Jira & Confluence

Check Privileges

In Jira, privileges can be checked by any user, authenticated or not, through the /rest/api/2/mypermissions or /rest/api/3/mypermissions endpoints. These endpoints reveal the privileges of the current user. The main concern is when unauthenticated users hold privileges, which indicates a security weakness that may be eligible for a bounty. Likewise, unexpected privileges for authenticated users also indicate a weakness.

An important change was made on 1 February 2019, requiring the 'mypermissions' endpoint to include a 'permissions' parameter. This requirement aims to improve security by making the caller specify which privileges are being queried: check it here

  • ADD_COMMENTS
  • ADMINISTER
  • ADMINISTER_PROJECTS
  • ASSIGNABLE_USER
  • ASSIGN_ISSUES
  • BROWSE_PROJECTS
  • BULK_CHANGE
  • CLOSE_ISSUES
  • CREATE_ATTACHMENTS
  • CREATE_ISSUES
  • CREATE_PROJECT
  • CREATE_SHARED_OBJECTS
  • DELETE_ALL_ATTACHMENTS
  • DELETE_ALL_COMMENTS
  • DELETE_ALL_WORKLOGS
  • DELETE_ISSUES
  • DELETE_OWN_ATTACHMENTS
  • DELETE_OWN_COMMENTS
  • DELETE_OWN_WORKLOGS
  • EDIT_ALL_COMMENTS
  • EDIT_ALL_WORKLOGS
  • EDIT_ISSUES
  • EDIT_OWN_COMMENTS
  • EDIT_OWN_WORKLOGS
  • LINK_ISSUES
  • MANAGE_GROUP_FILTER_SUBSCRIPTIONS
  • MANAGE_SPRINTS_PERMISSION
  • MANAGE_WATCHERS
  • MODIFY_REPORTER
  • MOVE_ISSUES
  • RESOLVE_ISSUES
  • SCHEDULE_ISSUES
  • SET_ISSUE_SECURITY
  • SYSTEM_ADMIN
  • TRANSITION_ISSUES
  • USER_PICKER
  • VIEW_AGGREGATED_DATA
  • VIEW_DEV_TOOLS
  • VIEW_READONLY_WORKFLOW
  • VIEW_VOTERS_AND_WATCHERS
  • WORK_ON_ISSUES

Example: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS

# Check non-authenticated privileges (no credentials sent, so this is the anonymous user's view)
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
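The same check as an audit script, added here as an example (not part of the original page). It builds the URL with the now-mandatory permissions parameter, parses a mypermissions response, and reports any permission the anonymous user holds beyond an intended allowlist. The sample response, the allowlist and the permission keys queried are constructed for the example; fetch_mypermissions is the only part that talks to a server and is not exercised offline.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Permission keys to ask about. Since 1 Feb 2019 the endpoint requires the
# ?permissions= parameter, so the keys must be listed explicitly.
PERMISSIONS_TO_CHECK = [
    "BROWSE_PROJECTS", "CREATE_ISSUES", "ADMINISTER_PROJECTS",
    "ADMINISTER", "SYSTEM_ADMIN",
]

# What an unauthenticated (anonymous) user is meant to hold on this instance.
# Constructed policy for the example; adjust to the instance's intended setup.
ANONYMOUS_ALLOWED = {"BROWSE_PROJECTS"}


def build_mypermissions_url(base_url, permissions=PERMISSIONS_TO_CHECK, api_version=2):
    """Build the mypermissions URL, keeping the commas in the permissions list unencoded."""
    query = urlencode({"permissions": ",".join(permissions)}, safe=",")
    return f"{base_url.rstrip('/')}/rest/api/{api_version}/mypermissions?{query}"


def granted_permissions(response_json):
    """Permission keys whose havePermission flag is true in a mypermissions response."""
    perms = response_json.get("permissions", {})
    return sorted(key for key, entry in perms.items() if entry.get("havePermission") is True)


def unexpected_anonymous_permissions(response_json, allowed=ANONYMOUS_ALLOWED):
    """Granted permissions the anonymous policy does not allow; a non-empty list is a finding."""
    return [p for p in granted_permissions(response_json) if p not in allowed]


def fetch_mypermissions(base_url, permissions=PERMISSIONS_TO_CHECK, timeout=10):
    """Query the endpoint without credentials, i.e. as the anonymous user."""
    url = build_mypermissions_url(base_url, permissions)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample shaped like a real mypermissions response (not captured from a live instance).
SAMPLE_RESPONSE = {
    "permissions": {
        "BROWSE_PROJECTS": {"key": "BROWSE_PROJECTS", "type": "PROJECT", "havePermission": True},
        "CREATE_ISSUES": {"key": "CREATE_ISSUES", "type": "PROJECT", "havePermission": True},
        "ADMINISTER_PROJECTS": {"key": "ADMINISTER_PROJECTS", "type": "PROJECT", "havePermission": False},
        "ADMINISTER": {"key": "ADMINISTER", "type": "GLOBAL", "havePermission": False},
        "SYSTEM_ADMIN": {"key": "SYSTEM_ADMIN", "type": "GLOBAL", "havePermission": False},
    }
}

if __name__ == "__main__":
    print(build_mypermissions_url("https://your-domain.atlassian.net"))
    print("granted:", granted_permissions(SAMPLE_RESPONSE))
    print("unexpected for anonymous:", unexpected_anonymous_permissions(SAMPLE_RESPONSE))
```

Running the same functions against a response obtained with a low-privileged account (add an Authorization header to the request) gives the second check the text mentions: privileges an authenticated user was never meant to have.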

Automated enumeration

Atlassian Plugins

As shown in this blog, in the documentation about Plugin modules ↗ it's possible to check the different types of plugins, such as:

This is an example of the macro plugin type:

package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

    // "map" holds the macro parameters as typed by the page author, so "Name" is user input.
    public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
        if (map.get("Name") != null) {
            // The user-supplied value is concatenated into HTML without encoding (the XSS discussed below).
            return ("<h1>Hello " + map.get("Name") + "!</h1>");
        } else {
            return "<h1>Hello World!</h1>";
        }
    }

    public BodyType getBodyType() { return BodyType.NONE; }

    public OutputType getOutputType() { return OutputType.BLOCK; }
}

It's easy to see that these plugins can have common web vulnerabilities such as XSS. For example, the previous macro is vulnerable because it reflects user-supplied data into the page without encoding it.

Once an XSS is found, in this github repo you can find some payloads to increase the impact of the XSS.
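To make the defect and its fix concrete, here is the macro's rendering logic mirrored in Python as an added example (not code from the page or from Atlassian): the unsafe version reproduces the concatenation above, the hardened version HTML-encodes the parameter before it reaches the output, and a small check flags output that still carries the raw input. The parameter values are constructed; in the Java plugin the equivalent fix is to pass map.get("Name") through an HTML escaper such as Apache Commons Lang's StringEscapeUtils.escapeHtml4 before concatenating.

```python
import html


def render_hello_unsafe(params):
    """Mirror of the page's helloworld macro: the Name parameter is dropped
    straight into the HTML, so any markup in it is rendered by the browser."""
    name = params.get("Name")
    if name is not None:
        return f"<h1>Hello {name}!</h1>"
    return "<h1>Hello World!</h1>"


def render_hello_safe(params):
    """Hardened form: encode <, >, &, quotes so the parameter is shown as text."""
    name = params.get("Name")
    if name is not None:
        return f"<h1>Hello {html.escape(name, quote=True)}!</h1>"
    return "<h1>Hello World!</h1>"


def reflects_raw_markup(rendered, untrusted):
    """Review/test helper: True when an input containing HTML metacharacters
    appears verbatim in the rendered output (i.e. it was not encoded)."""
    has_meta = any(c in untrusted for c in "<>\"'&")
    return has_meta and untrusted in rendered


# Constructed macro parameters: one benign, one carrying markup.
BENIGN_PARAMS = {"Name": "Alice"}
MARKUP_PARAMS = {"Name": "<b>Mallory</b>"}

if __name__ == "__main__":
    for params in (BENIGN_PARAMS, MARKUP_PARAMS):
        print("unsafe:", render_hello_unsafe(params))
        print("safe:  ", render_hello_safe(params))
```

The check is deliberately simple: it catches the concatenation bug shown here, not every encoding mistake. For parameters that end up inside attributes or script blocks the encoding has to match that context, which is the same reason the hardened version uses quote=True.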

Backdoor Plugin

This post describes the different (malicious) actions a malicious Jira plugin could perform. You can find a code example in this repo.

These are some of the actions a malicious plugin could perform:

  • Hide plugins from admins: It's possible to hide the malicious plugin by injecting front-end javascript.
  • Exfiltrate attachments and pages: Allows accessing and exfiltrating all the data.
  • Steal session tokens: Add an endpoint that echoes the request headers in the response (including the cookie) and some javascript that contacts it and leaks the cookies.
  • Command execution: Of course it's possible to create a plugin that executes code.
  • Reverse shell: Or obtain a reverse shell.
  • DOM proxying: If Confluence is inside a private network, it would be possible to establish a connection through the browser of any user with access to it and, for example, contact the server and execute commands through it.
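Because the first technique above hides the plugin only in the admin UI, the defensive counterpart is to take the plugin inventory from the REST side and compare it with an allowlist and with earlier snapshots. The following is an added example, not code from the post or the repo it references: it parses a response shaped like the Universal Plugin Manager's /rest/plugins/1.0/ listing (the field names key, name, enabled and userInstalled are assumptions for this example) and reports user-installed plugins that are not approved, plus what changed between two snapshots. All plugin keys except the page's own tutorial macro are constructed.

```python
# Plugin keys the team has approved. Constructed allowlist for the example;
# com.atlassian.tutorial.macro is the hello-world macro package from this page.
APPROVED_PLUGIN_KEYS = {"com.atlassian.tutorial.macro"}


def parse_plugin_inventory(upm_json):
    """Return (key, name, enabled, user_installed) for every plugin in a
    UPM-style listing. Field names are assumed for this example."""
    out = []
    for plugin in upm_json.get("plugins", []):
        out.append((
            plugin["key"],
            plugin.get("name", ""),
            bool(plugin.get("enabled")),
            bool(plugin.get("userInstalled")),
        ))
    return out


def unapproved_user_installed(upm_json, approved=APPROVED_PLUGIN_KEYS):
    """User-installed plugins missing from the allowlist. Because this reads the
    REST listing rather than the admin page, front-end JavaScript that hides a
    plugin from the UI does not affect the result."""
    return sorted(
        key for key, _name, _enabled, user_installed in parse_plugin_inventory(upm_json)
        if user_installed and key not in approved
    )


def diff_inventories(previous, current):
    """(added, removed) plugin keys between two snapshots of the listing."""
    prev = {key for key, *_ in parse_plugin_inventory(previous)}
    cur = {key for key, *_ in parse_plugin_inventory(current)}
    return sorted(cur - prev), sorted(prev - cur)


# Constructed snapshots; the keys are made up for the example.
SNAPSHOT_BEFORE = {"plugins": [
    {"key": "com.example.bundled-system-plugin", "name": "Bundled", "enabled": True, "userInstalled": False},
    {"key": "com.atlassian.tutorial.macro", "name": "helloworld", "enabled": True, "userInstalled": True},
]}
SNAPSHOT_AFTER = {"plugins": SNAPSHOT_BEFORE["plugins"] + [
    {"key": "com.example.unknown-addon", "name": "Helper", "enabled": True, "userInstalled": True},
]}

if __name__ == "__main__":
    print("unapproved:", unapproved_user_installed(SNAPSHOT_AFTER))
    print("added/removed:", diff_inventories(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Store each snapshot with its timestamp and alert on any non-empty result; the installation events that produce a new key are also worth correlating with the application's audit log, since a plugin that can execute code will usually have been uploaded by an admin account that deserves a look.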
