# Jira & Confluence
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
If you are interested in a **hacking career** and hacking the unhackable - **we are hiring!** (_fluent written and spoken Polish required_).
{% embed url="https://www.stmcyber.com/careers" %}
## Check Privileges
In Jira, **any user, authenticated or not, can check their privileges** through the `/rest/api/2/mypermissions` endpoint (or `/rest/api/3/mypermissions` on Jira Cloud; Server/Data Center only expose v2). These endpoints reveal the calling user's current privileges. A notable concern arises when **unauthenticated users hold privileges**, which indicates a **security issue** (typically an over-permissive permission scheme) that may qualify for a **bounty**. Likewise, **unexpected privileges for authenticated users** also point to a **vulnerability**.
An important **change** was made on **1 February 2019**: on Jira Cloud the `mypermissions` endpoint now **requires a `permissions` query parameter** listing the permission keys being asked about, and a request without it is rejected. The requirement is meant to **improve security** by making callers state exactly which privileges they are querying: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter). The valid permission keys are:
* ADD\_COMMENTS
* ADMINISTER
* ADMINISTER\_PROJECTS
* ASSIGNABLE\_USER
* ASSIGN\_ISSUES
* BROWSE\_PROJECTS
* BULK\_CHANGE
* CLOSE\_ISSUES
* CREATE\_ATTACHMENTS
* CREATE\_ISSUES
* CREATE\_PROJECT
* CREATE\_SHARED\_OBJECTS
* DELETE\_ALL\_ATTACHMENTS
* DELETE\_ALL\_COMMENTS
* DELETE\_ALL\_WORKLOGS
* DELETE\_ISSUES
* DELETE\_OWN\_ATTACHMENTS
* DELETE\_OWN\_COMMENTS
* DELETE\_OWN\_WORKLOGS
* EDIT\_ALL\_COMMENTS
* EDIT\_ALL\_WORKLOGS
* EDIT\_ISSUES
* EDIT\_OWN\_COMMENTS
* EDIT\_OWN\_WORKLOGS
* LINK\_ISSUES
* MANAGE\_GROUP\_FILTER\_SUBSCRIPTIONS
* MANAGE\_SPRINTS\_PERMISSION
* MANAGE\_WATCHERS
* MODIFY\_REPORTER
* MOVE\_ISSUES
* RESOLVE\_ISSUES
* SCHEDULE\_ISSUES
* SET\_ISSUE\_SECURITY
* SYSTEM\_ADMIN
* TRANSITION\_ISSUES
* USER\_PICKER
* VIEW\_AGGREGATED\_DATA
* VIEW\_DEV\_TOOLS
* VIEW\_READONLY\_WORKFLOW
* VIEW\_VOTERS\_AND\_WATCHERS
* WORK\_ON\_ISSUES
Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
```bash
# Check unauthenticated privileges (no credentials sent). This works as-is on
# Jira Server/Data Center; on Jira Cloud append ?permissions=<comma-separated keys>.
curl -s https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```
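The check above, scripted so it can be run once anonymously and once with credentials and the two results compared. This is an added example, not code from the page, from HackTricks or from Atlassian; it assumes a Jira base URL on the command line, optional Basic-auth credentials (on Jira Cloud an email plus API token), and a `HIGH_VALUE` shortlist that is the author's own triage choice rather than an Atlassian-defined set. The sample response body embedded below is constructed to match the shape of the real API so the parsing can be exercised offline.

```python
"""Enumerate the caller's Jira privileges via /rest/api/2/mypermissions.

Added example (not from the page or from Atlassian). Queries anonymously, then
optionally with Basic auth, and reports what each identity is granted so that
over-permissive anonymous access stands out.
"""
import base64
import json
import sys
import urllib.request

# Permission keys accepted by the `permissions` query parameter (the list above).
PERMISSION_KEYS = [
    "ADD_COMMENTS", "ADMINISTER", "ADMINISTER_PROJECTS", "ASSIGNABLE_USER",
    "ASSIGN_ISSUES", "BROWSE_PROJECTS", "BULK_CHANGE", "CLOSE_ISSUES",
    "CREATE_ATTACHMENTS", "CREATE_ISSUES", "CREATE_PROJECT", "CREATE_SHARED_OBJECTS",
    "DELETE_ALL_ATTACHMENTS", "DELETE_ALL_COMMENTS", "DELETE_ALL_WORKLOGS",
    "DELETE_ISSUES", "DELETE_OWN_ATTACHMENTS", "DELETE_OWN_COMMENTS",
    "DELETE_OWN_WORKLOGS", "EDIT_ALL_COMMENTS", "EDIT_ALL_WORKLOGS", "EDIT_ISSUES",
    "EDIT_OWN_COMMENTS", "EDIT_OWN_WORKLOGS", "LINK_ISSUES",
    "MANAGE_GROUP_FILTER_SUBSCRIPTIONS", "MANAGE_SPRINTS_PERMISSION",
    "MANAGE_WATCHERS", "MODIFY_REPORTER", "MOVE_ISSUES", "RESOLVE_ISSUES",
    "SCHEDULE_ISSUES", "SET_ISSUE_SECURITY", "SYSTEM_ADMIN", "TRANSITION_ISSUES",
    "USER_PICKER", "VIEW_AGGREGATED_DATA", "VIEW_DEV_TOOLS",
    "VIEW_READONLY_WORKFLOW", "VIEW_VOTERS_AND_WATCHERS", "WORK_ON_ISSUES",
]

# Assumption: an engineer's triage shortlist of grants that an anonymous caller
# should never hold. Not an Atlassian-defined set; adjust to the engagement.
HIGH_VALUE = {"ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS", "CREATE_PROJECT",
              "EDIT_ISSUES", "DELETE_ISSUES", "CREATE_ATTACHMENTS", "BULK_CHANGE"}

# Constructed sample response body (same shape as the real API: one entry per key).
SAMPLE_RESPONSE = json.dumps({"permissions": {
    "BROWSE_PROJECTS": {"id": "10", "key": "BROWSE_PROJECTS", "type": "PROJECT", "havePermission": True},
    "CREATE_ISSUES": {"id": "11", "key": "CREATE_ISSUES", "type": "PROJECT", "havePermission": True},
    "ADMINISTER": {"id": "0", "key": "ADMINISTER", "type": "GLOBAL", "havePermission": False},
}})


def build_url(base_url, keys=PERMISSION_KEYS, api_version=2):
    """Build the mypermissions URL. The `permissions` parameter is mandatory on
    Jira Cloud since 2019-02-01 and accepted by Server/Data Center, so always send it."""
    return f"{base_url.rstrip('/')}/rest/api/{api_version}/mypermissions?permissions={','.join(keys)}"


def granted_permissions(body):
    """Return the sorted permission keys whose havePermission is true in a
    mypermissions JSON response body."""
    data = json.loads(body)
    return sorted(key for key, entry in data.get("permissions", {}).items()
                  if entry.get("havePermission") is True)


def triage(anonymous, authenticated):
    """Separate what anonymous callers get (always worth reporting) from what only
    the authenticated identity gets, and flag high-value anonymous grants."""
    anon = set(anonymous)
    return {
        "anonymous": sorted(anon),
        "anonymous_high_value": sorted(anon & HIGH_VALUE),
        "authenticated_only": sorted(set(authenticated) - anon),
    }


def fetch(url, user=None, secret=None, timeout=15):
    """GET url, optionally with HTTP Basic auth (Jira Cloud: email + API token)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if user and secret:
        token = base64.b64encode(f"{user}:{secret}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    if len(sys.argv) not in (2, 4):
        sys.exit(f"usage: {sys.argv[0]} https://jira.example.com [user api_token]")
    url = build_url(sys.argv[1])
    anon = granted_permissions(fetch(url))
    authed = granted_permissions(fetch(url, *sys.argv[2:4])) if len(sys.argv) == 4 else []
    print(json.dumps(triage(anon, authed), indent=2))
```

Run it as `python3 mypermissions.py https://jira.example.com` for the anonymous view alone, or add `user api_token` to get the `authenticated_only` list as well. Anything under `anonymous` is a candidate finding; `BROWSE_PROJECTS` alone may be intentional for a public project, while anything in `anonymous_high_value` is worth reporting straight away.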
## Automated enumeration
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
## Atlassian Plugins
As indicated in this [**blog**](https://cyllective.com/blog/posts/atlassian-audit-plugins), the documentation on [Plugin modules ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/plugin-modules/) lets you review the different plugin types, such as:
* [REST Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/rest-plugin-module): Exposes RESTful API endpoints
* [Servlet Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/servlet-plugin-module/): Deploys Java servlets as part of a plugin
* [Macro Plugin Module ↗](https://developer.atlassian.com/server/confluence/macro-module/): Implements Confluence Macros, i.e. parameterised HTML templates
This is an example of the macro plugin type:
```java
package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

    // Renders the macro. The "Name" macro parameter is supplied by whoever edits
    // the page and is concatenated straight into the returned HTML without encoding.
    public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
        if (map.get("Name") != null) {
            return ("<p>Hello " + map.get("Name") + "!</p>");
        } else {
            return "<p>Hello World!</p>";
        }
    }

    public BodyType getBodyType() { return BodyType.NONE; }

    public OutputType getOutputType() { return OutputType.BLOCK; }
}
```
These plugins can be vulnerable to common web vulnerabilities such as XSS. The previous example is vulnerable because it reflects the user-supplied `Name` parameter into the page HTML without encoding it.
Once an XSS is found, you can find payloads in [**this GitHub repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) to increase the impact of the XSS.
## Backdoor Plugin
[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes various (malicious) actions a malicious Jira plugin can perform. You can find [**example code in this repo**](https://github.com/cyllective/malfluence).
These are some of the actions a malicious plugin can perform:
* **Hiding plugins from admins**: the malicious plugin can be hidden from the plugin manager by injecting some front-end JavaScript.
* **Exfiltrating attachments and pages**: allows accessing and exfiltrating all the data.
* **Stealing session tokens**: add an endpoint that echoes the request headers (including the cookie) in its response, plus some JavaScript that calls it and leaks the cookies.
* **Command execution**: or create a plugin that executes code.
* **Reverse shell**: or get a reverse shell.
* **DOM proxying**: if Confluence is inside a private network, it is possible to tunnel a connection through the browser of a user who has access to it and, for example, run commands on the server through that browser.