Incomplete Data Received with Nuclei's JavaScript NetConn ('nuclei/net') #4285

Closed
iamnoooob opened this issue Oct 24, 2023 · 0 comments · Fixed by #4313
Labels
Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

@iamnoooob

Based on the implementation of Recv() and the related family of functions, it is expected to receive 4096 bytes from the socket by default. However, the number of bytes you want to receive can also be passed as an argument. https://github.com/projectdiscovery/nuclei/blob/main/pkg/js/libs/net/net.go#L116-L117

However, for some reason, the number of bytes specified in the argument is not being considered. This behavior is only observed when using OpenTLS instead of Open to open a socket.

Nuclei version:

[INF] Nuclei Engine Version: v3.0.1

Current Behavior:

Example:
nuclei -t simplejs.yaml -u vps.noob.ninja

id: js_test

info:
  name: Testing JS
  author: rahulmaini
  severity: info


javascript:
  - code: |
      let m = require('nuclei/net');
      let name=Host+':'+Port;
      let conn = m.OpenTLS('tcp', name);
      conn.Send('GET / HTTP/1.1\r\nHost:'+name+'\r\n\r\n');
      resp = conn.RecvString()
      console.log(resp) // I just get response headers

    args:
      Host: "{{Host}}"
      Port: "443"

Outputs:

[INF] HTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 08:39:43 GMT
Server: Apache/2.4.18 (Ubuntu)
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/json

Expected Behavior:

Should output

[INF] HTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 08:41:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Access-Control-Allow-Origin: *
Transfer-Encoding: chunked
Content-Type: application/json

155
{
    "swagger": "2.0",
    "info": {
        "title": "xxxxxxx",
        "description": "test",
        "version": "2017-06-04T22:56:06+00:00",
        "contact": {
            "name": "test",
            "url": "javascript:alert(document.domain)",
            "email": "xx.team@%0D%0Ajavascript%3Aalert(1)%2F%2F%0A.com"
        }
    }
}


0

Steps To Reproduce:

  1. Run the following template with this command nuclei -t simplejs.yaml -u vps.noob.ninja
id: js_test

info:
  name: Testing JS
  author: rahulmaini
  severity: info


javascript:
  - code: |
      let m = require('nuclei/net');
      let name=Host+':'+Port;
      let conn = m.OpenTLS('tcp', name);
      conn.Send('GET / HTTP/1.1\r\nHost:'+name+'\r\n\r\n');
      resp = conn.RecvString()
      console.log(resp) // I just get response headers

    args:
      Host: "{{Host}}"
      Port: "443"
  2. Notice that only the response headers are logged:
[INF] HTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 08:39:43 GMT
Server: Apache/2.4.18 (Ubuntu)
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
  3. Re-run with the following template and notice that the response body is logged only after calling RecvString() a second time.
id: js_test

info:
  name: Testing JS
  author: rahulmaini
  severity: info


javascript:
  - code: |
      let m = require('nuclei/net');
      let name=Host+':'+Port;
      let conn = m.OpenTLS('tcp', name);
      conn.Send('GET / HTTP/1.1\r\nHost:'+name+'\r\n\r\n');
      resp = conn.RecvString()
      console.log(resp) // I just get response headers
      resp = conn.RecvString() // upon calling RecvString again
      console.log(resp)      // I'd get response body

    args:
      Host: "{{Host}}"
      Port: "443"

Outputs:

[INF] HTTP/1.1 200 OK
Date: Tue, 24 Oct 2023 08:38:35 GMT
Server: Apache/2.4.18 (Ubuntu)
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Transfer-Encoding: chunked
Content-Type: application/json

[INF] 155
{
    "swagger": "2.0",
    "info": {
        "title": "xxxxxxx",
        "description": "test",
        "version": "2017-06-04T22:56:06+00:00",
        "contact": {
            "name": "test",
            "url": "javascript:alert(document.domain)",
            "email": "xx.team@%0D%0Ajavascript%3Aalert(1)%2F%2F%0A.com"
        }
    }
}

Anything else:
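The behaviour reported above, a single Read on a TLS socket returning only the first record (the headers) rather than the requested byte count, is illustrated by this added Go example. It is not Nuclei's code: chunkedReader is a constructed stand-in for a TLS connection that yields one record per Read, and recvUpTo is a hypothetical helper showing how a byte-count argument has to be honoured by looping until n bytes, EOF, or an idle deadline.

```go
package main

import (
	"errors"
	"io"
	"net"
	"time"
)

// chunkedReader is a constructed stand-in for a TLS socket: each Read hands back
// one "record", so a single Read sees only the first piece of the response.
type chunkedReader struct{ chunks [][]byte }

func (c *chunkedReader) Read(p []byte) (int, error) {
	if len(c.chunks) == 0 {
		return 0, io.EOF
	}
	n := copy(p, c.chunks[0])
	if n < len(c.chunks[0]) {
		c.chunks[0] = c.chunks[0][n:]
	} else {
		c.chunks = c.chunks[1:]
	}
	return n, nil
}

// recvUpTo is a hypothetical helper (not Nuclei's code) that keeps reading until
// n bytes have arrived, the peer closes the socket (EOF), or nothing arrives
// within idle. The idle deadline matters: a keep-alive HTTP server never sends
// EOF, so without it the loop would hang whenever the reply is shorter than n.
func recvUpTo(r io.Reader, n int, idle time.Duration) ([]byte, error) {
	buf, total := make([]byte, n), 0
	for total < n {
		if c, ok := r.(net.Conn); ok {
			_ = c.SetReadDeadline(time.Now().Add(idle))
		}
		got, err := r.Read(buf[total:])
		total += got
		var ne net.Error
		if errors.Is(err, io.EOF) || (errors.As(err, &ne) && ne.Timeout()) {
			return buf[:total], nil // peer finished or went quiet: hand back what we have
		} else if err != nil {
			return buf[:total], err
		}
	}
	return buf[:total], nil
}
```

With a real net.Conn the deadline path is what returns control when the server keeps the connection open after a short reply; with the constructed reader, EOF ends the loop.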

@iamnoooob iamnoooob added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Oct 24, 2023
@tarunKoyalwar tarunKoyalwar self-assigned this Oct 30, 2023
@tarunKoyalwar tarunKoyalwar linked a pull request Oct 30, 2023 that will close this issue
@ehsandeep ehsandeep added the Status: Completed Nothing further to be done with this issue. Awaiting to be closed. label Nov 2, 2023