How I found my first AEM related bug.

Vedant Tekale, published in InfoSec Write-ups, Sep 11, 2021

Hello all the amazing hackers and cyber security enthusiasts. My name is Vedant (also known as Vegeta on Twitter) and I'm an aspiring bug bounty hunter and a cyber security enthusiast. Today I want to share with you a story about how I found my first AEM related bug :) First of all I want to tell you that I'm still learning about AEM and I found this issue just by applying whatever I've learnt so far. So without any further ado, let's get started.

Background:-

So before understanding the actual bug, you have to learn about a few things. First, what is AEM? "Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps and forms. And it makes it easy to manage your marketing content and assets." Basically AEM is a CMS, just like WordPress and Drupal.

Moving on, next is the QueryBuilder servlet. "AEM Query Builder is a framework developed by Adobe to build queries (JCR XPath underneath) for a query engine (Oak Query Engine) which are simple to compose. A query can be described as a simple set of predicates in key-value form." You can learn more about it here.

And last but not least, the Dispatcher. "Dispatcher is Adobe Experience Manager's caching and/or load balancing tool. Using AEM's Dispatcher also helps to protect the AEM server from attack." You can think of the AEM Dispatcher as something like a WAF: its filter rules decide which requests are allowed to reach the AEM instance at all.

The vulnerability:-

So in July I got lots of duplicates and informative bugs on the HackerOne platform and I was a little frustrated because of that. Whenever I feel demotivated while hunting for bugs I remember this quote: "If your life just got harder, you've just leveled up." I decided to learn about some new bug types and after searching for a while I found this awesome talk from Mikhail Egorov where he talked about AEM related bugs. This was completely new for me so I decided to explore more and read all the write-ups I could find about AEM related vulnerabilities. I got a basic idea about some things and decided to apply what I had learned so far. So I selected one program to hack on. I had already gathered its subdomains and tried to find vulnerabilities in them multiple times but couldn't find any, but this time it was different.

I checked every subdomain with Wappalyzer, looking for one that was built using AEM, and after a while I came across a subdomain that was. Then I started fuzzing for the QueryBuilder servlet, which, if exposed through the Dispatcher, lets an attacker read internal repository paths. I was fuzzing manually because it's very fun trying to bypass the Dispatcher. I tried the following payload and the site always responded with a 404 error, but I kept trying payloads to bypass the Dispatcher.

Credits to Mikhail Egorov.

As you can see in the image above, we can use things like /a.css, /a.png etc. to confuse the Dispatcher into giving us access to the QueryBuilder servlet: the Dispatcher sees a static-asset extension and allows the request, while AEM still resolves it to the servlet. So after trying out similar payloads like this, one worked successfully! The final payload looked something like this:

Payload:-

/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1

I could read the contents of directories like /etc, /home, /content etc. You can also find such bugs using automation; there are many nuclei templates for AEM related bugs, which you can check out here. I quickly reported this issue, after 2 days the issue was triaged, and after a week I was awarded a $$ bounty for it :)
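To show the bypass from the defender's side, here is an added example that is not part of the original post: a small Python model of a Dispatcher-style "allow by extension" rule next to a check on the path that Sling actually resolves the request to. The resource resolution is a simplified approximation of Sling's URL decomposition (an assumption made for illustration, not AEM's own code), the denied-prefix tuple only contains the servlet named in the write-up, and the sample requests are constructed.

```python
# Added example (not from the write-up): why an extension-based allow rule
# serves /bin/querybuilder anyway, and a resolved-path check that catches the
# ".;%0aa.css" style of bypass.
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request targets (path + query), not real traffic.
SAMPLE_REQUESTS = [
    "/content/site/en.html",
    "/etc/clientlibs/site/main.css",
    "/bin/querybuilder.json?path=/etc&p.hits=full&p.limit=-1",
    "/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1",
    "/bin/querybuilder.json/a.png?path=/home",
]

# Resource prefixes to block at the edge. Only /bin/querybuilder is taken
# from the write-up; treat the tuple as an illustration, not a complete list.
DENIED_RESOURCE_PREFIXES = ("/bin/querybuilder",)

STATIC_EXTENSION = re.compile(r"\.(css|png|jpg|gif|js)$", re.IGNORECASE)


def naive_extension_allowed(request: str) -> bool:
    """The weak rule: allow anything whose raw URL path ends in a static-asset
    extension. A trailing 'a.css' is enough to satisfy it."""
    return bool(STATIC_EXTENSION.search(urlsplit(request).path))


def sling_resource_path(request: str) -> str:
    """Simplified model of Sling URL decomposition (assumption for illustration):
    percent-decode, drop ';...' path parameters per segment, and cut at the first
    '.' found in a segment. What precedes the dot is the resource (servlet)
    path; extension, selectors and suffix come after it."""
    decoded = unquote(urlsplit(request).path)
    resolved = []
    for segment in decoded.split("/"):
        segment = segment.split(";", 1)[0]      # ';\na.css' is dropped here
        if "." in segment:
            resolved.append(segment.split(".", 1)[0])
            break
        resolved.append(segment)
    return "/".join(resolved)


def hardened_allowed(request: str) -> bool:
    """Deny on the resolved resource path first, then apply the asset rule."""
    resource = sling_resource_path(request)
    if resource.startswith(DENIED_RESOURCE_PREFIXES):
        return False
    return naive_extension_allowed(request)


def find_bypasses(requests):
    """Requests the naive rule would serve but the hardened rule blocks."""
    return [r for r in requests
            if naive_extension_allowed(r) and not hardened_allowed(r)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{sling_resource_path(req):24} naive={naive_extension_allowed(req)!s:5} "
              f"hardened={hardened_allowed(req)!s:5} {req}")
```

The two bypass variants resolve to /bin/querybuilder exactly like the plain request does, which is why Adobe's Dispatcher security guidance has the filter deny the QueryBuilder servlet by URL rather than relying on extension allow-lists, and why log review should be done on the decoded, resolved path instead of the raw request line.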

There are a lot more interesting AEM related vulnerabilities out there, and AEM is really a vast topic but very fun to explore. I hope you learned something new reading this write-up, and if you have any questions about it you can reach out to me here. If you enjoyed reading the write-up please do clap and share it with your friends. Thank you!


Responses (4)


I have found something like this only, how to exploit it more?

2

What resources do you follow to learn AEM related bugs?

1

Hello Vedant! Nice informative article.
Can you tell me where you report the bugs and how you get the bounty?