Completed
QueryBuilder - In the wild
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
AEM Hacker - Approaching Adobe Experience Manager Webapps in Bug Bounty Programs
Automatically move to the next video in the Classroom when playback concludes
- 1 Intro
- 2 Why this talk?
- 3 Topics to discuss
- 4 Public VPD with AEM targets in scope
- 5 Personal achievements in 2018
- 6 Previous works
- 7 AEM architecture
- 8 Common AEM deployment
- 9 AEM Dispatcher bypasses
- 10 Using CVE-2016-0957
- 11 Bypasses for "interesting" servlets
- 12 Add multiple slashes
- 13 Using SSRF
- 14 AEM RCE bundle, build yourself For AEM 6.0 or newer
- 15 AEM hacker toolset
- 16 aem_hacker.py - checks 1/3
- 17 aem_discoverer.py
- 18 aem_enum.py
- 19 aem_ssrf2rce.py & aem_server.py
- 20 RCE via exposed Groovy console
- 21 RCE via ACS AEM Tools
- 22 How to get valid creds?
- 23 RCE via credentials of privileged user
- 24 RCE via uploading OSGI bundle
- 25 Author user
- 26 Non-privileged user
- 27 Tricks to get persistent XSS
- 28 Anonymous user & SVG
- 29 Anonymous user & HTML prop
- 30 Anonymous user & upload file
- 31 Extracting secrets from JCR
- 32 Why is it possible?
- 33 What to use
- 34 DefaultGetServlet - How to grab
- 35 DefaultGetServlet - What to grab
- 36 DefaultGetServlet - In the wild
- 37 QueryBuilder servlets
- 38 QueryBuilder - In the wild
- 39 Opensocial (Shindig) proxy
- 40 Reporting Services ProxyServlet
- 41 Salesforce SecretServlet
- 42 SiteCatalystServlet
- 43 Auto ProvisioningServlet
- 44 SSRF RCE
- 45 ExternalJobPostServlet
- 46 XXE via WebDAV
- 47 Check WebDAV support
- 48 Vectors
- 49 Video Player.swf
- 50 WCMDebugFilter
- 51 SuggestionHandlerServlet
- 52 Conclusion
