HttpOnly 是 Cookie 的一个属性,用于防止客户端脚本通过 document.cookie 访问 Cookie。但 Cookie 毕竟是一种本地存储机制:全部记录都保存在浏览器配置目录下的指定文件中(SQLite 格式,其中 Cookie 值用 AES-GCM 加密,密钥保存在 Local State 文件里并用 Windows DPAPI 保护)。只要在写入该文件的同一个 Windows 用户账户下运行(无需管理员权限),就能解出密钥并解密此文件,从而获取包括 HttpOnly 在内的全部 Cookie——换言之,HttpOnly 只能防御页面内脚本,防不了本机同一用户下运行的进程。
代码以 WebView2(EBWebView 用户数据目录)为例;Chrome 和 Microsoft Edge(Chromium 内核)的 Cookie 文件采用同样的格式,只需把用户数据目录换成对应浏览器的即可(注意:若新版本浏览器改用了其他密钥保护方式,此方法可能不再适用)。
import win.ui;
import crypt;
import crypt.protectData;
import web.json;
import py3;
import sqlite;
// Designer-generated form definition (aardio form designer region): a button that
// triggers the cookie dump and a "custom" control that hosts the embedded browser.
// Edit this region with the designer rather than by hand.
/*DSG{{*/
mainForm = win.form(text="COOKIE抓取";right=523;bottom=541)
mainForm.add(
btnCookie={cls="button";text="从数据文件解析Cookies";left=134;top=8;right=366;bottom=42;z=2};
custom={cls="custom";text="自定义控件";left=25;top=49;right=494;bottom=528;z=1}
)
/*}}*/
import web.view;
// Embed a WebView2 in the custom control. getCookie() later reads the cookie store
// from "EBWebView" under the working directory, so the profile this view writes to is
// expected to be that folder — only cookies of the session performed in this window are captured.
var wb = web.view(mainForm.custom,"/");
// Open the login page; the user logs in interactively, which populates the Cookies database.
wb.go("https://passport.baidu.com/")
// NOTE(review): presumably blocks until navigation completes ("" = no URL filter) — confirm wait() semantics.
wb.wait("");
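getCookie = function(){
    // Decrypt the cookies that the embedded WebView2 profile ("EBWebView" under the
    // working directory) stored for passport.baidu.com and return them as a table
    // keyed by cookie name.
    //
    // Why this works: the cookie values are AES-GCM encrypted with a key kept in
    // "Local State", and that key is itself protected with Windows DPAPI. DPAPI
    // unprotection succeeds for a process running as the same Windows account that
    // wrote the profile (no elevation needed) and fails for everyone else. The
    // values returned are live session credentials: treat them as secrets.
    //
    // Returns: table { [cookie name] = plaintext value }.
    // Raises : error() when "Local State" or the key blob is not in the expected
    //          format; sqlite/py3 errors propagate unchanged.
    var userDataPath = io.curDir() ++ "EBWebView\"

    // 1. Read os_crypt.encrypted_key from "Local State" (JSON). Opened read-only
    //    (the original "r+" needlessly requested write access to the browser
    //    profile) and closed as soon as it has been read.
    var ekeyFile = io.open(userDataPath ++ "Local State","rb");
    if( !ekeyFile ) {
        error("cannot open " ++ userDataPath ++ "Local State");
    }
    var ekeyJson = ekeyFile.read();
    ekeyFile.close();
    var ekeyArr = web.json.parse( ekeyJson );
    var osCrypt = ekeyArr ? ekeyArr.os_crypt : null;
    var base64_encrypted_key = osCrypt ? osCrypt.encrypted_key : null;
    if( !base64_encrypted_key ) {
        error("Local State has no os_crypt.encrypted_key");
    }

    // 2. base64-decode, drop the 5-byte "DPAPI" marker, DPAPI-unprotect -> raw
    //    AES-GCM key. The marker is verified and removed by length: the original
    //    string.trimleft(..., "DPAPI") treats its argument as a character set and
    //    would also strip a following byte that happens to be D, P, A or I.
    var encrypted_key_with_header = crypt.decodeBin(base64_encrypted_key);
    if( string.left(encrypted_key_with_header, 5) != "DPAPI" ) {
        error("encrypted_key does not start with the DPAPI marker");
    }
    var encrypted_key = string.right(encrypted_key_with_header, #encrypted_key_with_header - 5);
    // NOTE(review): the second argument presumably selects DPAPI scope (user vs
    // machine) — confirm against crypt.protectData's documentation.
    var key = crypt.protectData.decrypt(encrypted_key,false);

    // 3. AES-GCM decryption is done in Python (no AES-GCM primitive found in aardio).
    //    The Python source must stay at column 0 — it is exec'd verbatim.
    pyCode = /**
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
def DecryptString(key, data):
    # NOTE(review): an empty encrypted_value appears to mean an empty cookie
    # value rather than ciphertext -- confirm against the cookie store format.
    if not data:
        return ''
    # "v10" layout: 3-byte version tag, 12-byte nonce, ciphertext + 16-byte GCM tag.
    # Any other prefix (an unencrypted legacy value, or a newer key scheme) would only
    # surface as a misleading InvalidTag, so reject it with a clear message instead.
    if data[:3] != b'v10':
        raise ValueError('unsupported cookie value prefix: %r' % (data[:3],))
    nonce, cipherbytes = data[3:15], data[15:]
    plainbytes = AESGCM(key).decrypt(nonce, cipherbytes, None)
    return plainbytes.decode('utf-8')
**/
    py3.exec(pyCode)

    // 4. Pull the encrypted values out of the SQLite cookie store.
    //    Caveats: host_key LIKE '%passport.baidu.com' also matches parent-domain
    //    rows such as ".passport.baidu.com", and cookies sharing a name across those
    //    hosts/paths overwrite each other here (last row wins) — key the table by
    //    host_key/path too if that matters. A running WebView may hold the file
    //    locked; if opening fails, copy it to a temp file and open the copy.
    var db = sqlite(userDataPath ++ "Default\Network\Cookies");
    var result = {};
    var sqlStr = /*
select name,encrypted_value from cookies where host_key like '%passport.baidu.com'
*/
    for name,encrypted_value in db.each(sqlStr) {
        result[name] = tostring(py3.main.DecryptString(key,encrypted_value));
    }
    db.close();
    return result;
}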
mainForm.btnCookie.oncommand = function(id,event){
    // Button handler: decrypt the stored cookies and show the result in a message box.
    // The box displays live session cookies — acceptable for a demo, but not something
    // to leave in a shipped tool.
    var cookies = getCookie();
    mainForm.msgbox( cookies );
}
// Show the window and run the message loop until it is closed.
mainForm.show();
win.loopMessage();