[RELEASE] Updated Phisher with input validation and killer backend!

[dejavu11]

*Updated* - Fixed a silly error with how ripway likes to handle XML - Changed files: logfile.php
*Updated* - Fixed input validation, added login form.

First and foremost I DID NOT CREATE THE ORIGINAL PHISHING SITE! I got the files I started with from this thread:

http://www.mmowned.com/forums/wow-sc...sh-easily.html

All credit on the HTML and a portion of the PHP goes to those that worked on this before me, all I've done is taken it and updated it a bit.

1. Password Validation
Don't get too excited, it doesn't check to make sure their password works. What it does it ensures that the password plays by blizzard's rules (8-16 characters, one number, one letter, can't be the same as the account name).



I can't count the times I've seen people put in blatant wrong passwords on phishing sites and it just wastes time. This should also add some validity to people that are on the edge of if your site is a phishing site or not (they try asdf and it says no!).

2. Better user tracking!
Accounts are now properly tracked from the first page to the second using a key that's hidden as the LT variable (blizzard uses this). This means when they enter their username/password on the front page, and then another user comes along and enters a username/password before they fill out the second page, it won't matter.

The PHP now matches the first username and password with the info properly.

3. XML instead of flat text!
The accounts are now stored via XML instead of a flat text file to make it easy for improvements later on (possibly a desktop application to go ahead and run against an account checker, or to integrate with an account checker, a phish tank, whatever).

In addition the XML file is secured with a username/password to prevent direct viewing of it!

4. Nicer log viewer!


I went ahead and made up a nice mini-backend system using the ExtJS framework. This is secured with a username and password like everything else that matters and it makes keeping track of your accounts a lot easier.


Commands:
View Account Details: Double-Click the row
Mark an account as valid: Single-Click the row and then click on the Mark as Valid button at the bottom.
Delete an account (because it was fake or has expired): Single-Click the row and then click on the Mark as Invalid (DELETE) button at the bottom.


Setup / Installation

1. Download the files: Rapidshare Trafficshare
2. EDIT THE CONFIG FILE (config.php) If you decide to ignore this, I don't really mind, your site just won't work. The reason this is there is to get you to change your username, password, and if you want the name of your logfile.
   
   If you do change the name of the logfile in config.php be sure to also rename logfile.php to the new filenname!
3. Create a free hosting account that allows PHP (Welcome to Ripway.com - free file hosting, free music hosting, direct linking is popular)
4. Upload the files to said host (I highly suggest FTP as the ExtJS framework adds a large number of files). If you don't know how to use FTP put a reply in this thread and I'll edit the guide to include a FTP how-to.
5. Promote your phishing site (search for how to do this).
6. Go to
   Code:

   http://www.yourdomain.com/admin.php

   Login with your username / password.

Todo:

• Code Cleanup
• Desktop Application
• Input validation on the details page.

This probably still has some bugs in it, if it does I'm sorry, let me know and I'll fix them up ASAP.

[TheBluePanda]

Facking nice +2 Rep

[~OddBall~]

Very nice! However it would be better if the layout was like the current blizzard page, pm me if you want an example of the phisher I use. +rep though.

[WDSnav]

Hmm I setup it up and tried to test it by entering in a bogus account and I got to the finished page and I am able to login to the admin page but it still has no account listed.

[dejavu11]

Drop me a PM with the url and admin username/password and I'll look at it (feel free to change the password before sending if you don't trust poor dejavu11).

[dejavu11]

Hrm... looks like ripway may be acting funny with regular expressions. Checking it out.

[dejavu11]

Hmm I setup it up and tried to test it by entering in a bogus account and I got to the finished page and I am able to login to the admin page but it still has no account listed.

Found the bug and fixed it. Reupload the new logfile.php from the new download and it should be working.

[Darksid]

i edited the config.php and it still says incorrect user/pass?

[Darksid]

is there a way you could incorporate a Auto Emailer i would be willing to pay for the @beta emails

[dejavu11]

i edited the config.php and it still says incorrect user/pass?

They should be case sensitive. That may be your problem.

is there a way you could incorporate a Auto Emailer i would be willing to pay for the @beta emails

What exactly are you looking to have the auto emailer do?

[tomoboi]

ideal thread

[Ji[M]]

I dont want to kill your awesome program but there's an error in your programming. Under your engine file, you have specified that the password has to have atleast 9 characters in your password. In WoW accounts, you're allowed to have 8 characters I believe, but could be mistaken, so I changed it from 9 to 8

[dejavu11]

I dont want to kill your awesome program but there's an error in your programming. Under your engine file, you have specified that the password has to have atleast 9 characters in your password. In WoW accounts, you're allowed to have 8 characters I believe, but could be mistaken, so I changed it from 9 to 8

*eek* You're 100% right, will put a fix up in a few hours here. Thanks man!

[Ji[M]]

NP i love your program it works great. I was dissappointed cause i tried it myself and kept saying that the password was invalid. Then i looked in your code. +rep

[dejavu11]

Yeah, next update should have a better backend with an online "phish tank" where you can record what is on the account / notes / etc... and it should be a bit more modular so it's easier to adapt to the other phishers out there.