From ac73ec224d6af623334b28c60b070fb2f9c805d6 Mon Sep 17 00:00:00 2001
From: Thomas Hartmann
Date: Sat, 4 Aug 2018 13:20:32 +0200
Subject: [PATCH 1/3] Added Adobe AEM to the list of known platforms

---
 lib/arachni/platform/manager.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/arachni/platform/manager.rb b/lib/arachni/platform/manager.rb
index f939576927..6d2205a59b 100644
--- a/lib/arachni/platform/manager.rb
+++ b/lib/arachni/platform/manager.rb
@@ -113,7 +113,8 @@ class Manager
 :django,
 :aspx_mvc,
 :jsf,
- :cherrypy
+ :cherrypy,
+ :adobeaem
 ]
 
 PLATFORM_NAMES = {
@@ -172,7 +173,8 @@ class Manager
 rails: 'Ruby on Rails',
 aspx_mvc: 'ASP.NET MVC',
 jsf: 'JavaServer Faces',
- cherrypy: 'CherryPy'
+ cherrypy: 'CherryPy',
+ adobeaem: 'Adobe AEM'
 }
 
 PLATFORM_CACHE_SIZE = 500

From b881a7eeea06e79877613fe2b8378254c37cf8b2 Mon Sep 17 00:00:00 2001
From: Thomas Hartmann
Date: Sat, 4 Aug 2018 13:27:08 +0200
Subject: [PATCH 2/3] Fingerprinter to detect if the scanned system is an instance of the Adobe Experience Manager (AEM), which is java based content management framework commonly used in big enterprises. Checks wether certain specific paths can be identified or a servlet engine specific response header value is set.

---
 .../fingerprinters/frameworks/adobeaem.rb | 34 +++++++++++++++++++
 .../frameworks/adobeaem_spec.rb | 31 +++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 components/fingerprinters/frameworks/adobeaem.rb
 create mode 100644 spec/components/fingerprinters/frameworks/adobeaem_spec.rb

diff --git a/components/fingerprinters/frameworks/adobeaem.rb b/components/fingerprinters/frameworks/adobeaem.rb
new file mode 100644
index 0000000000..2ce038c808
--- /dev/null
+++ b/components/fingerprinters/frameworks/adobeaem.rb
@@ -0,0 +1,34 @@
+=begin
+=begin
+ Copyright 2010-2017 Sarosys LLC
+
+ This file is part of the Arachni Framework project and is subject to
+ redistribution and commercial restrictions. Please see the Arachni Framework
+ web site for more information on licensing and terms of use.
+=end
+
+module Arachni
+module Platform::Fingerprinters
+
+# Identifies Adobe AEM specific resources.
+# Adobe AEM is a java and OSGi based CMS framework commonly used among big enterprises.
+# AEM can be fingerprinted by very specific paths starting with /etc/designs or granite.
+# Old AEM versions also expose the term Day Servlet engine in the server header
+#
+# @author Thomas Hartmann
+# @version 0.1
+class AdobeAem < Platform::Fingerprinter
+
+ def run
+ if uri.path =~ /.etc\/designs\d*\/*/ ||
+ uri.path =~ /.granite\d*\/*/ ||
+ server_or_powered_by_include?( 'Day' )
+
+ platforms << :java << :adobeaem
+ end
+ end
+
+end
+
+end
+end
\ No newline at end of file
diff --git a/spec/components/fingerprinters/frameworks/adobeaem_spec.rb b/spec/components/fingerprinters/frameworks/adobeaem_spec.rb
new file mode 100644
index 0000000000..f5419c593f
--- /dev/null
+++ b/spec/components/fingerprinters/frameworks/adobeaem_spec.rb
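Review bot: The path checks in `run` match far more than the class comment describes, because each pattern's leading `.` is an unescaped wildcard and the trailing `\d*\/*` can match the empty string, so `/.granite\d*\/*/` fires on any path that merely contains "granite" and `/.etc\/designs\d*\/*/` on "etc/designs" inside any segment; a false positive tags the page `:java`/`:adobeaem` and enlarges the platform-specific check set run against an unrelated host. Anchoring the tokens on whole path segments and collapsing the repeated `=~` calls into one pattern keeps the spec cases passing while rejecting look-alike segments; patch 3's `@@ -21,8 +21,10 @@` hunk keeps the same pattern form for the two tokens it adds (`etc.clientlib`, `jcr_content`), so the same anchoring applies there. The new file also opens with `=begin` twice — the second is swallowed by the first block comment, so it is harmless, but one of them should go.
```ruby
    # One segment-anchored pattern: the token must be a whole path segment, so
    # look-alike segments on unrelated hosts (constructed example:
    # "/granite-kitchens/") are not flagged.
    AEM_PATHS = %r{/(?:etc/designs|granite)(?:/|\z)}

    def run
        return unless uri.path =~ AEM_PATHS || server_or_powered_by_include?( 'Day' )

        platforms << :java << :adobeaem
    end
```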
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe Arachni::Platform::Fingerprinters::AdobeAem do
+ include_examples 'fingerprinter'
+
+ def platforms
+ [:java]
+ end
+
+ context 'when the page has a /etc/design directory in a path' do
+ it 'identifies it as Adobe AEM' do
+ check_platforms Arachni::Page.from_data( url: 'http://stuff.com/etc/designs/we-retail/components/mainnav/menunav/publish.0.20180724073205.min.js' )
+ end
+ end
+
+ context 'when the page has a granite token in the path' do
+ it 'identifies it as Adobe AEM' do
+ check_platforms Arachni::Page.from_data( url: 'http://stuff.com/libs/granite/csrf/token.json' )
+ end
+ end
+
+ context 'when there is a Day-Servlet-Engine header' do
+ it 'identifies it as Adobe AEM' do
+ check_platforms Arachni::Page.from_data(
+ url: 'http://stuff.com/blah',
+ response: { headers: { 'Server' => 'Day-Servlet-Engine/4.1.24' } }
+ )
+ end
+ end
+
+end
\ No newline at end of file
From 24dec2e1915fc3764e5fa5359e7efc07de1b0016 Mon Sep 17 00:00:00 2001
From: Thomas Hartmann
Date: Sat, 4 Aug 2018 15:21:25 +0200
Subject: [PATCH 3/3] Clientlibs proxy path and jackrabbit/crx _jcr_content nodes mapped into the URL can beused to identify the website as an AEM driven project

---
 components/fingerprinters/frameworks/adobeaem.rb | 8 +++++---
 .../fingerprinters/frameworks/adobeaem_spec.rb | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/components/fingerprinters/frameworks/adobeaem.rb b/components/fingerprinters/frameworks/adobeaem.rb
index 2ce038c808..4e4bc0ccef 100644
--- a/components/fingerprinters/frameworks/adobeaem.rb
+++ b/components/fingerprinters/frameworks/adobeaem.rb
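Review bot: Every context in this spec is a positive case, so the suite cannot catch the fingerprinter's unanchored path patterns — a URL whose segment merely contains one of the tokens (constructed example: `http://stuff.com/granite-kitchens/index.html`) would be tagged as AEM and no example here would fail. Add at least one context asserting that such a page is not identified, using whatever negative helper the `'fingerprinter'` shared examples provide (not visible from this patch); the two contexts patch 3 adds in its `@@ -19,6 +19,18 @@` hunk are positive-only in the same way. The first context's description also says `/etc/design` while the URL and the pattern use `/etc/designs`; patch 3 rewords it but keeps the mismatch.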
@@ -12,8 +12,8 @@ module Platform::Fingerprinters
 
 # Identifies Adobe AEM specific resources.
 # Adobe AEM is a java and OSGi based CMS framework commonly used among big enterprises.
-# AEM can be fingerprinted by very specific paths starting with /etc/designs or granite.
-# Old AEM versions also expose the term Day Servlet engine in the server header
+# AEM can be fingerprinted by very specific paths starting with /etc/designs, etc.clientlibs, _jcr_content or containing the granite element in it's path.
+# Old AEM versions also expose the name Day-Servlet-Engine in the server header
 #
 # @author Thomas Hartmann
 # @version 0.1
@@ -21,8 +21,10 @@ class AdobeAem < Platform::Fingerprinter
 
 def run
 if uri.path =~ /.etc\/designs\d*\/*/ ||
+ uri.path =~ /.etc\.clientlib\d*\/*/ ||
+ uri.path =~ /.jcr_content\d*\/*/ ||
 uri.path =~ /.granite\d*\/*/ ||
- server_or_powered_by_include?( 'Day' )
+ server_or_powered_by_include?( 'Day-Servlet-Engine' )
 
 platforms << :java << :adobeaem
 end
diff --git a/spec/components/fingerprinters/frameworks/adobeaem_spec.rb b/spec/components/fingerprinters/frameworks/adobeaem_spec.rb
index f5419c593f..a619c3a90d 100644
--- a/spec/components/fingerprinters/frameworks/adobeaem_spec.rb
+++ b/spec/components/fingerprinters/frameworks/adobeaem_spec.rb
@@ -7,7 +7,7 @@ def platforms
 [:java]
 end
 
- context 'when the page has a /etc/design directory in a path' do
+ context 'when the page has a /etc/design segment in a path' do
 it 'identifies it as Adobe AEM' do
 check_platforms Arachni::Page.from_data( url: 'http://stuff.com/etc/designs/we-retail/components/mainnav/menunav/publish.0.20180724073205.min.js' )
 end
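Review bot: The rewritten comment in the `@@ -12,8 +12,8 @@` hunk says AEM paths "start with" /etc/designs, etc.clientlibs or _jcr_content, but the patterns in `run` (next hunk) are unanchored and accept those tokens anywhere in the path, so the comment promises more precision than the code delivers; it is also a single very long line and has "it's" for "its". Split it and describe what is actually matched: `# AEM is recognised by the tokens /etc/designs, etc.clientlibs, _jcr_content or` / `# granite appearing anywhere in the request path, or by a Day-Servlet-Engine` / `# Server/X-Powered-By header on older versions.` In the `@@ -21,8 +21,10 @@` hunk, `/.jcr_content\d*\/*/` only reaches the spec's `_jcr_content` through the leading wildcard `.`; if the underscore is the intended form, `/_jcr_content/` says so explicitly. The `run` method's closing `end` and the class body continue outside the hunk.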
@@ -19,6 +19,18 @@ def platforms
 end
 end
 
+ context 'when the page has a _jcr_content element in the path' do
+ it 'identifies it as Adobe AEM' do
+ check_platforms Arachni::Page.from_data( url: 'http://stuff.com/content/we-retail/us/en/_jcr_content/root/responsivegrid/category_teaser_465639357.thumb.png' )
+ end
+ end
+
+ context 'when the page has a /etc.clientlibs element in the path' do
+ it 'identifies it as Adobe AEM' do
+ check_platforms Arachni::Page.from_data( url: 'http://stuff.com/etc.clientlibs/we-retail/components/chat.0.20180724073205.min.css' )
+ end
+ end
+
 context 'when there is a Day-Servlet-Engine header' do
 it 'identifies it as Adobe AEM' do
 check_platforms Arachni::Page.from_data(