Coder Social home page Coder Social logo

jloot's Introduction

jLoot - JIRA Secure Attachment Looter

jLoot is a tool that can be used to enumerate attachments to JIRA tickets.

When files are attached to issues in JIRA, they are given a sequential number and stored. While there are access controls on most installations, if a JIRA was meant to be public, or if it was misconfigured by the organization, the files are easily iterable.

jLoot simplifies the iteration process by checking if a file exists at a given ID number, and downloading it.

jLoot comes with a basic set of yara rules to check incoming files for sensitive words. If a rule matches, it will appear highlighted in red next to the file name. You can use the -y flag to specify your own yara rules, or edit jLoot.yar

If a file matches a yara rule, it has the word "CHECK_" appended to the beginning of the filename for easy recall of sensitive files.

Command Line Options

The following command line options are supported:

 -u baseURL     The base url of the JIRA instance
 -s start_id    The starting attachment ID (attachments start at 10000)
 -l limit       The limit for file downloads
 -o out_dir     The output directory (default is loot/)
 -y yara_rules  Specify custom yara rules

Setup

If you don't have yara installed, you can use this guide to install it. Install yara for python using python3 -m pip install yara-python

If you get an error about yara not being able to find libyara, run these commands:

sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
sudo ldconfig

How do I not let this be a thing?

JIRA is meant to be public, and as such, has default weak configurations that allow for anyone to access public aspects of your boards. There are a few mitigations you can implement:

  • Server Side Rate-Limiting
  • Firewall Rules
  • Granular File Permissions on JIRA
  • Require Authentication to JIRA

Here are some links for reference:

Shouts

Big shoutout to hermit for finding the initial dorks that led to this tool. Shoutout to ThugCrowd and all the Safari Zone Game Wardens.

jloot's People

Contributors

netspooky avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.