htr-tech/zphisher

★ 16,324 · HTML · GPL-3.0 · updated Aug 2024

An automated phishing tool with 30+ templates. This Tool is made for educational purpose only ! Author will not be responsible for any misuse of this toolkit !

Zphisher is a Bash script that hosts cloned login pages for 30+ platforms (Facebook, Google, Discord, etc.) and captures submitted credentials via a local PHP server, optionally tunneled through Cloudflare or LocalXpose. It's aimed at people who want a phishing kit without writing one themselves. The 16k stars are from script-kiddie demand, not technical merit.

- Wide template coverage — 30+ sites including less-common targets like Roblox, TikTok, and PlayStation, which saves setup time in authorized phishing simulations

- Tunneling support (Cloudflared, LocalXpose) means you can run it on Termux or a local machine without a public IP, which is genuinely useful for controlled red team demos

- Docker image available, so it can be spun up and torn down cleanly in an isolated environment without polluting the host

- The login page clones are static HTML snapshots that go stale — modern sites change their auth flows constantly, and several templates are already broken or visually outdated

- No logging, reporting, or session management beyond dumping credentials to a flat file; useless for anything resembling a real security assessment that needs evidence

- Zero defenses against being caught: no HTTPS by default on the capture server, no randomized paths, no rate limiting — any spam filter or DNS inspection will flag it immediately

- Last pushed August 2024, and the repo shows no sign of systematic maintenance; issues pile up, PRs from contributors sit unreviewed, and the 'educational purposes only' disclaimer is the author's liability shield, not a usage policy
