Aggregator

CVE-2019-8449 Jira 枚举用户漏洞的利用

BaCde's Blog
6 years 2 months ago

一个很攻击门槛很低的漏洞。可结合其它漏洞配合来进行攻击。

首先来简单说一下这个漏洞,该漏洞就是在Jira 8.4.0以前的版本,攻击者可以在不经过授权的情况下访问/rest/api/latest/groupuserpicker这个路径来枚举用户。漏洞危害评级中危。

2020年2月3日在exploit-db上公布了该漏洞利用脚本。地址:
Jira 8.3.4 - Information Disclosure (Username Enumeration)

其漏洞很简单,只需要访问 http://target/rest/api/latest/groupuserpicker?query=admin (target为目标jira系统地址)。如果返回的是json字符串就说明存在漏洞。如果返回"You are not authenticated. Authentication required to perform this operation." 则说明不存在这个漏洞。

那漏洞应该如何利用呢?
1、通过字典方式,探测用户是否存在。
2、如果存在漏洞,那么一旦匹配到结果,则会返回json格式的字符串,其中包含来用户民、邮箱、和显示的名字信息。在实际测试中发现,请求的参数不一定是用户的全拼,例如我们输入c,也是可以返回相关结果的。我们可以改变query参数的值,从a至z遍历。这样就可以获取系统中的用户名列表。

通过以上获取信息后,可以进行后续的利用。比如爆破用户密码,邮箱密码,发送钓鱼邮件等等。具体根据实际场景和相关经验进行扩展。

相关连接

  1. Jira 8.3.4 - Information Disclosure (Username Enumeration)

  2. More Jira Enumeration (usernames) – CVE-2019-8449

  3. User enumeration through the groupuserpicker api resource - CVE-2019-8449

Web Application Security Principles Revisited

Embrace The Red
6 years 2 months ago
Final Year Project - Web Application Security Principles

About 18 years ago I worked on the final year project for my Bachelor’s degree in Computer Science. I had just gotten interested in security and was learning about security principles.

The title of the project was “Web Application Security Principles - Designing Secure Web Based Enterprise Solutions”.

Looking back, a really cool thing was that I had just started working at Microsoft as an Associate Development Consultant and was bold enough to send the paper last minute over to Michael Howard - who responded and indeed reviewed it! That was so cool! :)

All You Need Is Love (And Security Controls)!

F5 Labs
6 years 2 months ago
We all know we need to use security controls to protect our networks, but that's easier said than done. F5 Labs' Ray Pompon writes for ISBuzz News, discussing how to prioritize your security control options and how to actually get some of them done.

February 2020 security updates are available

Microsoft Update Tuesday
6 years 2 months ago
We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide.

Supporting COVID-19 Vaccine Rollouts with Vaccine Edge

The Akamai Blog
6 years 2 months ago
Global efforts to produce and distribute the COVID-19 vaccine continue to race ahead. But in many cases, that race is an uphill climb. Beyond the challenges in making enough of the vaccine, educating the public, and the logistics of distributing the doses, there is a new challenge. Bots.
Ari Weil

Zero Trust and Disabling Remote Management Endpoints

Embrace The Red
6 years 2 months ago

This post highlights a simple mitigation to improve the security posture of your organization. The idea is to, by practical means, limit attack surface and prevent spreading of automated malware, as well as limiting lateral movement by adversaries.

Network security over the last 15 years

Malware can spread fast and damage businesses at scale.

SQL Slammer [1] and WannaCry [2] are two well-known cases that showed how quickly and damaging this can be. Interstingly, both of these disasters were nearly 15 years apart.

Managed ad