kgretzky / evilginx2

Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
BSD 3-Clause "New" or "Revised" License
10.72k stars 1.94k forks

Evilginx doesn't redirect to URL parameter set with get-url #124

Closed Lglaplante closed 5 years ago

Lglaplante commented 5 years ago

Evilginx doesn't redirect properly to links configured with get-url. Instead, it will redirect to the real page, but using the phishing domain.

Example:

I want the user to be redirected to a twitter profile after successful login

phishlets get-url twitter https://twitter.com/[user]

Link gets generated, sent to the victim, victim enters his credentials... but won't be redirected to the URL and instead the real twitter will be activated using the phishing domain (displayed url is your.phishing.hostname.yourdomain.com)

If I set an external link (ex: youtube.com) and then do

phishlets get-url twitter https://youtube.com
phishlets get-url twitter ""

A new link is generated, but the link redirects automatically to the specified url instead of displaying the login page. Is there something I'm missing or is it bad behavior?

kgretzky commented 5 years ago

What exactly do you want to achieve?

Lglaplante commented 5 years ago

Redirecting the victim on each successful login

Lglaplante commented 5 years ago

For example, if I do phishlets get-url twitter https://www.youtube.com/watch?v=dQw4w9WgXcQ

Well, the link will fail to actually redirect (evilginx logs will be spammed by [string]redirecting to https://www.youtube.com/watch?v=dQw4w9WgXcQ)

ztxq commented 5 years ago

Same issue with amazon. Any link you set with get-url for the amazon phishlet, it won't redirect to it. It tries to, but it doesn't redirect; it remains on the user's page after login, but the link in the browser is my own domain link for amazon.

Login and cookies are properly saved, though.

Lglaplante commented 5 years ago

Personally, with amazon, the phishlet just doesn't work. Whenever I try logging in, it redirects to the official login page and I can't do anything.

Vianns commented 5 years ago

Hello,

Same here. Wanted to test with the Facebook phishlet, and here's what I get:

https://i.gyazo.com/ff56086f430556fb3d50ee2133c241ee.png

With the "ERR_TOO_MANY_REDIRECTS" error message on Chrome.

kgretzky commented 5 years ago

Try not to set the redirect URL to the URL of the website you are running phishing on. It will constantly try to replace the original URL with the phishing one, creating an infinite loop.

This will be fixed in Evilginx 2.3, making the redirect trigger only once.

Wajahat-Ahmed-NED commented 1 year ago

Still facing the same problem.

ligmaSec commented 7 months ago

The problem still persists.

mon0-git commented 1 week ago

The problem is still there even 6 years later. I see that the correct redirect_url is returned to the browser from evilginx as a part of the dynamic redirect logic, but the browser doesn't go to this url and keeps working on the phishing domain.