Welcome to the J-PWN wiki!

Installing j-pwn

python3  -m venv j-pwn
source j-pwn/bin/activate
pip3 install -r requirements

Running j-pwn

python3 j-pwn.py -h                                                                             


             ██╗      ██████╗ ██╗    ██╗███╗   ██╗
             ██║      ██╔══██╗██║    ██║████╗  ██║
             ██║█████╗██████╔╝██║ █╗ ██║██╔██╗ ██║
        ██   ██║╚════╝██╔═══╝ ██║███╗██║██║╚██╗██║
        ╚█████╔╝      ██║     ╚███╔███╔╝██║ ╚████║
         ╚════╝       ╚═╝      ╚══╝╚══╝ ╚═╝  ╚═══╝
         ** Hack the Planet ** [carnal0wnage]
        
usage: j-pwn.py [-h] [--single URL] [--path PATH] [--list FILE] [--module MODULE] [--start_id START_ID] [--end_id END_ID]

Check if JIRA is running on a server or list of servers

options:
  -h, --help            show this help message and exit
  --single URL, -s URL  Check if JIRA is running on a single server
  --path PATH, -p PATH  Specify the API path to check (default: /)
  --list FILE, -l FILE  Check if JIRA is running on a list of servers
  --module MODULE, -m MODULE
                        Specify the single module to run (e.g., check_open_jira_signup)
  --start_id START_ID   Start ID for issue enumeration (default: 10000)
  --end_id END_ID       End ID for issue enumeration (default: 20000)

Single host run (all checks):

python3 j-pwn.py --single 5.6.7.8

Single host run (all checks) with /jira/ path added:

python3 j-pwn.py --single 1.2.3.4 -p /jira/

Single host with single module check

python3 j-pwn.py --single http://1.2.3.4:8080 --module check_open_jira_signup

python3 j-pwn.py --single http://1.2.3.4:8888 --module check_unauthenticated_admin_projects -p /jira/

python3 j-pwn.py --single http://1.2.3.4:8080 --module check_cve_2020_14185 --start_id 10001 --end_id 10200

python3 j-pwn.py --single http://1.2.3.4:8080 --module check_cve_2020_14185 --end_id 12222

List of hosts (all checks)

python3 j-pwn.py --list ../jira-hosts.txt
[INFO] Processing: URL = http://1.2.3.4:8080, Path = /
[Scanning] : http://1.2.3.4:8080
Checking: http://http://1.2.3.4:8080
+ JIRA is running on: http://1.2.3.4:8080
...
[INFO] Processing: URL = https://5.6.7.8, Path = /
[Scanning] : https://5.6.7.8
Checking: https://5.6.7.8/
- Initial request failed: HTTP 404
- Retrying with path: /jira/
+ JIRA is running on (retry): https://5.6.7.8/jira/ 

[Note] If running all checks j-pwn will automatically attempt to add /jira/ for you if it cant find jira on /. If the path is anything else you need to provide it.

List of hosts single module check

python3 j-pwn.py --list ../jira-hosts2.txt   --module check_unauthenticated_admin_projects

[INFO] Processing: URL = http://JIRASERVER1:8001, Path = /

INFO: Checking for Unauthenticated Access to JIRA Admin Projects
[Testing URL]: http://JIRASERVER1:8001/rest/menu/latest/admin?maxResults=1000

+ Unauthenticated Access to JIRA Admin Projects Detected
  URL: http://JIRASERVER1:8001/rest/menu/latest/admin?maxResults=1000

  Admin Projects Details:
    - Key: admin
      Link: http://192.168.30.31:8001/secure/project/BrowseProjects.jspa?s=view_projects
      Label: XXXXXX administration
      Tooltip: 
      Local: True
      Self: True
      Application Type: jira

[INFO] Processing: URL = https://JIRASERVER2/, Path = /jira/

INFO: Checking for Unauthenticated Access to JIRA Admin Projects
[Testing URL]: https://JIRASERVER2/jira/rest/menu/latest/admin?maxResults=1000

+ Unauthenticated Access to JIRA Admin Projects Detected
  URL: https://JIRASERVER2/jira/rest/menu/latest/admin?maxResults=1000

  Admin Projects Details:
    - Key: admin
      Link: https://JIRASERVER2/jira/secure/project/ViewProjects.jspa
      Label: JIRA administration
      Tooltip: 
      Local: True
      Self: True
      Application Type: jira

jira-hosts.txt format:

http://ip:port,
https://domain:port,/jira/

Server vs. Cloud

This tool is primarily to run against Jira Server/DataCenter dont expect much for companyjira.atlassian.net aka cloud.

The unauthenticated checks might yield something via the info disclosure issues but CVEs are most certainly not going to work.

You might catch a break with the login/signup checks

---

Module Descriptions

Basic Info Gathering

• JIRA Server Info

• JIRA Service Desk Info

Information Disclosure

• Check Permissions as Anonymous User

• Unauthenticated Access to JIRA Dashboards

• Unauthenticated Access to JIRA Project Categories

• Unauthenticated Access to JIRA Projects

• Unauthenticated Access to JIRA Admin Projects

• Unauthenticated Access to JIRA Resolutions

• Unauthenticated Access to JIRA Popular Dashboard

• Unauthenticated User Enumeration via UserPickerBrowser.jspa

• Unauthenticated Access to User Search API

• Unauthenticated Access to Installed Gadgets

• Unauthenticated Issues (With Content)

• Unauthenticated Access to Issue Link Type API

• Unauthenticated Access to Screens

• Unauthenticated Access to Greenhopper User Config API

• Unauthenticated Access to Priority API

Initial Access

• Open JIRA Signup

• Open Service Desk Signup

CVE Checks

• CVE-2017-9506 [SSRF]

• CVE-2018-20824 [XSS]

• CVE-2019-3401 [Info Disclosure]

• CVE-2019-3402 [XSS]

• CVE-2019-3403 [Info Disclosure]

• CVE-2019-8442 [Info Disclosure]

• CVE-2019-8449 [Username Enumeration]

• CVE-2019-8451 [SSRF]

• CVE-2019-11581 [Potential RCE]

• CVE-2020-14178 [Info Disclosure - Project Enumeration]

• CVE-2020-14179 [Info Disclosure]

• CVE‐2020‐14181 [Username Enumeration]

• CVE-2020-29453 [Info Disclosure]

• CVE-2020-36238 | CVE-2021-39118 [Username Enumeration]

• CVE-2020-36286 [Info Disclosure]

• CVE-2020-36289 [Username Enumeration]

• CVE-2021-26086 [Info Disclosure]

• CVE-2022-0540 [Potenital RCE]

• CVE-2022-39960 [Info Disclosure]

• CVE-2023-26255 | CVE-2023-26256 [LFI]

Manual Modules

These modules need to be run manually due to the amount of requests. There is less smart checking the urls need to be correct

Issue Enumeration | Brute Force

• CVE‐2020‐14185 | CVE‐2021‐26069 [Info Disclosure | Enumeration]

• Unauthenticated Public Access to Issue Attachments [Info Disclosure | Enumeration]

ProjectKey Enumeration | Brute Force

• Unauthenticated Projectkey Enumeration & Users Assignable to Projects [Info Disclosure | Enumeration]

• Projectkey Brute [Info Disclosure | Enumeration]

• CVE-2020-14178 Brute [Info Disclosure | Enumeration]

Username Enumeration | Brute Foce

• CVE-2019-3403 Brute [Info Disclosure | Enumeration]

• CVE-2019-8449 Brute [Info Disclosure | Enumeration]

python3 j-pwn.py --single http://1.2.3.4:8080 --module check_cve_2020_14185 --start_id 10001 --end_id 10200
python3 j-pwn.py --single http://1.2.3.4:8080 --module check_cve_2020_14185 --end_id 12222
python3 j-pwn.py --single https://JIRASERVER --module projectkey_brute --path /jira/ --start_id 2 --end_id 3
python3 j-pwn.py --single http://JIRASRVER --module cve_2019_8449_brute --dict ../jira.users.txt

Post Auth CVEs [Manual]

• CVE-2019-14994 [Post Auth Directory Traversal & Info Disclosure]

Why J-PWN?

See Creditz for examples but many of these jira scanners didn't work well. For example:

• some assumed Jira was always at /jira/ and gave no way to change it

• others assumed Jira was always at / and gave no way to change it

• didn't handle SSL errors, so if you hit https://ipaddress the tool wouldn't run

• many of the checks returned false positives

• most of the checks wouldn't print the data from unauthenticated information disclosure to screen. Found MANY "findings" were 200 with no results but being listed as vulnerable

• can i just run $othertool like Nuclei? - yeah probably

Creditz

• https://github.com/anmolksachan/JIRAya
• https://github.com/netspooky/jLoot
• https://github.com/0x48piraj/Jiraffe
• https://github.com/bcoles/jira_scan
• https://github.com/MayankPandey01/Jira-Lens
• Various JIRA nuclei templates