Ability to send captured sessions to gophish (needs gophish update)

[callightmn]

Hello there,

By default, Evilginx does not send session information to Gophish. This is on purpose not to expose credentials and keep them in Evilginx only. Nevertheless, having credentials readily available in Gophish could be a nice feature to have, provided Gophish's admin interface is properly secured (with a firewall for instance).

The main (second) commit introduces the ability to send captured sessions to Gophish via a config flag (config gophish sessions). This is an opt-in feature to keep the default behavior, which does not expose credentials and keeps them in Evilginx only.

NB: This update requires the ability for Gophish to receive session information (see kgretzky/gophish#3).

Default behavior (or after config gophish sessions false in Evilginx' terminal):

After config gophish sessions true in Evilginx' terminal:

The feature takes into account all three types of credentials (username, password and custom) and all three types of auth_tokens (cookies, body and HTTP tokens).

---

The first commit contains two fixes regarding request interception and HTTP token capture.

Request interception:

The value of req.Host contains the legitimate remote host and not the phishing host anymore after commit e3bef9433c3cc95d3e523533e498c834506739f0 enabling the capture of credentials in intercepted requests. The comparison fails and the request is not intercepted.

HTTP token capture:

The header should be captured from the response (resp.Header) and not the request (resp.Request.Header). The check should not be performed on every endpoint, but taking into account the domain and path specified in the phishlet (v.domain and v.path).

[callightmn]

Closed as already done by #1081.