Saturday, September 17, 2011

CQ-related Google queries

This query returns many CQ sites:
http://www.google.com/search?q=inurl:/content/geometrixx
Many of the sites accept .json rendering (-1.json, 34324232.json, etc.). Some also accept .query.json?statement=//*
This makes content grabbing and DoS attacks easy.

Also, this:
http://www.google.com/search?q=inurl:/content/dam
Usually, /content/dam.xml is large, which makes it an easy DoS target.

And,
http://www.google.com/search?q=%22/etc/designs/*.css%22
Many sites block .json on /content, but they still allow .json on /etc.

These queries show a few author instances (try default CQ logins other than admin:admin, such as author:author):
http://www.google.com/search?q=%22cq5%20login%22
http://www.google.com/search?q=inurl:%22/etc/replication%22

Once you locate a CQ site, you can try various paths:
/system/console
/admin
/etc/replication
/crx
/crxde
/bin/crxde/logs
/libs/cq/core/content/login.html
/libs/crxde/resources/welcome.html

Also, try JSON servlets:
http://www.adobe.com/etc/pagetables/feed_proxies.tidy.-2345.json?asdf

The format is:
/some/resource.<depth>.json


If things are blocked, try with some of the characters replaced with URL encoding.

For example, this returns 404:
https://author.day.com/libs/cq/core/content/login.query.json?statement=//element%28*,cq:Page%29

But this returns:
https://author.day.com/libs/cq/core/content/login.qu%65ry.js%6Fn?statement=//element(*,cq:Page)

The e in query is replaced with %65, and the o in json with %6F.

Most of these are possible because of Sling: http://sling.apache.org/
Usually, databases use a different port (and a protocol other than HTTP) to communicate with HTTP applications. Even databases that use HTTP (such as CouchDB, http://couchdb.apache.org/) can be configured to use a different port from the HTML rendering server. But Sling exposes the entire database (JCR) content on the same port for HTTP clients to access.

Sling does have an access control mechanism. But the common development paradigm for Sling is to expose all resources to everyone.

You could expose only a few resources and have their resourceType script query/access the actual content resource.
For example, instead of exposing the following:
/content/a.html
/content/b.html
/content/c.html
....

You can expose only one resource:
/content/pages

And have the resourceType of /content/pages handle GET requests to:
/content/pages.a.html
/content/pages.b.html
/content/pages.c.html
...
by reading actual content from:
/hidden/a
/hidden/b
/hidden/c
...

Or, you can have a proxy server block the various paths that could be used maliciously. For example, CQ has a dispatcher module for Apache httpd; you can configure dispatcher.any to deny access to various globs.
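As an added illustration (not code from this post, nor from CQ's dispatcher) of why the percent-encoding trick above slips past a filter that matches the raw URL, and of the deny-rule idea in the previous paragraph: a small Python filter that decodes the path before splitting it Sling-style into resource, selectors and extension. The deny list is an assumption built from the paths and render modes this post names.

```python
from urllib.parse import unquote

# Deny list modelled on the paths and render modes named in the post
# (constructed for this example; not an actual dispatcher.any).
DENY_PATH_PREFIXES = ("/system/console", "/crx", "/crxde", "/bin/crxde/logs",
                      "/etc/replication", "/admin")
DENY_EXTENSIONS = {"json", "xml"}   # .json / .xml renderings of any resource, /etc included
DENY_SELECTORS = {"query", "tidy"}  # e.g. login.query.json, feed_proxies.tidy.-2345.json


def normalize(path):
    """Percent-decode until stable (so %2565 -> %65 -> e is caught) and lowercase."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()


def sling_parts(path):
    """Split a request path into (resource path, selectors, extension) using
    Sling's /resource.sel1.sel2.ext convention on the last path segment."""
    head, _, last = path.rpartition("/")
    pieces = last.split(".")
    selectors = pieces[1:-1]
    ext = pieces[-1] if len(pieces) > 1 else ""
    return head + "/" + pieces[0], selectors, ext


def is_denied(raw_url, decode_first=True):
    """Return True if the request should be blocked.

    decode_first=False applies the rules to the still-encoded URL, which is how
    a naive filter misses login.qu%65ry.js%6Fn; decode_first=True applies them
    to the decoded form that the Sling resolver will actually see."""
    path = raw_url.split("?", 1)[0]  # the query string plays no part in the rules
    if decode_first:
        path = normalize(path)
    resource, selectors, ext = sling_parts(path)
    if resource.startswith(DENY_PATH_PREFIXES):
        return True
    if ext in DENY_EXTENSIONS:
        return True
    return any(s in DENY_SELECTORS for s in selectors)
```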

