Posts

Showing posts with the label web

CVE-2024-7085 Exposure of Private Information OpenText SBM Exploit

From the project webpage: "OpenText™ Solutions Business Manager is enterprise-scale business process automation software. It helps IT quickly create, adapt, deploy, and govern process-based apps and workflows for humans and systems across the organization."

Summary

If the SBM application has anonymous submit enabled on any project, it creates a session for the "Anonymous" user upon opening the AnonymousSubmitPage page. This session can be used to enumerate application users and retrieve personal information. Without the Anonymous user session, the vulnerable endpoint throws an authentication failure. Details listed: email address, full name, mobile phone, application role, etc.

Exploit

Step 1: Search for an available AnonymousSubmitPage by iterating the "projectid" parameter: https://example.com/tmtrack/tmtrack.dll?AnonymousSubmitPage&projectid=1 Once a project with anonymous submit is found, copy the cookies from the response for the next step.

Step 2: Search for user...

Pentesting Adobe Experience Manager in 2024

AEM is well-known in bug bounty programs. While Adobe frequently releases new CVEs (though they are mainly undisclosed XSS vulnerabilities) through its private bug bounty program, no new AEM exploits have appeared on the market. However, as pentesters working under NDAs, we still encounter these applications for regular checks, and we must pay close attention to every little detail to produce valuable and interesting reports. Here I describe my approach to AEM pentesting, conducted mainly on production hosts. At the time of writing the newest version is 6.5.21.0 with no known CVEs: list.

Google dork for AEMs: inurl:/libs/granite/core

Contents

aem-hacker
Testing for SSRF
WCM Debug Filter
Vulnerable Javascript libraries
Information disclosure
Files
Bypass techniques
Reflected XSS (2021)
HTML Injection
Summary

I will update this post in the future with more examples.

aem-hacker

Always start with the toolset called aem-hacker. Though it was developed 6 years ago and the vulnerab...