Jira & Confluence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).

Careers | stmcyber.com | penetration testingstmcyber.com

Check Privileges

Katika Jira, privileges zinaweza kuangaliwa na mtumiaji yeyote, aliyeidhinishwa au la, kupitia endpoints /rest/api/2/mypermissions au /rest/api/3/mypermissions. Endpoints hizi zinaonyesha privileges za sasa za mtumiaji. Wasiwasi mkubwa unatokea wakati watumiaji wasio na uthibitisho wana privileges, ikionyesha udhaifu wa usalama ambao unaweza kuwa na haki ya bounty. Vivyo hivyo, privileges zisizotarajiwa kwa watumiaji waliothibitishwa pia zinaonyesha udhaifu.

Sasisho muhimu lilifanywa tarehe 1 Februari 2019, likihitaji endpoint 'mypermissions' kujumuisha 'parameter ya ruhusa'. Mahitaji haya yanakusudia kuimarisha usalama kwa kubainisha privileges zinazoulizwa: check it here

ADD_COMMENTS
ADMINISTER
ADMINISTER_PROJECTS
ASSIGNABLE_USER
ASSIGN_ISSUES
BROWSE_PROJECTS
BULK_CHANGE
CLOSE_ISSUES
CREATE_ATTACHMENTS
CREATE_ISSUES
CREATE_PROJECT
CREATE_SHARED_OBJECTS
DELETE_ALL_ATTACHMENTS
DELETE_ALL_COMMENTS
DELETE_ALL_WORKLOGS
DELETE_ISSUES
DELETE_OWN_ATTACHMENTS
DELETE_OWN_COMMENTS
DELETE_OWN_WORKLOGS
EDIT_ALL_COMMENTS
EDIT_ALL_WORKLOGS
EDIT_ISSUES
EDIT_OWN_COMMENTS
EDIT_OWN_WORKLOGS
LINK_ISSUES
MANAGE_GROUP_FILTER_SUBSCRIPTIONS
MANAGE_SPRINTS_PERMISSION
MANAGE_WATCHERS
MODIFY_REPORTER
MOVE_ISSUES
RESOLVE_ISSUES
SCHEDULE_ISSUES
SET_ISSUE_SECURITY
SYSTEM_ADMIN
TRANSITION_ISSUES
USER_PICKER
VIEW_AGGREGATED_DATA
VIEW_DEV_TOOLS
VIEW_READONLY_WORKFLOW
VIEW_VOTERS_AND_WATCHERS
WORK_ON_ISSUES

Mfano: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS

#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'

Automated enumeration

Atlasian Plugins

Kama ilivyoonyeshwa katika blog, katika nyaraka kuhusu Plugin modules ↗ inawezekana kuangalia aina tofauti za plugins, kama:

REST Plugin Module ↗: Fichua mwisho wa API za RESTful
Servlet Plugin Module ↗: Weka servlets za Java kama sehemu ya plugin
Macro Plugin Module ↗: Tekeleza Macros za Confluence, yaani, templeti za HTML zenye vigezo

Hii ni mfano wa aina ya macro plugin:

package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
if (map.get("Name") != null) {
return ("<h1>Hello " + map.get("Name") + "!</h1>");
} else {
return "<h1>Hello World!<h1>";
}
}

public BodyType getBodyType() { return BodyType.NONE; }

public OutputType getOutputType() { return OutputType.BLOCK; }
}

Ni rahisi kuona kwamba hizi plugins zinaweza kuwa na udhaifu wa kawaida wa wavuti kama XSS. Kwa mfano, mfano wa awali una udhaifu kwa sababu unarudisha data iliyotolewa na mtumiaji.

Mara XSS inapopatikana, katika hii github repo unaweza kupata baadhi ya payloads za kuongeza athari za XSS.

Plugin ya Backdoor

Post hii inaelezea vitendo tofauti (vibaya) ambavyo vinaweza kufanywa na plugin mbaya ya Jira. Unaweza kupata mfano wa code katika repo hii.

Hizi ni baadhi ya vitendo ambavyo plugin mbaya inaweza kufanya:

Kuficha Plugins kutoka kwa Wasimamizi: Inawezekana kuficha plugin mbaya kwa kuingiza javascript ya mbele.
Kuchukua Viambatisho na Kurasa: Ruhusu kufikia na kuchukua data yote.
Kuhujumu Tokens za Kikao: Ongeza endpoint ambayo itarudisha vichwa katika jibu (pamoja na cookie) na javascript fulani ambayo itawasiliana nayo na kuhujumu cookies.
Kutekeleza Amri: Bila shaka inawezekana kuunda plugin ambayo itatekeleza code.
Shell ya Reverse: Au kupata shell ya reverse.
Proxy ya DOM: Ikiwa confluence iko ndani ya mtandao wa kibinafsi, itakuwa inawezekana kuanzisha muunganisho kupitia kivinjari cha mtumiaji yeyote mwenye ufikiaji wa hiyo na kwa mfano kuwasiliana na seva ikitekeleza amri kupitia hiyo.

Ikiwa unavutiwa na kazi ya hacking na kuhack yasiyoweza kuhackika - tunatafuta wafanyakazi! (kuandika na kuzungumza kwa kiswahili vizuri kunahitajika).

Careers | stmcyber.com | penetration testingstmcyber.com

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousJBOSS NextJoomla

Last updated 6 days ago