Merge pull request #3888 from DhiyaneshGeek/master

Additional Paths Added
patch-1
Sandeep Singh 2022-03-14 20:56:22 +05:30 committed by GitHub
commit 2877624443
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 7 deletions

View File

@ -3,13 +3,24 @@ info:
author: DhiyaneshDk
name: AEM DefaultGetServlet
severity: low
reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
tags: aem
description: Sensitive information might be exposed via AEM DefaultGetServlet.
reference:
- https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
tags: aem,adobe
requests:
- method: GET
path:
- '{{BaseURL}}/etc'
- '{{BaseURL}}/var'
- '{{BaseURL}}/apps'
- '{{BaseURL}}/home'
- '{{BaseURL}}///etc'
- '{{BaseURL}}///var'
- '{{BaseURL}}///apps'
- '{{BaseURL}}///home'
- '{{BaseURL}}/.json'
- '{{BaseURL}}/.1.json'
- '{{BaseURL}}/....4.2.1....json'

View File

@ -4,15 +4,21 @@ info:
author: DhiyaneshDk
name: AEM Login Status
severity: info
reference: https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
tags: aem
description: LoginStatusServlet is exposed, it allows to bruteforce credentials.
reference:
- https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/LoginStatusServletExposed.java
tags: aem,adobe
requests:
- method: GET
path:
- '{{BaseURL}}/system/sling/loginstatus'
- '{{BaseURL}}/system/sling/loginstatus.css'
- '{{BaseURL}}///system///sling///loginstatus'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -4,14 +4,26 @@ info:
author: DhiyaneshDk
name: AEM QueryBuilder Json Servlet
severity: info
reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
tags: aem
description: Sensitive information might be exposed via AEMs QueryBuilderServlet or QueryBuilderFeedServlet.
reference:
- https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java
tags: aem,adobe
requests:
- method: GET
path:
- '{{BaseURL}}/bin/querybuilder.json'
- '{{BaseURL}}/bin/querybuilder.json.servlet'
- '{{BaseURL}}///bin///querybuilder.json'
- '{{BaseURL}}///bin///querybuilder.json.servlet'
- '{{BaseURL}}/bin/querybuilder.feed'
- '{{BaseURL}}/bin/querybuilder.feed.servlet'
- '{{BaseURL}}///bin///querybuilder.feed'
- ' {{BaseURL}}///bin///querybuilder.feed.servlet'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status