mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-09 05:39:03 -07:00
2c9bb4bad7
add recon modules for self-hosted automation servers whose api is reachable without credentials when misconfigured: jenkins /api/json answers when anonymous read access is enabled and lists every job, view and node, and apache nifi /nifi-api/flow/about answers when the instance runs without security; each open instance reaches a script console or processor that runs arbitrary code, while a jenkins without anonymous read returns 403 and a secured nifi returns 401 and neither is flagged.