Web345 (None "null" algorithm: the attack sets the header to use no signing algorithm)

Parsing the JWT data
Online JWT decoder: https://jwt.io/

JWT exploitation tool
https://github.com/ticarpi/jwt_tool
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,x-auth-token,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Expose-Headers: Content-Type,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Max-Age: 1728000
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Mon, 19 May 2025 06:15:20 GMT
Server: nginx/1.20.1
Set-Cookie: auth=eyJhbGciOiJOb25lIiwidHlwIjoiand0In0.W3siaXNzIjoiYWRtaW4iLCJpYXQiOjE3NDc2MzUzMjAsImV4cCI6MTc0NzY0MjUyMCwibmJmIjoxNzQ3NjM1MzIwLCJzdWIiOiJ1c2VyIiwianRpIjoiOTg4ZTYzZGUxYTgwYWYzZGJkZWRjMzk2YzFiNzM5ZmUifV0
Transfer-Encoding: chunked
X-Powered-By: PHP/7.3.22


where is flag?
<!-- /admin -->
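The signature algorithm can be changed to none: JWT supports setting the algorithm to "None". If the "alg" field is set to "None", the signature is left empty, so a server that honors this value treats any token as valid.

Here it is enough to change sub to admin.

Note: because no signing algorithm is used here, the token consists of only two parts and the signature part is missing, so the change only requires base64-decoding the payload, editing it, and encoding it again.

In fact, it is just base64.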
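
The Python sketch below is an added example, not code from the original post or from the challenge. It decodes the cookie from the response above without trusting it, then shows a server-side check that pins the algorithm instead of reading alg from the token. The function names, the choice of HS256 and the demo key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Cookie value copied from the Set-Cookie header in the response above.
PAGE_TOKEN = ("eyJhbGciOiJOb25lIiwidHlwIjoiand0In0."
    "W3siaXNzIjoiYWRtaW4iLCJpYXQiOjE3NDc2MzUzMjAsImV4cCI6MTc0NzY0MjUy"
    "MCwibmJmIjoxNzQ3NjM1MzIwLCJzdWIiOiJ1c2VyIiwianRpIjoiOTg4ZTYzZGUx"
    "YTgwYWYzZGJkZWRjMzk2YzFiNzM5ZmUifV0")

def b64url_decode(seg):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Inspection only (what jwt.io shows): nothing here proves authenticity."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, len(parts)

def sign_hs256(payload, key):
    """Hypothetical issuer, present so the verifier has a valid token to accept."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, key):
    """Hardened check: the algorithm is pinned by the server, never by the token."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("missing signature segment")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))

if __name__ == "__main__":
    header, payload, n = decode_unverified(PAGE_TOKEN)
    print(header, payload[0]["sub"], n)
    try:
        verify_hs256(PAGE_TOKEN, b"constructed-demo-key")
    except ValueError as err:
        print("rejected:", err)
```

With the algorithm pinned and a non-empty third segment required, the two-part cookie issued by this challenge is rejected before its claims are ever read.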

 

 

 

posted @ 2025-05-19 14:51  justdoIT*