Jira & Confluence

Support HackTricks

If you are interested in a hacking career and in hacking the unhackable - we are hiring! (fluent Polish, written and spoken, required).

Check Privileges

In Jira, privileges can be checked by any user, authenticated or not, through the endpoints /rest/api/2/mypermissions or /rest/api/3/mypermissions. These endpoints reveal the privileges of the current user. The main concern arises when unauthenticated users hold privileges, which indicates a security weakness that may be eligible for a bounty. Likewise, unexpected privileges held by authenticated users also point to a vulnerability.

An important update was made on 1 February 2019, requiring requests to the 'mypermissions' endpoint to include the 'permissions' query parameter. This requirement aims to improve security by making the caller specify which privileges are being queried: check it here

  • ADD_COMMENTS
  • ADMINISTER
  • ADMINISTER_PROJECTS
  • ASSIGNABLE_USER
  • ASSIGN_ISSUES
  • BROWSE_PROJECTS
  • BULK_CHANGE
  • CLOSE_ISSUES
  • CREATE_ATTACHMENTS
  • CREATE_ISSUES
  • CREATE_PROJECT
  • CREATE_SHARED_OBJECTS
  • DELETE_ALL_ATTACHMENTS
  • DELETE_ALL_COMMENTS
  • DELETE_ALL_WORKLOGS
  • DELETE_ISSUES
  • DELETE_OWN_ATTACHMENTS
  • DELETE_OWN_COMMENTS
  • DELETE_OWN_WORKLOGS
  • EDIT_ALL_COMMENTS
  • EDIT_ALL_WORKLOGS
  • EDIT_ISSUES
  • EDIT_OWN_COMMENTS
  • EDIT_OWN_WORKLOGS
  • LINK_ISSUES
  • MANAGE_GROUP_FILTER_SUBSCRIPTIONS
  • MANAGE_SPRINTS_PERMISSION
  • MANAGE_WATCHERS
  • MODIFY_REPORTER
  • MOVE_ISSUES
  • RESOLVE_ISSUES
  • SCHEDULE_ISSUES
  • SET_ISSUE_SECURITY
  • SYSTEM_ADMIN
  • TRANSITION_ISSUES
  • USER_PICKER
  • VIEW_AGGREGATED_DATA
  • VIEW_DEV_TOOLS
  • VIEW_READONLY_WORKFLOW
  • VIEW_VOTERS_AND_WATCHERS
  • WORK_ON_ISSUES

Example: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS

# Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
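The same check as a small audit script, added here as an example that is not part of the original page. It builds the mypermissions URL with the required permissions query parameter, parses the endpoint's response shape (a permissions object keyed by permission name, each entry carrying a havePermission flag) and flags granted permissions that an anonymous session should not normally hold. The SENSITIVE list and SAMPLE_RESPONSE are constructed for the demonstration; only fetch_permissions touches the network and is needed against a real instance.

```python
"""Audit the Jira mypermissions endpoint for permissions an anonymous session holds.

Added example, not part of the original page. SENSITIVE and SAMPLE_RESPONSE are
constructed for the demonstration; only fetch_permissions touches the network.
"""
import json
import urllib.parse
import urllib.request

# Permission keys (taken from the list on the page) that an unauthenticated
# session should not normally hold. Constructed audit list; adjust per instance.
SENSITIVE = [
    "ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS", "CREATE_PROJECT",
    "BROWSE_PROJECTS", "CREATE_ISSUES", "EDIT_ISSUES", "DELETE_ISSUES",
    "CREATE_ATTACHMENTS", "USER_PICKER",
]


def build_mypermissions_url(base_url, permissions):
    """Build the v2 URL with the mandatory comma-separated permissions parameter."""
    keys = urllib.parse.quote(",".join(permissions), safe=",")
    return f"{base_url.rstrip('/')}/rest/api/2/mypermissions?permissions={keys}"


def granted_permissions(payload):
    """Return the sorted keys whose entry reports havePermission == true."""
    entries = payload.get("permissions", {})
    return sorted(k for k, v in entries.items() if v.get("havePermission") is True)


def audit(payload, sensitive=SENSITIVE):
    """Split granted permissions into the full list and those needing review."""
    granted = granted_permissions(payload)
    return {"granted": granted, "review": [k for k in granted if k in sensitive]}


def fetch_permissions(base_url, permissions, cookie=None, timeout=10):
    """Query a live instance; anonymous unless a session cookie header is given."""
    req = urllib.request.Request(build_mypermissions_url(base_url, permissions))
    req.add_header("Accept", "application/json")
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample in the endpoint's response shape (not real instance output).
SAMPLE_RESPONSE = {
    "permissions": {
        "BROWSE_PROJECTS": {"key": "BROWSE_PROJECTS", "name": "Browse Projects",
                            "type": "PROJECT", "havePermission": True},
        "CREATE_ISSUES": {"key": "CREATE_ISSUES", "name": "Create Issues",
                          "type": "PROJECT", "havePermission": False},
        "ADMINISTER_PROJECTS": {"key": "ADMINISTER_PROJECTS", "name": "Administer Projects",
                                "type": "PROJECT", "havePermission": False},
        "ADD_COMMENTS": {"key": "ADD_COMMENTS", "name": "Add Comments",
                         "type": "PROJECT", "havePermission": True},
    }
}

if __name__ == "__main__":
    # Offline run over the constructed sample; use fetch_permissions(...) for a live check.
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

Run without a cookie against your own instance, anything that ends up under "review" is a permission granted to anonymous users; the project permission scheme (and the global permissions for SYSTEM_ADMIN and ADMINISTER) is where to look for the grant. Running it again with a low-privilege user's session cookie gives the second check the page mentions, unexpected privileges for an authenticated user.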

Automated enumeration

Atlassian Plugins

As indicated in the blog, in the documentation about Plugin modules it is possible to check the different types of plugins, such as:

This is an example of the macro plugin type:

package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

    // "map" holds the macro parameters supplied by the page author; the value of
    // "Name" is concatenated into the returned HTML without any escaping (XSS).
    public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
        if (map.get("Name") != null) {
            return ("<h1>Hello " + map.get("Name") + "!</h1>");
        } else {
            return "<h1>Hello World!</h1>";
        }
    }

    // The macro takes no body and renders as a block-level element.
    public BodyType getBodyType() { return BodyType.NONE; }

    public OutputType getOutputType() { return OutputType.BLOCK; }
}

It is possible to verify that these plugins can be vulnerable to common web vulnerabilities such as XSS. For example, the previous macro is vulnerable because it reflects user-supplied data (the Name parameter) straight into the returned HTML.
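Added example (not the page's or the tutorial's code): a Python model of the macro's rendering logic, with the vulnerable concatenation next to a hardened version that HTML-escapes the parameter before it reaches the markup. The parameter value used in the demonstration is constructed; in the Java macro the equivalent fix is to pass map.get("Name") through an HTML encoder before concatenating it.

```python
"""Vulnerable vs. hardened rendering of the page's helloworld macro.

Added example modelling the Java macro's logic in Python; not code from the
page or from Atlassian's tutorial.
"""
import html


def render_hello_vulnerable(params):
    """Mirror of the page's macro: the Name parameter is concatenated raw into HTML."""
    name = params.get("Name")
    if name is not None:
        return "<h1>Hello " + name + "!</h1>"
    return "<h1>Hello World!</h1>"


def render_hello_hardened(params):
    """Same behaviour, but the parameter is HTML-escaped (including quotes) first."""
    name = params.get("Name")
    if name is not None:
        return "<h1>Hello " + html.escape(name, quote=True) + "!</h1>"
    return "<h1>Hello World!</h1>"


def reflects_raw_markup(render, params):
    """True when a tag present in a parameter survives unescaped in the output."""
    out = render(params)
    return any("<" in v and v in out for v in params.values())


if __name__ == "__main__":
    # Constructed parameter value: a tag with an event-handler attribute.
    sample = {"Name": '<b onmouseover="x">Bob</b>'}
    print("vulnerable:", render_hello_vulnerable(sample))
    print("hardened:  ", render_hello_hardened(sample))
    print("raw markup reflected (vulnerable):", reflects_raw_markup(render_hello_vulnerable, sample))
    print("raw markup reflected (hardened):  ", reflects_raw_markup(render_hello_hardened, sample))
```

The escaping has to cover quotes as well as angle brackets, since a macro parameter may also end up inside an attribute value; escaping at the point where the string is placed into markup (rather than at input time) is what keeps the fix correct for every context the macro renders into.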

Once an XSS has been found, in this github repo you can find some payloads to increase the impact of the XSS.

Backdoor Plugin

This post describes the different (malicious) actions that a malicious Jira plugin could perform. You can find a code example in this repo.

These are some of the actions a malicious plugin could perform:

  • Hide Plugins from Admins: it is possible to hide the malicious plugin by injecting some front-end javascript.
  • Exfiltrating Attachments and Pages: allows accessing and exfiltrating all the data.
  • Hijack Session Tokens: add an endpoint that echoes the request headers in the response (including the cookie) and some javascript that contacts it and exfiltrates the cookies.
  • Command Execution: it is of course possible to create a plugin that executes code.
  • Reverse Shell: or obtain a reverse shell.
  • DOM Proxying: if Confluence is inside a private network, it would be possible to establish a connection through the browser of any user with access to it and, for example, contact the server and execute commands through it.
