[bug] incorrect domain substitution with certain yaml configs about evilginx2 HOT 7 CLOSED

I amended open PR #59 to address this.

from evilginx2.

As mentioned in #57 this is intented behavior.
domain in the phishlet should be the same as the original domain of the phished website and it does not reflect its presence in the phishing hostname.

from evilginx2.

Ok thanks for the explanation. Could you give me an example of a sub_filter that targets ssl.xyz.phishdomain.com which is being proxied as ssl2.abc.phishdomain.com according to your example in #57?

from evilginx2.

You can proxy ssl.xyz.com as ssl2.phishdomain.com with this:

  - {phish_sub: 'ssl2', orig_sub: 'ssl', domain: 'xyz.com', session: false, is_landing: false}

Depends later how you set up the hostname for the phishlet.

from evilginx2.

Yes, I got that from your example in the other issue. I'm asking about sub_filter specifically.

Would it just be?:

sub_filters:
   -  {hostname: 'oath.abc.com', sub: 'ssl', domain: 'xyz.com', search: '{hostname}', replace: '{hostname}, mimes: ['...']}

And evilginx just knows the difference?
{hostname} in
search: ssl.xyz.com
replace: ssl2.abc.com

from evilginx2.

Yes, Evilginx will know the difference with {hostname} to look for ssl.xyz.com in HTML body and replace it with ssl2.phishdomain.com. It will then search and replace only on sites with domain oath.abc.com.

from evilginx2.

Right on, thanks. I'll go ahead and close. I'm lucky in this aspect since the ssl.xyz.com traffic happens in the background with JavaScript and not in the URL bar.

from evilginx2.