[PR #1152] Capture credentials in multipart/form-data #176

Open
opened 2026-02-26 02:31:30 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/kgretzky/evilginx2/pull/1152
Author: @callightmn
Created: 1/10/2025
Status: 🔄 Open

Base: master ← Head: feature/multipart


📝 Commits (2)

  • 5f0eb69 added capture of multipart post data (type: 'post/multipart')
  • 6bd9c26 added capability to proxy multipart file

📊 Changes

2 files changed (+201 additions, -46 deletions)


📝 core/http_proxy.go (+199 -44)
📝 core/phishlet.go (+2 -2)

📄 Description

This PR adds support to:

  • Capture credentials in multipart POST requests (with type: 'post/multipart' in credentials section)
  • Fix: Prevent conflicts between captured credentials of different types with the same name (matching the same regex/key)
  • Patch URL (from phishing to original)
  • Force parameters (with type: 'post/multipart' in force_post section)
  • Proxy incoming files (if any, even though it may not be useful in proxying login requests)

Capture creds:

Phishlet section:

credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post/multipart'
  password:
    key: 'code'
    search: '(.*)'
    type: 'post/multipart'

Request:

[image]

Evilginx:

[image]

NB: As said above, incoming phishing URLs will be converted to original/legitimate ones similarly to what is done for regular POST requests (application/x-www-form-urlencoded). Files (if any) are also proxied. The resulting Content-Length is computed by creating a new multipart body (with the same boundary).

Force parameters:

Phishlet section:

force_post:
   - path: '/api/signup.checkEmail'
     search:
     - {key: 'email', search: '.*'}
     force:
       - {key: 'email', value: 'test@test.com'}
     type: 'post/multipart'

Incoming request (sent by the browser to Evilginx through Burp):

[image]

Outgoing request (sent by Evilginx to the original site through Burp):

[image]

NB: Parameter names for files can be used as search key but the value will be ignored.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
