Saturday, September 24, 2011

vlt prints password

so, you want to use vlt

read -p "password: " -s p
vlt -q rcp -q -b 1000 -t 1 -u "http://user:$p@foo/crx/-/jcr:root/content" "http://user:$p@bar/crx/-/jcr:root/content"

and it prints stuff like
Connecting via JCR remoting to http://user:r34lp455w0rd!!@localhost:4502/crx/server

I could not find a way to disable that. So,
vlt -q rcp -q -b 1000 -t 1 -u "http://user:$p@foo/crx/-/jcr:root/content" "http://user:$p@bar/crx/-/jcr:root/content" |grep -v "http://" >> your.log
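A variant of the same workaround, added here as an example rather than taken from the post: instead of dropping every line that contains a URL, mask the password itself, so the "Connecting via JCR remoting to ..." lines stay in the log minus the secret. The scrub_secret function and the sample output lines are constructed for this example (the password in them is made up).

```shell
#!/bin/sh
# Added example, not from the post: mask the password in vlt's output
# instead of discarding whole lines with grep -v "http://".

# Replace every literal occurrence of $1 on stdin with "***".
# The secret is escaped first so sed treats it as plain text, not a
# regex: a password such as "r34lp455w0rd!!" may contain metacharacters.
scrub_secret() {
  esc=$(printf '%s' "$1" | sed 's/[][\\.*^$]/\\&/g; s/\//\\\//g')
  sed "s/$esc/***/g"
}

# Constructed sample of vlt output (password is made up):
SAMPLE='Connecting via JCR remoting to http://user:r34lp455w0rd!!@localhost:4502/crx/server
Copying /content from foo to bar'

printf '%s\n' "$SAMPLE" | scrub_secret 'r34lp455w0rd!!'
```

Use it as `vlt ... 2>&1 | scrub_secret "$p" >> your.log` so lines written to stderr are scrubbed too. Note that this only cleans the log: while vlt runs, the password is still part of its command line (it is embedded in the URL), so any local user can read it from `ps`.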

Saturday, September 17, 2011

CQ related google queries

This query returns many CQ sites:
http://www.google.com/search?q=inurl:/content/geometrixx
Many of the sites accept the .json rendering (e.g. .-1.json, .34324232.json, etc.). Some also accept .query.json?statement=//*
This makes content grabbing and DoS attacks easy.

Also, this:
http://www.google.com/search?q=inurl:/content/dam
Usually, /content/dam.xml is large, which makes a DoS attack easy.

And,
http://www.google.com/search?q=%22/etc/designs/*.css%22
Many sites block .json on /content, but they still allow .json on /etc.

These queries show a few author instances (try default CQ logins other than admin:admin, such as author:author):
http://www.google.com/search?q=%22cq5%20login%22
http://www.google.com/search?q=inurl:%22/etc/replication%22

Once you locate a CQ site, you can try various paths:
/system/console
/admin
/etc/replication
/crx
/crxde
/bin/crxde/logs
/libs/cq/core/content/login.html
/libs/crxde/resources/welcome.html

Also, try json servlets:
http://www.adobe.com/etc/pagetables/feed_proxies.tidy.-2345.json?asdf

The format is:
/some/resource.<depth>.json


If things are blocked, try replacing some characters with their URL-encoded form.

For example, this is 404:
https://author.day.com/libs/cq/core/content/login.query.json?statement=//element%28*,cq:Page%29

But this returns:
https://author.day.com/libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page)

The e in query is replaced with %65 and the o in json with %6F.

Most of these are possible because of Sling: http://sling.apache.org/
Usually, a database uses a different port (and a protocol other than HTTP) to communicate with the HTTP application. Even databases that speak HTTP (such as CouchDB, http://couchdb.apache.org/) can be configured to use a port different from the HTML rendering server. Sling, however, exposes the entire database (JCR) content on the same port to HTTP clients.

Sling does have an access control mechanism, but the common development pattern for Sling is to expose all resources to everyone.

You could expose only a few resources and have their resourceType query/access the actual content resources.
For example, instead of exposing the following:
/content/a.html
/content/b.html
/content/c.html
....

You can expose only one resource:
/content/pages

And have the resourceType of /content/pages handle GET requests to:
/content/pages.a.html
/content/pages.b.html
/content/pages.c.html
...
by reading actual content from:
/hidden/a
/hidden/b
/hidden/c
...

Or, you can put a proxy server in front that blocks the paths that could be used maliciously. For example, CQ ships a dispatcher module for Apache httpd; you can configure dispatcher.any to deny access to various globs.
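The encoding trick above (login.qu%65ry.js%6Fn slipping past a rule that blocks login.query.json) and the deny-glob idea in this paragraph meet in one requirement: a path blocklist has to be evaluated on the decoded path, not on the raw request string. The following is an added example, not code from the post, from Sling or from the CQ dispatcher: a small portable sh decoder plus the same deny rule applied once raw and once decoded. The deny patterns (.json, .xml, .query.*) are illustrative assumptions taken from the extensions this post mentions, not a recommended production policy, and the decoder does a single decode pass (double-encoded input such as %2565 would need another pass).

```shell
#!/bin/sh
# Added example, not from the post, Sling or the CQ dispatcher: apply a
# blocklist to the percent-decoded path so "qu%65ry.js%6Fn" is treated
# the same as "query.json".

# Decode %XX sequences in one pass. Pure POSIX sh: no printf '\x' needed.
# (A decoded newline would be dropped by the command substitution; fine
# for a path check.)
url_decode() {
  s=$1 out=''
  while [ -n "$s" ]; do
    case $s in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}   # the two hex digits
        oct=$(printf '%o' "$((0x$hex))")     # byte value as octal
        out=$out$(printf "\\$oct")
        s=${s#???} ;;
      *)
        out=$out${s%"${s#?}"}                # copy one character
        s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
}

# Illustrative deny rule, matched against the path with the query string
# removed (Sling splits on the raw '?', so strip before decoding).
matches_deny() {
  case $1 in *.json|*.xml|*.query.*) return 0 ;; esac
  return 1
}

# Naive filter: looks at the raw request path.
denied_raw() {
  matches_deny "${1%%\?*}"
}

# Same rule, but on the decoded path.
denied_decoded() {
  matches_deny "$(url_decode "${1%%\?*}")"
}

for url in \
  '/libs/cq/core/content/login.query.json?statement=//element(*,cq:Page)' \
  '/libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page)' \
  '/content/geometrixx.-1.json' \
  '/content/geometrixx/en.html'
do
  if denied_raw "$url"; then r=deny; else r=allow; fi
  if denied_decoded "$url"; then d=deny; else d=allow; fi
  printf 'raw=%-5s decoded=%-5s %s\n' "$r" "$d" "$url"
done
```

The second URL is the one that gets through the raw check and is caught by the decoded check. The same principle applies to whatever filter you deploy in front of Sling: make sure it normalises the path (decoding, dot segments, case where the repository is case-insensitive) before comparing it against your globs, and check what your proxy actually does rather than assuming it.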


Wednesday, September 14, 2011

datastore garbage collection

My instance had a 12GB datastore:
$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             169G   73G   88G  46% /
none                  5.9G  672K  5.9G   1% /dev
none                  5.9G  196K  5.9G   1% /dev/shm
none                  5.9G  104K  5.9G   1% /var/run
none                  5.9G     0  5.9G   0% /var/lock
/dev/sda2              98G   12G   81G  13% /mnt/datastore



I ran datastore garbage collection, which took 5 hours, and it's now 2GB:
$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             169G   73G   88G  46% /
none                  5.9G  672K  5.9G   1% /dev
none                  5.9G  296K  5.9G   1% /dev/shm
none                  5.9G  108K  5.9G   1% /var/run
none                  5.9G     0  5.9G   0% /var/lock
/dev/sda2              98G  2.0G   91G   3% /mnt/datastore


I have the datastore outside crx-quickstart on a different drive for easy backup, etc.
    <DataStore class="com.day.crx.core.data.ClusterDataStore">
        <param name="path" value="/mnt/datastore"/>
    </DataStore>


The script for running datastore garbage collection is here:

/crx/login.jsp

There are curl command examples:
http://dev.day.com/docs/en/crx/current/administering/backup_and_restore.html#Automating%20Backup%20Creation?

For example,

curl -c login.txt "http://localhost:7402/crx/login.jsp?UserId=admin&Password=xyz&Workspace=crx.default"

Of course they don't work.

You need this instead:
curl -c login.txt -F"_charset_=UTF-8"  -F"UserId=admin" -F"Password=admin" -F"Workspace=crx.default" "http://localhost:7402/crx/login.jsp"

You need a POST request, and you must also include the _charset_ param.
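The working login above still puts the password on the curl command line, where it is visible to `ps` and ends up in shell history. The script below is an added example, not from the post or from the CRX documentation: it sends the same POST (UserId, Password, Workspace and _charset_ to /crx/login.jsp on localhost:7402, as in the post) but reads the password from a 0600 file using curl's `-F "name=<file"` form, which takes the field value from the file's contents. The write_pwfile and crx_login function names, the CURL override used for the dry run, and the file and cookie-jar paths are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from CRX: the POST login described
# above, without the password on the command line.

# Write the password to a file only the current user can read.
# printf '%s' avoids a trailing newline that would become part of the field.
write_pwfile() {
  pwfile=$1 password=$2
  ( umask 077; printf '%s' "$password" > "$pwfile" )
}

# POST to /crx/login.jsp and save the session cookie in $jar.
# "-F Password=<file" makes curl read the value from the file, so the
# secret is never an argv entry of the curl process.
crx_login() {
  host=$1 user=$2 pwfile=$3 jar=$4
  ${CURL:-curl} -s -c "$jar" \
    -F "_charset_=UTF-8" \
    -F "UserId=$user" \
    -F "Password=<$pwfile" \
    -F "Workspace=crx.default" \
    "http://$host/crx/login.jsp"
}

# Interactive use (bash): read the password without echo, as in the vlt post.
#   read -p "password: " -s p; echo
#   write_pwfile "$HOME/.crxpw" "$p"
#   crx_login localhost:7402 admin "$HOME/.crxpw" login.txt
# Later requests reuse the jar with: curl -b login.txt "http://localhost:7402/..."

# Dry run: print the assembled curl command instead of sending it.
CURL=echo crx_login localhost:7402 admin "$HOME/.crxpw" login.txt
```

The same `-F "Password=<file"` trick applies to any other script that must hand a secret to curl; the `-c`/`-b` cookie-jar pair is what lets the later calls in a backup script stay authenticated without repeating the login.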