargetdom.com/] -> [https://mytargetdom.com/] All of the Referer headers seem to be set properly. |
There is no redirection configured at cdn and target domain side and there are some css files that are not displayed debug logs too. |
weird. I would need more info to understand the exact cause of this. if possible please PM your config and I will see what's going on. |
Sure I will. |
By the way, I could not see your email on your profile :) |
What I've realized that Issues are closed without being solved here.. |
please PM on twitter or paste your full config here. Currently there's no bug in the tool based on the what you have sent... |
Hi,
I have scenario that a cdn link with a different domain info is called while loading page, however cdndomain is replaced by target domain by modlishka while proxying..
And I do get following error message "WAR DecodeSubdomain [ wi] contains invalid characters : %!s(MISSING)" for the below config.
What I am doing wrong?
Thanks
{
"phishingDomain": "mypishdom.com",
"listeningPort": "443",
"listeningAddress": "111.1.1.111",
"target": "https://mytargetdom.com",
"targetResources": "abc.mytargetcdn.com",
"targetRules": "YWJjLm15dGFyZ2V0Y2RuLmNvbQ==:YWJjLm15cGlzaGRvbS5jb20=:", #base64(abc.mytargetcdn.com):base64(abc.mypishdom.com)
"terminateTriggers": "",
"terminateRedirectUrl": "",
"trackingCookie": "ident",
"trackingParam": "ident",
"useTls": true,
"jsRules":"",
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "my.log",
"plugins": "all",
"cert": "-----BEGIN CERTIFICATE-----\nMIID2zCCAsOgA..IBAgIJAODZ0tu5odBZZcJNQcw==\n-----END CERTIFICATE-----\n",
"certKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpA..KUba58QN64HHpAIeVJM5g==\n-----END RSA PRIVATE KEY-----\n",
"certPool": ""
}
I can see string replacement in html file source code of target site.
view-source:https://mypishdom.com/
however, app redirects related request to the target domain instead of original cdn domain.
[Wed Jan 16 11:00:03 2019] WAR DecodeSubdomain [ wi] contains invalid characters : %!s(MISSING)
2019/01/16 06:00:04 http: proxy error: dial tcp: lookup abc.mytargetdom.com on 8.8.8.8:53: no such host
The text was updated successfully, but these errors were encountered: