🛡️ Unveiling My Journey - The Discovery of My First AEM Related Bug!
Author: Bounty Advice (@BountyAdvice)
Greetings to all the incredible Hackers 👋and enthusiasts of cyber security! I go by the name BountyAdvice on Twitter, and I am a passionate individual aspiring to become a bug bounty hunter and cyber security enthusiast. Today, I would like to recount a tale of my discovery of my first bug related to AEM (Adobe Experience Manager). Before we begin, I must emphasize that I am still in the process of learning about AEM, and it was through the application of my current knowledge that I stumbled upon this particular issue. Without any more delays, let us dive right into the story.
Background & AEM Fundamentals
In order to grasp the underlying bug, it is important to familiarize yourself with a few concepts. Let's start with AEM, which stands for Adobe Experience Manager. AEM is a comprehensive content management solution that enables the creation of websites, mobile apps, and forms, and it simplifies the management of marketing content and assets. Essentially, AEM is a content management system comparable to WordPress and Drupal.
AEM Dispatcher
In theory, a front-end system such as the Dispatcher provides an additional security layer to your Adobe Experience Manager (AEM) infrastructure. In practice, it often becomes the sole security layer, because administrators tend to neglect updating and securely configuring all components on the publish instance. Overall, the AEM Dispatcher plays a crucial role in the performance, scalability, and reliability of AEM-powered websites by caching content and filtering and distributing requests.
Querybuilder Servlet
The AEM Query Builder is a framework created by Adobe to construct queries (based on JCR XPath) for the query engine known as the Oak Query Engine. It provides a simplified approach to building queries, where a query is described as a straightforward collection of predicates in key-value format. For further information, refer to the linked Adobe documentation.
AEM Deployment Model
How to detect AEM
Use Wappalyzer: if the application is built on AEM, Wappalyzer will automatically detect it.
Inspect the HTML source code: AEM-powered websites often include specific HTML attributes or comments that give away the platform. Look for patterns like data-sling-model, cq:, or data-cq-component. You can view the HTML source of a webpage either with the browser's developer tools or by saving the response body obtained from httpx to a file and opening it in a text editor.
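The source-inspection step above can be scripted over responses saved from httpx. The following is an added example written for this write-up, not the author's tooling: it counts the three markers named above plus the /etc.clientlibs/ proxy path that AEM serves client libraries from (an extra hint I added), and reports AEM only when at least two distinct markers appear, which keeps a single stray string from triggering a false positive. The SAMPLE_HTML is constructed.

```python
import re

# Constructed sample of an HTML response, standing in for one saved from httpx.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><link rel="stylesheet" href="/etc.clientlibs/example/clientlibs/main.css"></head>
<body>
<div class="cmp-teaser" data-sling-model="com.example.models.Teaser"
     data-cq-component="example/components/teaser">
<!-- cq:template=/conf/example/settings/wcm/templates/page -->
</div>
</body></html>"""

# Markers the write-up lists, plus the clientlib proxy path as an extra hint.
AEM_MARKERS = {
    "data-sling-model": re.compile(r"data-sling-model", re.I),
    "cq:": re.compile(r"\bcq:", re.I),
    "data-cq-component": re.compile(r"data-cq-component", re.I),
    "/etc.clientlibs/": re.compile(r"/etc\.clientlibs/", re.I),
}


def aem_markers(html: str) -> dict:
    """Return how many times each marker occurs in the HTML."""
    return {name: len(rx.findall(html)) for name, rx in AEM_MARKERS.items()}


def looks_like_aem(html: str, min_markers: int = 2) -> bool:
    """Heuristic: treat the page as AEM when at least min_markers distinct markers appear."""
    hits = aem_markers(html)
    return sum(1 for count in hits.values() if count > 0) >= min_markers


def scan_file(path: str) -> bool:
    """Apply the heuristic to a response body saved on disk (e.g. from httpx)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return looks_like_aem(fh.read())


if __name__ == "__main__":
    print(aem_markers(SAMPLE_HTML))
    print("AEM detected" if looks_like_aem(SAMPLE_HTML) else "no AEM markers")
```

Run it against a directory of saved responses by calling scan_file on each; the marker counts are worth keeping in the output, since a page with only cq: in a comment is much weaker evidence than one with Sling model and component attributes throughout.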
Vulnerability
During this incredible journey, some hidden information was discovered, including protected passwords, internal email IDs, email storage, and other personal data. It's crucial to understand the impact of such discoveries because they could potentially allow unauthorized access, data breaches, and the compromising of sensitive user information.
Keep exploring beyond just the exposure of UUIDs: Identifying UUIDs is a crucial starting point, but it doesn't necessarily imply a vulnerability on its own. To uncover more significant discoveries, try manually searching for hashed passwords, passwords, database names, database passwords, and other sensitive information. This approach can lead to more substantial findings.
How To Test / Steps To Reproduce
I came across multiple subdomains with AEM login pages, so I began fuzzing using various tools. However, I usually prefer using Dirsearch to discover the querybuilder servlet. By exploiting it, an attacker could potentially read internal paths. Instead of automated fuzzing, I enjoy manually fuzzing because it's quite exciting to try and bypass the dispatcher. 😁
Now, let's attempt to visit the querybuilder servlet endpoint observed here. However, we get an error while accessing the endpoint.
Let's try some bypasses. As shown in the image below, we can use payloads like "/a.css", "/a.png", and similar variations to confuse the dispatcher and reach the querybuilder servlet. After experimenting with similar payloads, one of them worked!
The final payload resembled something like this:
/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1
I was able to successfully read the contents of directories such as /etc, /home, /content, and others.
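From the defender's side, the request above leaves a recognisable trace in the Dispatcher or web-server access log: a querybuilder servlet hit whose path carries a semicolon, a percent-encoded control character, and a static-asset extension tacked on the end. The following is an added example, not part of the original write-up, that parses Apache combined-format log lines (the SAMPLE_LOG lines are constructed, with the write-up's own payload as the third entry), decodes each request path, and flags querybuilder requests together with the parsing tricks they use. The field names and thresholds are my own.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format) standing in for a Dispatcher log.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/May/2023:10:01:02 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:10:01:09 +0000] "GET /bin/querybuilder.json?path=/etc HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.5 - - [10/May/2023:10:01:15 +0000] "GET /bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1 HTTP/1.1" 200 40211 "-" "curl/8.0"
198.51.100.9 - - [10/May/2023:10:02:00 +0000] "GET /etc.clientlibs/site/clientlibs/main.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches the querybuilder servlet (querybuilder.json, querybuilder.feed.json, ...).
SERVLET_RE = re.compile(r"/bin/querybuilder\.", re.I)
# Extensions a Dispatcher allow-rule typically treats as harmless static assets.
STATIC_EXT_RE = re.compile(r"\.(css|png|jpe?g|gif|js|ico)$", re.I)


def analyse_request(target: str) -> dict:
    """Decode the request path and list why it looks like a servlet-bypass attempt."""
    raw_path, _, query = target.partition("?")
    decoded = unquote(raw_path)  # %0a becomes a real newline, as Sling would see it
    findings = []
    if SERVLET_RE.search(decoded):
        findings.append("querybuilder servlet")
        if ";" in decoded:
            findings.append("semicolon in path")
        if any(ord(ch) < 32 for ch in decoded):
            findings.append("control character in path")
        if STATIC_EXT_RE.search(decoded):
            findings.append("static extension appended")
    return {"path": decoded, "query": query, "findings": findings}


def scan_log(text: str) -> list:
    """Return one alert per log line that touched the querybuilder servlet."""
    alerts = []
    for line in text.strip().splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        result = analyse_request(match["target"])
        if result["findings"]:
            alerts.append({
                "ip": match["ip"],
                "status": int(match["status"]),
                "served": match["status"].startswith("2"),  # 2xx means the Dispatcher let it through
                **result,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], ", ".join(alert["findings"]))
```

The pattern to alert on is the pair of entries from the same client: a 403 on the plain servlet path followed by a 200 on a decorated one. A Dispatcher filter that denies the /bin/ path regardless of what follows it (rather than allowing anything that ends in .css) would have returned 403 for both.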
Automation
Indeed, automation tools like Nuclei provide a wide range of templates specifically designed to identify various AEM-related vulnerabilities and bugs. These templates can significantly streamline the process of detecting such issues. I encourage you to explore the available nuclei templates for AEM to enhance your bug hunting and security assessment efforts.
Create a text file (e.g., targets.txt) containing a list of potential AEM targets that you wish to investigate.
To run Nuclei against that list, enter the following command in your preferred terminal:
nuclei -l targets.txt -t ~/root/nuclei-templates/http/misconfiguration/aem -timeout 15 -rl 50
There are many interesting vulnerabilities related to AEM, and exploring AEM can be a lot of fun because of its vastness. I hope you learned something new from this write-up. If you have any questions about it, you can contact me on Twitter at @BountyAdvice. If you enjoyed reading the write-up, please share it with your friends. Thank you!