2025-03-28 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
In this issue, the editor shows how to quickly build a phishing website based on JXWAF. The article is rich in content and analyses the topic from a professional point of view. I hope you gain something from reading it.
I. Preface
Some time ago, in order to strengthen internal security awareness, we needed to run a phishing email drill, so we quickly set up a phishing website with JXWAF and found that it worked well. I am sharing the approach here.
II. Rule configuration
First, suppose the attack scenario is to obtain employees' internal OA accounts, and the internal OA domain is oa.testing.com. The first step is then to register a domain, for example the look-alike phishing domain oa.testlng.com at Wanwang, and point it at the IP address of the phishing website.
For convenience, DVWA is used here as the OA for the demonstration.
First, let's analyse what distinguishes a successful login from a failed one.
Figure: response on login failure
Figure: response on login success
As shown in the figures, the difference between a failed and a successful login lies in the Location header of the response: on failure it points to login.php, on success to index.php. We use this as the distinguishing feature and set two rules, one to identify accounts whose login failed and one to identify accounts whose login succeeded. Of course, you could also set a single rule that records every account and password entered, without this level of detail.
With the analysis done, the next step is to deploy JXWAF and configure the rules. For deployment details see https://github.com/jx-sec/jxwaf. The rules are configured as follows:
Log in to JXWAF and, under custom rule groups, create a new rule group "phishing special rules".
First, set the first rule (not recommended): record the account and password regardless of whether the login succeeded or failed. This is common practice for phishing sites, which have no user database of their own and therefore cannot tell the two cases apart. The rule is configured as follows and is relatively simple.
The results are as follows:
Set the second rule, which records the account only when username/password verification fails (the rule is given directly, without a screenshot):
{
  "rule_action": "deny",
  "rule_category": "other",
  "rule_update_category": "resp",
  "rule_log": "true",
  "rule_serverity": "high",
  "rule_matchs": [
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "RESP_HEADERS", "rule_specific": ["Location"]}
      ],
      "rule_operator": "rx",
      "rule_pattern": "login.php$",
      "rule_negated": false
    },
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "REQUEST_METHOD"}
      ],
      "rule_operator": "rx",
      "rule_pattern": "POST",
      "rule_negated": false
    },
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "URI"}
      ],
      "rule_operator": "rx",
      "rule_pattern": "login.php$",
      "rule_negated": false
    }
  ],
  "rule_id": "10011",
  "rule_detail": "record user login failed account password"
}
The results are as follows:
Set the third rule, which records the account only when username/password verification succeeds (the rule is given directly, without a screenshot):
{
  "rule_action": "deny",
  "rule_category": "other",
  "rule_update_category": "resp",
  "rule_log": "true",
  "rule_serverity": "high",
  "rule_matchs": [
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "RESP_HEADERS", "rule_specific": ["Location"]}
      ],
      "rule_operator": "rx",
      "rule_pattern": "index.php$",
      "rule_negated": "false"
    },
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "REQUEST_METHOD"}
      ],
      "rule_operator": "rx",
      "rule_pattern": "POST",
      "rule_negated": "false"
    },
    {
      "rule_transform": ["none"],
      "rule_vars": [
        {"rule_var": "URI"}
      ],
      "rule_operator": "rx",
      "rule_pattern": "login.php$",
      "rule_negated": "false"
    }
  ],
  "rule_id": "10012",
  "rule_detail": "record the password of a user's successful login account"
}
The results are as follows:
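Before relying on rules 10011 and 10012 in a drill, it is worth checking that they really are mutually exclusive on the Location header the post identifies. The following is an added example, not code from this post or from the JXWAF project: it re-implements a simplified version of the rule-match semantics in Python and runs both rules over constructed login transactions. The AND-of-all-matches semantics, "rx" as a regex search, rule_negated as an inverter, and the transaction dict layout are assumptions.

```python
import re
# Simplified JXWAF-style matching (assumed semantics: all rule_matchs must hit,
# "rx" is a regex search, rule_negated inverts one match).
def make_rule(rule_id, detail, location_pattern):
    return {
        "rule_id": rule_id, "rule_detail": detail, "rule_update_category": "resp",
        "rule_matchs": [
            {"rule_vars": [{"rule_var": "RESP_HEADERS", "rule_specific": ["Location"]}],
             "rule_operator": "rx", "rule_pattern": location_pattern, "rule_negated": False},
            {"rule_vars": [{"rule_var": "REQUEST_METHOD"}],
             "rule_operator": "rx", "rule_pattern": "POST", "rule_negated": False},
            {"rule_vars": [{"rule_var": "URI"}],
             "rule_operator": "rx", "rule_pattern": "login.php$", "rule_negated": False},
        ],
    }

RULES = [  # the post's rules 10011 and 10012
    make_rule("10011", "record user login failed account password", "login.php$"),
    make_rule("10012", "record the password of a user's successful login account", "index.php$"),
]

def var_values(var, tx):
    """Resolve one rule_vars entry; RESP_HEADERS is a dict, rule_specific picks headers."""
    value = tx.get(var["rule_var"])
    if isinstance(value, dict):
        names = var.get("rule_specific") or list(value)
        return [value[n] for n in names if n in value]
    return [value] if value is not None else []

def match_one(match, tx):
    """True when this match entry fires for the transaction."""
    hit = any(re.search(match["rule_pattern"], v)
              for var in match["rule_vars"] for v in var_values(var, tx))
    # rule_negated appears both as a bool and as the string "false" in the post
    negated = str(match.get("rule_negated", False)).lower() == "true"
    return hit != negated

def matching_rule_ids(tx, rules=RULES):
    """Ids of the response-phase rules whose every match fires for tx."""
    return [r["rule_id"] for r in rules
            if r["rule_update_category"] == "resp"
            and all(match_one(m, tx) for m in r["rule_matchs"])]

# Constructed transactions mirroring the DVWA behaviour described in the post
FAILED_LOGIN = {"REQUEST_METHOD": "POST", "URI": "/login.php",
                "RESP_HEADERS": {"Location": "http://oa.testing.com/login.php"}}
OK_LOGIN = {"REQUEST_METHOD": "POST", "URI": "/login.php",
            "RESP_HEADERS": {"Location": "http://oa.testing.com/index.php"}}
PAGE_GET = {"REQUEST_METHOD": "GET", "URI": "/login.php", "RESP_HEADERS": {}}
```

A plain GET of the login page fires neither rule, which is the behaviour you want so that only actual form submissions are logged.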
The above is how to quickly build a phishing website based on JXWAF, as shared by the editor. If you have similar questions, you may refer to the analysis above. If you want to learn more, you are welcome to follow the industry information channel.