Query hashed password via QueryBuilder Servlet

By kannthu

Medium
Vidoc Module
#aem
Description

What is "Query hashed password via QueryBuilder Servlet"?

The "Query hashed password via QueryBuilder Servlet" module is a test case that detects a misconfiguration in Adobe Experience Manager (AEM): it checks whether hashed passwords can be queried through the QueryBuilder Servlet. The module has a medium severity level and was authored by DhiyaneshDk.

Impact

If this module detects a vulnerability, it indicates that the QueryBuilder Servlet in AEM may be misconfigured, allowing unauthorized access to hashed passwords. This can potentially lead to a breach of user credentials and compromise the security of the system.

How does the module work?

The module sends an HTTP GET request to the QueryBuilder Servlet endpoint, targeting the "/bin/querybuilder.json" path. Its query parameters select nodes of type "rep:User" that carry the "rep:authorizableId" property and request the full details of each hit ("p.hits=full").

The module then applies matching conditions to the response to determine if a vulnerability exists. It checks if the HTTP status code is 200 and if the response contains the words "\"success\":true" and "rep:password". If both conditions are met, the module reports a vulnerability.

Example HTTP request:

GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
Host: {%Hostname%}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

The module's matching conditions:

- Status code: 200
- Response contains the words "\"success\":true" and "rep:password"
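A defender can look for the same request in web or dispatcher access logs. The following is an added example, not part of the Vidoc module: it assumes combined log format, the function names `classify` and `scan` are hypothetical, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2024:10:01:09 +0000] "GET /content/site/en.html HTTP/1.1" 200 20480
203.0.113.7 - - [12/Mar/2024:10:02:40 +0000] "GET /bin/querybuilder.json?type=rep%3AUser&p.hits=full HTTP/1.1" 404 312
198.51.100.9 - - [12/Mar/2024:10:03:11 +0000] "GET /bin/querybuilder.json?path=/content/dam&type=dam:Asset HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SERVLET = "/bin/querybuilder.json"
USER_MARKERS = ("rep:user", "rep:password", "rep:authorizableid")

def classify(line):
    """Return None for unrelated lines, else (client, status, verdict)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    # Decode before comparing, so a path suffix such as ".;%0aa.css" or an
    # encoded colon ("rep%3AUser") does not hide the request from the rule.
    path = unquote(parts.path).lower()
    if not path.startswith(SERVLET):
        return None
    values = " ".join(v.lower() for _k, v in parse_qsl(parts.query, keep_blank_values=True))
    if not any(marker in values for marker in USER_MARKERS):
        return None
    # Access logs carry no response body, so a 200 only shows that the query
    # was served; it does not prove "rep:password" was in the response.
    verdict = "served" if status == "200" else "not_served"
    return client, int(status), verdict

def scan(log_text):
    """Collect every user-node QueryBuilder request found in the log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, status, verdict in scan(SAMPLE_LOG):
        print(f"{client} status={status} {verdict}")
```

A "served" hit is a reason to review which QueryBuilder paths are reachable without authentication; the asset query in the last sample line is ordinary QueryBuilder use and is not flagged.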

Note: The module is part of the Vidoc platform, which utilizes multiple modules to perform scanning and testing for various vulnerabilities, misconfigurations, and software detection.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Matching conditions: status: 200 and word: "success":true, rep:password
Passive global matcher: No matching conditions.
On match action: Report vulnerability