Sunday, 21 April 2013

Getting a file out of your squid cache

I suppose there are tools out there to do this, maybe even squidclient can do it, but hey... doing it with a script is always more fun, and learning how squid does things is great, so...

The first thing we must do is identify our target. If I wanted to get the Android Quadrant Standard apk file out of my squid cache, I should first look for it in my /var/log/squid/store.log* (I'm assuming Debian paths, as always). As a hint, if you are looking for Android apks you should be looking for application/ (which is the mime type they use). You should find something like this:

    1366393264.443 SWAPOUT 00 00009545 29D0FF2BA5A2F31424F3C49102C91657 200 1366364657 1339281848 2147368447 application/ 1452291/1452291 GET

The third field is the cache_dir number and the fourth one is the file number under which squid stored the content it cached. With the default cache_dir layout (16 first-level by 256 second-level directories) the path of that file is /var/spool/squid/<second byte of the number>/<third byte of the number>/<number>, in this case:

    /var/spool/squid/00/95/00009545

(If you set different L1/L2 values on your cache_dir line the directories are computed differently and you will have to adapt the path.)

But you won't even need to compute that, just take that fourth field (yes, that weird number) and type it into this little script:

    read filename
    file="/var/spool/squid/${filename:2:2}/${filename:4:2}/$filename"
    file_length=$(stat -c %s "$file")
    content_length=$(head "$file" | sed -n "s/Content-Length: \(.*\)\r$/\1/p")
    dd if="$file" bs=$(($file_length-$content_length)) skip=1 of=/tmp/wanted.apk

and you'll get the file you wanted at /tmp/wanted.apk. The script can be written on one line, separating the commands with semicolons, if you want to have it as an alias or whatever; I just split it into lines to make it more readable on the web.

The logic of the script builds the full pathname of the cache file from the file number you type (followed by return) on its input, then gets the size of that squid file and the content length (which is the length of the apk) from the HTTP header stored in the squid file, then uses these two values to compute the length of the squid header (swap metadata plus HTTP reply header) and skips it with dd, copying the rest to /tmp/wanted.apk. Note that this only works when the object is complete on disk and the stored reply carries a Content-Length header: with a partially stored object the computed header length is wrong, and without a Content-Length the arithmetic has nothing to work with.

BTW... you may be wondering why the \r$ in the sed expression... yes, there is a \r at the end of the Content-Length line: HTTP header lines end in CRLF and squid stores the reply headers as they came off the wire, so each header line ends with a \r before the \n.

That's it!
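As an added example (my code, not from the post), here is a more careful version of the same procedure as a bash script: it finds SWAPOUT entries for a content type in store.log, maps the file number to its path, reads the Content-Length from the stored reply header and carves the body out with dd, but first checks that the cut lands right after the CRLFCRLF that ends the HTTP header, so a partially stored object is reported instead of silently mis-cut. The cache and log paths, the 16/256 directory layout and the constructed store.log line and swap file used by the self-test are assumptions, not squid's real on-disk format.

```bash
#!/bin/bash
# Added example, not part of the original post: look up a cached object in
# store.log and carve it out of squid's on-disk swap file by stripping the
# swap metadata and the HTTP reply header that sit in front of the body.
#
# Assumptions (mine, not stated on the page): Debian paths, the default
# "cache_dir ufs ... 16 256" layout, bash and GNU-compatible coreutils.

CACHE_DIR="${CACHE_DIR:-/var/spool/squid}"
STORE_LOG="${STORE_LOG:-/var/log/squid/store.log}"

# Print "fileno size method url" for every SWAPOUT whose content type
# (field 10 of store.log) starts with the given prefix, e.g. application/.
find_swapouts() {
    local log="$1" prefix="$2"
    awk -v p="$prefix" '$2 == "SWAPOUT" && index($10, p) == 1 { print $4, $11, $12, $13 }' "$log"
}

# Map a store.log file number (e.g. 00009545) to its path: as in the post,
# hex digits 3-4 and 5-6 of the number are the two directory levels.
squid_path() {
    local fileno="$1"
    printf '%s/%s/%s/%s\n' "$CACHE_DIR" "${fileno:2:2}" "${fileno:4:2}" "$fileno"
}

# Content-Length from the stored HTTP reply header. Header lines end in CRLF,
# so strip the \r before matching; the header sits inside the first few KB.
content_length() {
    head -c 8192 "$1" | tr -d '\r' |
        sed -n 's/^[Cc]ontent-[Ll]ength:[[:space:]]*\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Copy the body (everything after swap meta + HTTP header) of a swap file to OUT.
extract_object() {
    local file="$1" out="$2" total body hdr boundary
    total=$(stat -c %s "$file") || return 1
    body=$(content_length "$file")
    [ -n "$body" ] || { echo "no Content-Length in $file" >&2; return 1; }
    hdr=$((total - body))
    # The body must begin right after the CRLFCRLF that terminates the header.
    # If squid stored a truncated object the arithmetic is off; bail out
    # instead of writing a mis-cut file.
    if [ "$hdr" -ge 4 ]; then
        boundary=$(tail -c +$((hdr - 3)) "$file" | head -c 4 | od -An -tx1 | tr -d ' \n')
    fi
    if [ "${boundary:-}" != "0d0a0d0a" ]; then
        echo "header/body boundary not found in $file (incomplete object?)" >&2
        return 1
    fi
    dd if="$file" of="$out" bs="$hdr" skip=1 2>/dev/null
}

# Self-test on a constructed cache: a fake store.log line and a fake swap file.
selftest() {
    local tmp fileno f rc=0
    tmp=$(mktemp -d)
    CACHE_DIR="$tmp"
    # Constructed store.log: the line from the post plus a made-up URL.
    printf '%s %s\n' \
        '1366393264.443 SWAPOUT 00 00009545 29D0FF2BA5A2F31424F3C49102C91657 200 1366364657 1339281848 2147368447 application/ 1452291/1452291 GET' \
        'http://example.invalid/quadrant.apk' > "$tmp/store.log"
    fileno=$(find_swapouts "$tmp/store.log" application/ | awk '{ print $1 }')
    f=$(squid_path "$fileno")
    mkdir -p "$(dirname "$f")"
    # Constructed swap file: fake binary swap-meta prefix, CRLF HTTP header,
    # then an 11-byte body standing in for the apk (not squid's real format).
    {
        printf '\003\004\030\001fake-swap-meta'
        printf 'HTTP/1.1 200 OK\r\nContent-Type: application/vnd.android.package-archive\r\n'
        printf 'Content-Length: 11\r\n\r\n'
        printf 'PK\003\004fakeapk'
    } > "$f"
    extract_object "$f" "$tmp/wanted.apk" &&
        printf 'PK\003\004fakeapk' | cmp -s - "$tmp/wanted.apk" || rc=1
    # A partially stored object must be rejected rather than mis-cut.
    head -c $(( $(stat -c %s "$f") - 3 )) "$f" > "$f.partial"
    if extract_object "$f.partial" "$tmp/partial.apk" 2>/dev/null; then rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage: squid_extract.sh FILENO [OUT]   carve FILENO from the real cache
#        squid_extract.sh --demo         run the self-test on constructed data
case "${1:-}" in
    --demo) selftest && echo "selftest ok" ;;
    "") ;;   # no arguments: only define the functions
    *) extract_object "$(squid_path "$1")" "${2:-/tmp/wanted.apk}" ;;
esac
```

Run it with `--demo` to see the self-test pass on the constructed data, or with a file number from store.log (and optionally an output path) against a real cache. The boundary check is what the post's one-liner lacks: if the object squid wrote is shorter than its Content-Length, the subtraction lands somewhere inside the header and the script refuses to write garbage.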

2 comments:

Anonymous said...

Hi there! Useful post! Do you know what the extension is of the app's binary that is retrieved by the request sent from the Play Store client to the Play server? Is it .apk or something else?

Santiago García Mantiñán said...

The concept of an extension is completely weird; it only has some meaning on Windows. If you look at the URL that I wrote on the blog, it is which doesn't mention any extension.