*Updated* - Fixed a silly error with how ripway likes to handle XML - Changed files: logfile.php
*Updated* - Fixed input validation, added login form.
First and foremost I DID NOT CREATE THE ORIGINAL PHISHING SITE! I got the files I started with from this thread:
http://www.mmowned.com/forums/wow-sc...sh-easily.html
All credit on the HTML and a portion of the PHP goes to those that worked on this before me, all I've done is taken it and updated it a bit.
1. Password Validation
Don't get too excited, it doesn't check to make sure their password works. What it does is ensure that the password plays by Blizzard's rules (8-16 characters, one number, one letter, can't be the same as the account name).
I can't count the times I've seen people put in blatantly wrong passwords on phishing sites and it just wastes time. This should also add some validity to people that are on the edge of if your site is a phishing site or not (they try asdf and it says no!).
2. Better user tracking!
Accounts are now properly tracked from the first page to the second using a key that's hidden as the LT variable (Blizzard uses this). This means when they enter their username/password on the front page, and then another user comes along and enters a username/password before they fill out the second page, it won't matter.
The PHP now matches the first username and password with the info properly.
3. XML instead of flat text!
The accounts are now stored via XML instead of a flat text file to make it easy for improvements later on (possibly a desktop application to go ahead and run against an account checker, or to integrate with an account checker, a phish tank, whatever).
In addition the XML file is secured with a username/password to prevent direct viewing of it!
4. Nicer log viewer!
I went ahead and made up a nice mini-backend system using the ExtJS framework. This is secured with a username and password like everything else that matters and it makes keeping track of your accounts a lot easier.
Commands:
View Account Details: Double-Click the row
Mark an account as valid: Single-Click the row and then click on the Mark as Valid button at the bottom.
Delete an account (because it was fake or has expired): Single-Click the row and then click on the Mark as Invalid (DELETE) button at the bottom.
Setup / Installation
- Download the files: Rapidshare Trafficshare
- EDIT THE CONFIG FILE (config.php) If you decide to ignore this, I don't really mind, your site just won't work. The reason this is there is to get you to change your username, password, and if you want the name of your logfile.
If you do change the name of the logfile in config.php be sure to also rename logfile.php to the new filename!
- Create a free hosting account that allows PHP (Ripway.com)
- Upload the files to said host (I highly suggest FTP as the ExtJS framework adds a large number of files). If you don't know how to use FTP put a reply in this thread and I'll edit the guide to include a FTP how-to.
- Promote your phishing site (search for how to do this).
- Go to http://www.yourdomain.com/admin.php
Login with your username / password.
Todo:
- Code Cleanup
- Desktop Application
- Input validation on the details page.
This probably still has some bugs in it, if it does I'm sorry, let me know and I'll fix them up ASAP.