// the find
htr-tech/zphisher
An automated phishing tool with 30+ templates. This tool is made for educational purposes only! Author will not be responsible for any misuse of this toolkit!
Zphisher is a Bash script that hosts cloned login pages for 30+ platforms (Facebook, Google, Discord, etc.) and captures submitted credentials via a local PHP server, optionally tunneled through Cloudflare or LocalXpose. It's aimed at people who want a phishing kit without writing one themselves. The 16k stars are from script-kiddie demand, not technical merit.
- Wide template coverage — 30+ sites including less-common targets like Roblox, TikTok, and PlayStation, which saves setup time in authorized phishing simulations
- Tunneling support (Cloudflared, LocalXpose) means you can run it on Termux or a local machine without a public IP, which is genuinely useful for controlled red team demos
- Docker image available, so it can be spun up and torn down cleanly in an isolated environment without polluting the host
- The login page clones are static HTML snapshots that go stale — modern sites change their auth flows constantly, and several templates are already broken or visually outdated
- No logging, reporting, or session management beyond dumping credentials to a flat file; useless for anything resembling a real security assessment that needs evidence
- Zero defenses against being caught: no HTTPS by default on the capture server, no randomized paths, no rate limiting — any spam filter or DNS inspection will flag it immediately
- Last pushed August 2024, and the repo shows no sign of systematic maintenance; issues pile up, PRs from contributors sit unreviewed, and the 'educational purposes only' disclaimer is the author's liability shield, not a usage policy
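For the defensive side of the DNS-inspection point above, here is an added example (not code from the reviewed repository or from this page's author) that scans a constructed resolver log for lookups of tunnel hostnames and groups them by client. The log format and the two suffixes, trycloudflare.com and loclx.io, are assumptions that do not appear on this page.

```python
from collections import defaultdict

# Assumed shared hostnames for the two tunnel providers the review names.
# These suffixes are assumptions; they are not stated on the reviewed page.
TUNNEL_SUFFIXES = {
    "trycloudflare.com": "Cloudflare quick tunnel",
    "loclx.io": "LocalXpose",
}

# Constructed resolver log: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2024-08-14T09:12:03Z 10.0.4.17 A www.example.com.
2024-08-14T09:12:41Z 10.0.4.17 A Sample-Words-Here.TryCloudflare.com.
2024-08-14T09:13:02Z 10.0.4.22 AAAA nottrycloudflare.com.
2024-08-14T09:15:10Z 10.0.4.22 A abc123.loclx.io
2024-08-14T09:15:44Z 10.0.4.17 A sample-words-here.trycloudflare.com
malformed line
2024-08-14T09:16:00Z 10.0.4.30 A trycloudflare.com.lookalike.example.
"""

def match_tunnel(qname):
    """Return the provider label if qname is a subdomain of a tunnel suffix."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    for suffix, provider in TUNNEL_SUFFIXES.items():
        # Match on a label boundary so look-alike names are not flagged.
        if name.endswith("." + suffix):
            return provider
    return None

def find_tunnel_lookups(log_text):
    """Map client -> host -> {provider, first_seen, count} for tunnel lookups."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed format
            continue
        ts, client, _qtype, qname = fields
        provider = match_tunnel(qname)
        if provider is None:
            continue
        host = qname.rstrip(".").lower()
        entry = hits[client].setdefault(
            host, {"provider": provider, "first_seen": ts, "count": 0})
        entry["count"] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, hosts in find_tunnel_lookups(SAMPLE_LOG).items():
        for host, info in hosts.items():
            print(client, host, info["provider"], info["first_seen"], info["count"])
```

A hit only shows that a client resolved a tunnel hostname; these services also have legitimate uses, so treat the output as a triage list.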