Projectkey Brute - carnal0wnage/J-PWN GitHub Wiki

Projectkey Brute

Category: [Info Disclosure | Enumeration]

[CG] This module attempts to brute force projectkey names against the url: {url}/rest/api/2/project/{project_key}

module name: projectkey_brute

url: {url}/rest/api/2/project/{project_key}

Example run:

python3 j-pwn.py --single https://JIRASERVER   --module projectkey_brute --path /jira/ --start_id 2 --end_id 3
        
Checking: https://JIRASERVER/jira/
+ JIRA is running on: https://JIRASERVER 

JIRA Server Information:
  Base URL        : https://JIRASERVER/jira
  Version         : 7.1.9
  Deployment Type : Server
  Build Number    : 71013
  Build Date      : 2016-06-27T00:00:00.000-0400
  Server Title    : JIRA

- Running Vuln Checks
[INFO] Running single module: projectkey_brute
[Testing URL]: https://JIRASERVER/jira/rest/api/2/project/AA
[Testing URL]: https://JIRASERVERjira/rest/api/2/project/FF
[Testing URL]: https://JIRASERVER/jira/rest/api/2/project/KK
Testing URL]: https://JIRASERVER/jira/rest/api/2/project/AT
...
+ Found ProjectKey: VL | URL: https://JIRASERVERm/jira/rest/api/2/project/VL
[Testing URL]: https://JIRASERVER/jira/rest/api/2/project/VM

+ Vulnerabilities Found:
+ [Info Disclosure - Project Enumeration] Found ProjectKey: VL | URL: https://JIRASERVER/jira/rest/api/2/project/VL
+ [Info Disclosure - Project Enumeration] Found ProjectKey: AW | URL: https://JIRASERVER/jira/rest/api/2/project/AW