doifans-dl is a Python command-line tool that downloads videos from doifans.vip, a content platform. The README describes doifans.vip as a pirated clone of OnlyFans built on an open-source platform called Sponzy. The tool works by exploiting multiple security vulnerabilities in that platform.

The download process follows five steps as described in the README:

1. The first step forges a fake payment confirmation at the platform's Stripe webhook endpoint, which has no signature verification, to add credit to a wallet.
2. The second step uses a specific HTTP header to bypass a login restriction.
3. The third uses the wallet credit to purchase a subscription to any creator's page.
4. The fourth scrapes video URLs from the creator's page.
5. The fifth downloads the videos directly, since the platform serves video files without any authentication check.

Installation requires Python 3.10 or later and a network proxy if the site is blocked in your region. The tool includes built-in credentials and does not require creating an account. The command-line interface accepts a creator's username along with optional arguments for the output directory and whether to list video URLs as JSON rather than download files. Already-downloaded files are skipped on subsequent runs.

The README also lists additional security vulnerabilities the authors found in the platform but did not use in this tool, including a debug mode that exposes source code, a publicly readable log file containing password hashes and user emails, and a free-subscription bypass via a trailing slash in the URL.

The disclaimer at the end states the project is for educational and authorized security research purposes only.
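The whole chain starts from a webhook endpoint that accepts unsigned requests. As an added example (not code from doifans-dl, Sponzy or the README), the following shows the check such an endpoint is missing, following Stripe's documented `Stripe-Signature` scheme. The function names, the 300-second tolerance and the sample secret and body are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; tune to your deployment


class WebhookRejected(Exception):
    """The request must not be treated as a payment event."""


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    # Stripe's v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>".
    signed = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    # Header looks like "t=1700000000,v1=<hex>[,v1=<hex>...]".
    timestamp, signatures = None, []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key == "t":
            timestamp = value
        elif sep and key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(raw_body: bytes, header, secret: str, now=None) -> bool:
    if not header:
        raise WebhookRejected("missing Stripe-Signature header")
    timestamp, signatures = parse_signature_header(header)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()):
        raise WebhookRejected("malformed timestamp")
    if not signatures:
        raise WebhookRejected("no v1 signature present")
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance (possible replay)")
    expected = compute_signature(secret, timestamp, raw_body).encode()
    # Constant-time comparison; accept if any listed v1 value matches.
    if not any(hmac.compare_digest(expected, s.encode()) for s in signatures):
        raise WebhookRejected("signature mismatch")
    return True


if __name__ == "__main__":
    secret = "whsec_constructed_example"  # constructed placeholder secret
    body = b'{"type":"constructed.sample.event"}'  # constructed sample body
    ts = str(int(time.time()))
    header = f"t={ts},v1={compute_signature(secret, ts, body)}"
    print(verify_webhook(body, header, secret))
```

The check must run on the raw request bytes before any JSON parsing, and wallet credit should only be applied after it returns.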