# Adobe Experience Manager (AEM)

Adobe Experience Manager is a comprehensive content management solution commonly used by enterprises. AEM instances are frequently exposed to the internet and can contain various security misconfigurations that lead to information disclosure, remote code execution, or full system compromise.

Source: <https://twitter.com/Alra3ees/status/1410062155248979968?s=20&t=IJ1SKGHYSxj6h1e94oFkdQ>

## Find AEM Instances

Discover AEM instances from a list of URLs:

<https://github.com/0ang3el/aem-hacker>

`python3 aem_discoverer.py --file urls.txt`

## Scan for Vulnerabilities

Automated vulnerability scanner for AEM:

<https://github.com/Raz0r/aemscan>

`aemscan https://target.burmat.co`

## Wordlists

AEM-specific wordlists for content discovery:

<https://github.com/emadshanab/Adobe-Experience-Manager>

## Nuclei Templates

Scan with Nuclei for known AEM vulnerabilities:

`nuclei -l hosts -tags AEM -t /root/nuclei-templates`

## Common Attack Vectors

### Default Credentials

Many AEM instances use default credentials:

* `admin:admin`
* `author:author`
* `replication-receiver:replication-receiver`

### Exposed Servlets

Check for exposed servlets that may leak information or allow code execution:

{% code overflow="wrap" %}

```bash
# QueryBuilder servlet (information disclosure: dumps JCR nodes under the given path)
# URLs are quoted so the "?" and "=" are not interpreted by the shell
curl "https://target.burmat.co/bin/querybuilder.json?path=/content"

# User enumeration (shows which user the request runs as, e.g. anonymous)
curl "https://target.burmat.co/libs/granite/security/currentuser.json"

# Default GET servlet with the infinity selector (dumps the content tree as JSON)
curl "https://target.burmat.co/content.infinity.json"

# POST servlet (potential RCE)
curl -X POST "https://target.burmat.co/bin/receive"
```

{% endcode %}
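From the defender's side, the usual place to close these endpoints on a publish instance is the dispatcher `filter` section of `dispatcher.any`. The fragment below is an added example, not part of the original page or of the aem-hacker/aemscan projects; the rule numbers, the `/content` and `/etc.clientlibs` allow paths, and the assumption that this is a publish tier are mine. Double-quoted values are glob patterns and single-quoted values are regular expressions, as in Adobe's own dispatcher examples.

```conf
/filter
  {
  # Default deny: anything not explicitly allowed below is blocked
  /0001 { /type "deny" /url "*" }

  # Allow the published site and its client libraries (paths are assumptions)
  /0002 { /type "allow" /url "/content/*" }
  /0003 { /type "allow" /url "/etc.clientlibs/*" }

  # Re-deny the servlets probed above so they stay blocked even if an
  # allow rule is later widened
  # QueryBuilder servlet
  /0010 { /type "deny" /url "/bin/querybuilder*" }
  # currentuser.json and the rest of the Granite security servlets
  /0011 { /type "deny" /url "/libs/granite/security/*" }
  # /bin/receive
  /0012 { /type "deny" /url "/bin/receive*" }
  # Felix web console, including the /jmx endpoints
  /0013 { /type "deny" /url "/system/console/*" }

  # Block the default GET servlet's tree-dumping selectors on any path,
  # so /content.infinity.json is refused even though /content/* is allowed
  /0020 { /type "deny" /selectors '(infinity|tidy|sysview|docview|query|jcr:content|[0-9-]+)' /extension '(json|xml|html|feed)' }
  }
```

After reloading the dispatcher, re-run the curl checks above against the publish host: each should now return 403 or 404 instead of JSON.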

### SSRF via AEM Externalizer

AEM's externalizer can be abused for SSRF attacks:

`curl -X POST https://target.burmat.co/system/console/jmx/com.adobe.granite.maintenance.impl%3Atype%3DPurgeTask`
