PoC details: 76e48add2a52c341644ec9c2170f7a69862de313

Source
Related vulnerability
Title: Adobe Experience Manager security vulnerability (CVE-2025-54253)
Description: Adobe Experience Manager (AEM) is a content management solution from Adobe (USA) for building websites, mobile applications and forms. It supports mobile content management, marketing campaign management and multi-site management, among other functions. Adobe Experience Manager (AEM) 6.5.23 and earlier versions contain a security vulnerability caused by improper configuration that may lead to arbitrary code execution.
Description
🐙 CVE-2025-54253 exploit demo for Adobe AEM Forms on JEE: OGNL injection to RCE with PoC, Python 3.10 exploit code, reproducer and mitigation guidance.
Introduction
# CVE-2025-54253 Adobe AEM OGNL Injection Simulated PoC Lab

[![Releases](https://img.shields.io/badge/Releases-Download-blue.svg)](https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo/releases)

![Security banner](https://raw.githubusercontent.com/github/explore/main/topics/security/security.png)

Table of contents
- Overview
- What this repository contains
- Goals
- Threat model
- Safe lab setup
- How to run the simulation
- What to observe
- Detection guidance
- Mitigation and hardening
- For blue teams
- Files and structure
- Releases
- Contributing
- License
- Maintainers
- References and learning

Overview
This repository hosts a simulated proof of concept for CVE-2025-54253, an OGNL injection vulnerability reported in Adobe AEM components. The simulation aims to help security teams and researchers reproduce the behavior in a controlled lab. The repository does not contain live exploit code against real, internet-facing systems. Use the contents only in a controlled, isolated environment.

What this repository contains
- A simulation package that recreates the vulnerable request handling flow. The package models how OGNL expressions might be evaluated in a misconfigured AEM form handler.
- Sample logs that mirror what a vulnerable instance would emit.
- Detection rules and sample signatures for SIEM and EDR.
- A checklist for safe testing.
- Documentation on indicators, mitigation steps, and secure configuration guidance.

Goals
- Help testers build a repeatable lab to validate detection and remediation.
- Teach the defensive signals that point to OGNL injection attempts.
- Provide non-executable, illustrative examples that explain the vulnerability flow.
- Avoid distribution of working remote exploit code for production targets.

Threat model
- Attack vector: crafted request containing OGNL expression sent to AEM form endpoint.
- Impact: if evaluation occurs, an attacker may execute server-side code or escalate privileges depending on the environment.
- Assumptions: the lab instance runs with a realistic AEM setup. The environment may include default or misconfigured components.

Safe lab setup
- Run the simulation inside one or more isolated virtual machines or a local sandbox. Use snapshots and ephemeral instances.
- Do not connect the lab VMs to production networks.
- Limit service accounts and credentials. Use throwaway accounts inside the test environment.
- Ensure your test AEM instance uses sample data only.
- Use monitoring and logging tools so you can observe behavior without risking uncontrolled impact.

How to run the simulation
- Fetch the simulation package from Releases: https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo/releases
- The release file needs to be downloaded and executed inside an isolated test VM. The package includes a step-by-step README inside the archive that lists the sequence to deploy the simulator, configure a local AEM-like endpoint, and run the synthetic request flow.
- Follow the internal README inside the release. The released package contains only simulated artifacts and curated logs. It does not target external services.

What to observe
- Synthetic request logs that show an OGNL-style payload string arriving at the application layer.
- Application-side stack traces that demonstrate expression parsing and evaluation points.
- Generated events for process spawn attempts, unusual environment access, or file writes within the lab VM.
- SIEM alerts triggered by the provided detection rules.

Detection guidance
- Monitor HTTP request bodies for patterns that look like OGNL expressions. Typical markers include %{...} or direct OGNL syntax tokens. Check percent-encoded and double-encoded variants of those markers as well, not only the plain form.
- Inspect application logs for the class names javax.el or ognl.Ognl, or for related expression-evaluation stack traces.
- Create correlation rules that combine unusual request bodies with downstream process activity or unexpected file system modifications.
- Add regex-based signatures to the WAF to block obvious OGNL payload patterns. Do not rely solely on pattern blocking; pair blocking with detection.

Suggested detection rule examples (conceptual)
- Flag POST requests where body contains patterns that match common OGNL tokens and function calls.
- Alert when an application logs a parsing error that mentions OGNL, ExpressionFactory, or evaluation exceptions.
- Correlate an HTTP request with unexpected command-line process creation originating from the web service user.
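As an added example, not code from this repository, the detection guidance above as a small Python check: it canonicalises percent- and double-encoded request bodies before matching OGNL markers, scans log lines for the class and exception names listed, and correlates a flagged request with a later process spawn by the web service user. The pattern names, the sample events, the log line and the service-account name "aem" are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Body patterns built from the markers the README lists: the %{...} wrapper and
# direct OGNL syntax tokens (names and regexes are constructed for this example).
OGNL_BODY_PATTERNS = {
    "expr_wrapper": re.compile(r"%\{.*?\}", re.S),          # %{ ... }
    "static_call": re.compile(r"@[\w.]+@\w+\s*\("),          # @pkg.Class@method(
    "context_token": re.compile(r"#_memberAccess|#context|#\w+\s*="),
    "exec_primitive": re.compile(r"getRuntime\s*\(|ProcessBuilder"),
}
# Class/exception names the README suggests watching for in application logs.
LOG_MARKERS = ("ognl.Ognl", "javax.el", "ExpressionFactory", "OgnlException")

def canonicalize(body: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads match."""
    current = body
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def scan_request_body(body: str) -> list[str]:
    """Names of the OGNL patterns that match the canonicalised request body."""
    text = canonicalize(body)
    return [name for name, pat in OGNL_BODY_PATTERNS.items() if pat.search(text)]

def scan_log_line(line: str) -> list[str]:
    """Log markers present in one application log line."""
    return [m for m in LOG_MARKERS if m in line]

def correlate(events: list[dict], web_user: str, window_s: float = 10.0) -> list[tuple]:
    """Pair each flagged HTTP request with a process spawned by the web service
    user within window_s seconds after it (the README's correlation rule)."""
    flagged = [e for e in events if e["kind"] == "http" and scan_request_body(e["body"])]
    spawns = [e for e in events if e["kind"] == "process" and e["user"] == web_user]
    return [(r["ts"], p["ts"], p["cmd"]) for r in flagged for p in spawns
            if 0 <= p["ts"] - r["ts"] <= window_s]

# Constructed sample: a double-encoded expression in a form POST, then a shell
# spawned by the AEM service account two seconds later; a benign POST for contrast.
SAMPLE_EVENTS = [
    {"ts": 100.0, "kind": "http",
     "body": "name=%2525%257B%2540java.lang.System%2540getProperty%2528%2527user.name%2527%2529%257D"},
    {"ts": 102.0, "kind": "process", "user": "aem", "cmd": "/bin/sh -c id"},
    {"ts": 130.0, "kind": "http", "body": "name=alice&email=alice%40example.com"},
]
SAMPLE_LOG = "ERROR ognl.Ognl - OgnlException while evaluating expression in form handler"
```

Tune the regexes against your own traffic before deploying them; the `%{...}` wrapper also appears in some legitimate templating contexts, so pair the body match with the process-spawn correlation rather than alerting on it alone.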

Mitigation and hardening
- Upgrade AEM to the vendor fixed version that addresses CVE-2025-54253. Apply vendor-supplied patches.
- Disable or remove server-side expression evaluation features that are not required.
- Enforce strict input validation and canonicalization on form handlers and template processors.
- Harden the Java SecurityManager policies where applicable to restrict dynamic code execution and reflection.
- Place a WAF in front of the application that blocks known malicious patterns and enforces request size limits.
- Use least privilege for service accounts and run application processes with restricted OS-level permissions.

For blue teams
- Deploy the sample detection artifacts in a staging SIEM and tune them to your environment.
- Add file integrity monitoring for directories that the application writes to during form processing.
- Use endpoint EDR policies that prevent web processes from spawning shells or creating new system users.
- Create playbook steps for triage: capture HTTP request, extract raw body, replicate on an isolated server, and check for local changes.

Files and structure
- docs/
  - detection-rules.md — SIEM rule examples and tuning notes.
  - monitoring-playbook.md — step-by-step triage checklist for SOC.
- samples/
  - simulated-requests.txt — synthetic requests for lab replay. These are illustrative and non-executable.
  - synthetic-logs/ — curated logs that mirror vulnerable behavior.
- tools/
  - lab-helpers/ — scripts to deploy the simulator in a controlled VM. The release contains the executable package referenced above.
- LICENSE

Releases
[![Download release](https://img.shields.io/github/v/release/jm7knz/CVE-2025-54253-Exploit-Demo?color=informational)](https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo/releases)

Visit the Releases page to get the simulation bundle: https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo/releases

The release file needs to be downloaded and executed in an isolated lab. The package includes internal instructions on how to set up the simulator, deploy a dummy AEM-like endpoint, and run the test flows.

Maintainers
- jm7knz — repository owner and curator
- Contributors may submit issues or pull requests with additional detection content, log samples, or lab improvements.

Contributing
- Open a GitHub issue if you find a gap in detection coverage or documentation.
- Submit PRs that add defensive signatures, log examples, or lab orchestration scripts that enhance safe testing.
- Keep pull requests focused and include tests where applicable. Do not add exploit code or tools that target real systems outside of an isolated lab.

License
- This repository uses the MIT License. Check the LICENSE file for full terms.

References and learning
- Adobe security advisories on AEM and forms components.
- OWASP guidance on input validation and secure deserialization.
- Vendor patch notes for CVE-2025-54253 and related fixes.
- Generic OGNL resources for understanding expression evaluation risks.

Images and visual aids
- The repo uses the security banner above and the shields for quick navigation to releases and version info.
- Add your own screenshots to the samples/ folder to show SIEM hits or EDR alerts during lab runs.

Use cases
- Purple teams can run the simulation to test detection and response.
- Red teams can use the simulated artifacts to train playbooks without targeting live systems.
- Developers can learn safe coding patterns and remove risky expression evaluation hooks.

Keywords and topics
adobe-aem, aem-forms-on-jee, curl, cve-2025-54253, cybersecurity, ethical-hacking, exploit, infosec, local-testing, offensive-security, ognl-injection-vulnerability, penetration-testing, poc, proof-of-concept, rce, red-team, remote-code-execution, vmware-lab, vulnerability-research

References
- Vendor advisory and patch notes (search vendor site for CVE-2025-54253)
- OWASP Testing Guide
- Public SIEM rulesets and regex libraries for web payload detection

Images credit
- Security icon from GitHub Explore topics
- Badges generated via img.shields.io

Last updated
- Check the Releases page for the latest simulation package and changelog: https://github.com/jm7knz/CVE-2025-54253-Exploit-Demo/releases
File snapshot

```
[4.0K] /data/pocs/76e48add2a52c341644ec9c2170f7a69862de313
├── [1.0K] LICENSE
├── [4.0K] logs
│   └── [ 987] exploit.log
├── [4.0K] poc
│   └── [ 653] cve-2025-54253-poc.py
├── [8.5K] README.md
├── [4.0K] screenshots
│   ├── [ 60K] 1_flask_server_running.png
│   ├── [ 24K] 2_browser_OGNL_whoami_execution.png
│   ├── [ 25K] 3_curl_OGNL_whoami_execution.png
│   ├── [ 36K] 4_OGNL_id_command_output.png
│   ├── [ 26K] 5_OGNL_uname-a_command_output.png
│   ├── [ 38K] 6_OGNL_ls-la_directory_listing.png
│   ├── [ 80K] 7_flask_server_logs.png
│   ├── [ 81K] 8_poc_script_execution.png
│   └── [ 62K] 9_exploit_log_verbose.png
└── [4.0K] server
    └── [4.0K] server
        └── [1.1K] app.py

5 directories, 14 files
```