Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in Microsoft 'signout.live.com'- 113

Peter Adkins, posted 6 years ago
  • AEM (Adobe Experience Manager) is a content management system from Adobe written in Java. This is made from blood, sweat and Java lol.
  • AEM consists of three tiers: author, publish and dispatch. These tiers apply different filters, the details of which are unimportant here (read the article to learn more).
  • For this vuln, the Publish tier's admin resources should not be reachable through the Dispatch tier. However, the glob filter can be bypassed by appending HTTP query parameters to the URL, because the glob is matched against the whole request string rather than the path alone. For example, files ending in .css are meant to be accessible to the outside world, and https://Dispatch.example.org/system/console should not be. Appending .css as a query string, as in https://Dispatch.example.org/system/console?.css, satisfies the .css rule and gets the request through.
  • Microsoft's signout.live.com used Adobe AEM on the back-end, so the bypass above exposed a lot more. At this point an authentication page came up. What is the most obvious thing to try? Well, let's try admin : admin! This freaking worked!
  • By uploading an extension through this console, a very "lame" and easy RCE had been created.
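To make the glob-filter point concrete, here is an added example (not code from the article or from Adobe) contrasting a suffix check applied to the whole request-target with one applied to the parsed path only. The suffix allow-list and the denied admin prefixes are constructed for illustration, not the real dispatcher rule set.

```python
from urllib.parse import urlsplit

# Constructed rule set modelled on the notes above (assumption, not real AEM config):
# public static files may pass, admin consoles must not.
PUBLIC_SUFFIXES = (".css", ".js", ".png")
DENIED_PREFIXES = ("/system/console", "/crx/", "/bin/")


def naive_allows(request_target: str) -> bool:
    """Vulnerable pattern: the '*.css' rule is matched against the whole
    request-target, so a query string ending in '.css' satisfies it and the
    deny rule is never consulted."""
    if request_target.endswith(PUBLIC_SUFFIXES):
        return True
    return not request_target.startswith(DENIED_PREFIXES)


def hardened_allows(request_target: str) -> bool:
    """Corrected pattern: strip the query and fragment first, evaluate deny
    rules before allow rules, and match suffixes against the path only."""
    path = urlsplit(request_target).path
    if path.startswith(DENIED_PREFIXES):
        return False
    return path.endswith(PUBLIC_SUFFIXES)


def check_requests(targets):
    """Return {request_target: (naive_decision, hardened_decision)} so the two
    filters can be compared side by side over a list of request-targets."""
    return {t: (naive_allows(t), hardened_allows(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample request-targets: a real stylesheet, the admin console,
    # and the console with the query-string suffix described in the notes.
    for target, (naive, hard) in check_requests(
        ["/content/site.css", "/system/console", "/system/console?.css"]
    ).items():
        print(f"{target:28} naive={naive!s:5} hardened={hard}")
```

The detection angle is the same comparison: a request whose path is denied but whose query string ends in an allowed suffix is exactly the pattern a WAF or log query should flag.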