forked from as0ler/BinaryCookieReader
-
Notifications
You must be signed in to change notification settings - Fork 0
/
BinaryCookieReader.py
131 lines (103 loc) · 5.54 KB
/
BinaryCookieReader.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#*******************************************************************************#
# BinaryCookieReader: Written By Satishb3 (http://www.securitylearn.net) #
# #
# For any bug fixes contact me: [email protected] #
# #
# Usage: Python BinaryCookieReader.py Cookie.Binarycookies-FilePath #
# #
# Safari browser and iOS applications store the persistent cookies in a binary #
# file names Cookies.binarycookies.BinaryCookieReader is used to dump all the #
# cookies from the binary Cookies.binarycookies file. #
# #
#*******************************************************************************#
import io
import sys
from struct import unpack
from time import strftime, gmtime
if len(sys.argv)!=2:
print("\nUsage: Python BinaryCookieReader.py [Full path to Cookies.binarycookies file] \n")
print("Example: Python BinaryCookieReader.py C:\Cookies.binarycookies")
sys.exit(0)
FilePath=sys.argv[1]
try:
binary_file=open(FilePath,'rb')
except IOError as e:
print('File Not Found :'+ FilePath)
sys.exit(0)
file_header=binary_file.read(4) #File Magic String:cook
if str(file_header)!='b\'cook\'':
print("Not a Cookies.binarycookie file")
sys.exit(0)
num_pages=unpack('>i',binary_file.read(4))[0] #Number of pages in the binary file: 4 bytes
page_sizes=[]
for np in range(num_pages):
page_sizes.append(unpack('>i',binary_file.read(4))[0]) #Each page size: 4 bytes*number of pages
pages=[]
for ps in page_sizes:
pages.append(binary_file.read(ps)) #Grab individual pages and each page will contain >= one cookie
print("#*************************************************************************#")
print("# BinaryCookieReader: developed by Satishb3: http://www.securitylearn.net #")
print("#*************************************************************************#")
for page in pages:
page=io.BytesIO(page) #Converts the string to a file. So that we can use read/write operations easily.
page.read(4) #page header: 4 bytes: Always 00000100
num_cookies=unpack('<i',page.read(4))[0] #Number of cookies in each page, first 4 bytes after the page header in every page.
cookie_offsets=[]
for nc in range(num_cookies):
cookie_offsets.append(unpack('<i',page.read(4))[0]) #Every page contains >= one cookie. Fetch cookie starting point from page starting byte
page.read(4) #end of page header: Always 00000000
cookie=''
for offset in cookie_offsets:
page.seek(offset) #Move the page pointer to the cookie starting point
cookiesize=unpack('<i',page.read(4))[0] #fetch cookie size
cookie=io.BytesIO(page.read(cookiesize)) #read the complete cookie
cookie.read(4) #unknown
flags=unpack('<i',cookie.read(4))[0] #Cookie flags: 1=secure, 4=httponly, 5=secure+httponly
cookie_flags=''
if flags==0:
cookie_flags=''
elif flags==1:
cookie_flags='Secure'
elif flags==4:
cookie_flags='HttpOnly'
elif flags==5:
cookie_flags='Secure; HttpOnly'
else:
cookie_flags='Unknown'
cookie.read(4) #unknown
urloffset=unpack('<i',cookie.read(4))[0] #cookie domain offset from cookie starting point
nameoffset=unpack('<i',cookie.read(4))[0] #cookie name offset from cookie starting point
pathoffset=unpack('<i',cookie.read(4))[0] #cookie path offset from cookie starting point
valueoffset=unpack('<i',cookie.read(4))[0] #cookie value offset from cookie starting point
endofcookie=cookie.read(8) #end of cookie
expiry_date_epoch= unpack('<d',cookie.read(8))[0]+978307200 #Expiry date is in Mac epoch format: Starts from 1/Jan/2001
expiry_date=strftime("%a, %d %b %Y ",gmtime(expiry_date_epoch))[:-1] #978307200 is unix epoch of 1/Jan/2001 //[:-1] strips the last space
create_date_epoch=unpack('<d',cookie.read(8))[0]+978307200 #Cookies creation time
create_date=strftime("%a, %d %b %Y ",gmtime(create_date_epoch))[:-1]
#print(create_date)
cookie.seek(urloffset-4) #fetch domaain value from url offset
url=''
u=cookie.read(1)
while unpack('<b',u)[0]!=0:
url=url+str(u.decode('utf-8'))
u=cookie.read(1)
cookie.seek(nameoffset-4) #fetch cookie name from name offset
name=''
n=cookie.read(1)
while unpack('<b',n)[0]!=0:
name=name+str(n.decode('utf-8'))
n=cookie.read(1)
cookie.seek(pathoffset-4) #fetch cookie path from path offset
path=''
pa=cookie.read(1)
while unpack('<b',pa)[0]!=0:
path=path+str(pa.decode('utf-8'))
pa=cookie.read(1)
cookie.seek(valueoffset-4) #fetch cookie value from value offset
value=''
va=cookie.read(1)
while unpack('<b',va)[0]!=0:
value=value+str(va.decode('utf-8'))
va=cookie.read(1)
print('Cookie : '+name+'\nValue='+value+'\ndomain='+url+'\npath='+path+'\n'+'expires='+expiry_date+'\n'+cookie_flags+'\n\n')
binary_file.close()