
AEM QueryBuilder Internal Path Read

By kannthu

Medium
#aem
Description

What is the "AEM QueryBuilder Internal Path Read" module?

The "AEM QueryBuilder Internal Path Read" module is a test case that detects a misconfiguration in Adobe Experience Manager (AEM) web applications: the AEM QueryBuilder endpoint allowing internal paths to be read.

This module has a medium severity level, indicating that if the vulnerability is present, it could potentially lead to unauthorized access or information disclosure.

This module was authored by DhiyaneshDk.

Impact

If the vulnerability targeted by this module is present, it could allow an attacker to read internal paths within the AEM system. This could potentially expose sensitive information or provide insights into the structure and organization of the application, which could aid in further attacks.

How does the module work?

The "AEM QueryBuilder Internal Path Read" module sends HTTP requests to the AEM server, specifically targeting the "/bin/querybuilder.json" endpoint. It includes various parameters to retrieve specific paths within the AEM system, such as "/home" and "/etc".

The module then applies matching conditions to the responses received from the server. It checks for a successful HTTP status code (200) and the presence of specific words like "jcr:path" and "success" in the response body. If all the matching conditions are met, the module reports a vulnerability.

Here is an example of an HTTP request sent by the module:

GET /bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1

The matching conditions used by this module are:

- Check for a successful HTTP status code (200)
- Check for the presence of the words "jcr:path" and "success" in the response body

If all the matching conditions are satisfied, the module identifies the vulnerability and reports it.
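
The same request pattern can be looked for in a web server's own access logs. The following Python is an added example, not part of the Vidoc module: it assumes combined-log-format entries, and the sample log lines, the function names and the "alert"/"attempt" labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/bin/querybuilder.json"  # endpoint named on the page
INTERNAL_ROOTS = ("/home", "/etc")   # paths the page says the module requests
# Request line and status of a combined-log-format entry (assumed log format).
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /bin/querybuilder.json'
    '.;%0aa.css?path=/home&p.hits=full&p.limit=-1 HTTP/1.1" 200 48213',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /bin/querybuilder.json'
    '?path=/etc&p.hits=full&p.limit=-1 HTTP/1.1" 404 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:02 +0000] "GET /content/site/en.html'
    ' HTTP/1.1" 200 9120',
]

def classify(line):
    """Return a finding for a QueryBuilder request, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode first, so a suffix such as ".;%0aa.css" cannot hide the endpoint.
    path = unquote(url.path)
    if not path.startswith(ENDPOINT):
        return None
    queried = parse_qs(url.query).get("path", [""])[0]
    internal = any(queried == r or queried.startswith(r + "/")
                   for r in INTERNAL_ROOTS)
    # Access logs carry no response body, so status 200 stands in for the
    # module's body check ("jcr:path" and "success").
    served = m["status"] == "200"
    return {
        "status": int(m["status"]),
        "suffix": path[len(ENDPOINT):],   # anything appended after ".json"
        "queried_path": queried,
        "level": "alert" if served and internal else "attempt",
    }

def scan(lines):
    """Classify every line and keep only QueryBuilder findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An "alert" here means the server answered 200 to a QueryBuilder query for an internal path; confirming exposure still requires checking the response body as the module does.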

Reference:

- https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91

Metadata:

shodan-query: http.component:"Adobe Experience Manager"

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /bin/querybuilder.js... /bin/querybuilder.js... /bin/querybuilder.js... (+1 paths)
Matching conditions
status: 200 and
word: jcr:path, success
Passive global matcher
No matching conditions.
On match action
Report vulnerability