mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
158 lines
8 KiB
Markdown
158 lines
8 KiB
Markdown
|
# Jira & Confluence
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||
|
|
||
|
{% embed url="https://www.stmcyber.com/careers" %}
|
||
|
|
||
|
## Check Privileges
|
||
|
|
||
|
In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.
|
||
|
|
||
|
An important **update** was made on **1st February 2019**, requiring the 'mypermissions' endpoint to include a **'permission' parameter**. This requirement aims to **enhance security** by specifying the privileges being queried: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
|
||
|
|
||
|
* ADD\_COMMENTS
|
||
|
* ADMINISTER
|
||
|
* ADMINISTER\_PROJECTS
|
||
|
* ASSIGNABLE\_USER
|
||
|
* ASSIGN\_ISSUES
|
||
|
* BROWSE\_PROJECTS
|
||
|
* BULK\_CHANGE
|
||
|
* CLOSE\_ISSUES
|
||
|
* CREATE\_ATTACHMENTS
|
||
|
* CREATE\_ISSUES
|
||
|
* CREATE\_PROJECT
|
||
|
* CREATE\_SHARED\_OBJECTS
|
||
|
* DELETE\_ALL\_ATTACHMENTS
|
||
|
* DELETE\_ALL\_COMMENTS
|
||
|
* DELETE\_ALL\_WORKLOGS
|
||
|
* DELETE\_ISSUES
|
||
|
* DELETE\_OWN\_ATTACHMENTS
|
||
|
* DELETE\_OWN\_COMMENTS
|
||
|
* DELETE\_OWN\_WORKLOGS
|
||
|
* EDIT\_ALL\_COMMENTS
|
||
|
* EDIT\_ALL\_WORKLOGS
|
||
|
* EDIT\_ISSUES
|
||
|
* EDIT\_OWN\_COMMENTS
|
||
|
* EDIT\_OWN\_WORKLOGS
|
||
|
* LINK\_ISSUES
|
||
|
* MANAGE\_GROUP\_FILTER\_SUBSCRIPTIONS
|
||
|
* MANAGE\_SPRINTS\_PERMISSION
|
||
|
* MANAGE\_WATCHERS
|
||
|
* MODIFY\_REPORTER
|
||
|
* MOVE\_ISSUES
|
||
|
* RESOLVE\_ISSUES
|
||
|
* SCHEDULE\_ISSUES
|
||
|
* SET\_ISSUE\_SECURITY
|
||
|
* SYSTEM\_ADMIN
|
||
|
* TRANSITION\_ISSUES
|
||
|
* USER\_PICKER
|
||
|
* VIEW\_AGGREGATED\_DATA
|
||
|
* VIEW\_DEV\_TOOLS
|
||
|
* VIEW\_READONLY\_WORKFLOW
|
||
|
* VIEW\_VOTERS\_AND\_WATCHERS
|
||
|
* WORK\_ON\_ISSUES
|
||
|
|
||
|
Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
|
||
|
|
||
|
```bash
|
||
|
#Check non-authenticated privileges
|
||
|
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
||
|
```
|
||
|
|
||
|
## Automated enumeration
|
||
|
|
||
|
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
|
||
|
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira_scan)
|
||
|
|
||
|
## Atlasian Plugins
|
||
|
|
||
|
As indicated in this [**blog**](https://cyllective.com/blog/posts/atlassian-audit-plugins), in the documentation about [Plugin modules ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/plugin-modules/) it's possible to check the different types of plugins, like:
|
||
|
|
||
|
* [REST Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/rest-plugin-module): Expose RESTful API endpoints
|
||
|
* [Servlet Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/servlet-plugin-module/): Deploy Java servlets as part of a plugin
|
||
|
* [Macro Plugin Module ↗](https://developer.atlassian.com/server/confluence/macro-module/): Implement Confluence Macros, i.e. parameterised HTML templates
|
||
|
|
||
|
This is an example of the macro plugin type:
|
||
|
|
||
|
```java
|
||
|
package com.atlassian.tutorial.macro;
|
||
|
|
||
|
import com.atlassian.confluence.content.render.xhtml.ConversionContext;
|
||
|
import com.atlassian.confluence.macro.Macro;
|
||
|
import com.atlassian.confluence.macro.MacroExecutionException;
|
||
|
|
||
|
import java.util.Map;
|
||
|
|
||
|
public class helloworld implements Macro {
|
||
|
|
||
|
public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
|
||
|
if (map.get("Name") != null) {
|
||
|
return ("<h1>Hello " + map.get("Name") + "!</h1>");
|
||
|
} else {
|
||
|
return "<h1>Hello World!<h1>";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
public BodyType getBodyType() { return BodyType.NONE; }
|
||
|
|
||
|
public OutputType getOutputType() { return OutputType.BLOCK; }
|
||
|
}
|
||
|
```
|
||
|
|
||
|
It's possible to observe that these plugins might be vulnerable to common web vulnerabilities like XSS. For example the previous example is vulnerable because it's reflecting data given by the user. 
|
||
|
|
||
|
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.
|
||
|
|
||
|
## Backdoor Plugin
|
||
|
|
||
|
[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes different (malicious) actions that could perform a malicious Jira plugin. You can find [**code example in this repo**](https://github.com/cyllective/malfluence).
|
||
|
|
||
|
These are some of the actions a malicious plugin could perform:
|
||
|
|
||
|
* **Hiding Plugins from Admins**: It's possible to hide the malicious plugin injecting some front-end javascript
|
||
|
* **Exfiltrating Attachments and Pages**: Allow to access and exfiltrate all the data.
|
||
|
* **Stealing Session Tokens**: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies.
|
||
|
* **Command Execution**: Ofc it's possible to create a plugin that will execute code.
|
||
|
* **Reverse Shell**: Or get a reverse shell.
|
||
|
* **DOM Proxying**: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
|
||
|
|
||
|
|
||
|
|
||
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||
|
|
||
|
{% embed url="https://www.stmcyber.com/careers" %}
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|