Query Param = (Equals) inconsistency + issue #4963

Open
tarunKoyalwar opened this issue Mar 29, 2024 · 0 comments
Labels
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

tarunKoyalwar commented Mar 29, 2024

Nuclei version:

main | latest

Current Behavior:

- A while ago we introduced support for maintaining/keeping `=` parameters even if their value is empty (fix missing eq sign #4513). Earlier they were purged completely, but there seem to be some inconsistencies with it:
```yaml
id: CVE-2024-29059

info:
  name: Leaking `ObjRefs` via HTTP .NET Remoting
  author: DhiyaneshDk
  severity: high
  description: .NET Framework Information Disclosure Vulnerability
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29059
    - https://code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/
    - https://github.com/codewhitesec/HttpRemotingObjRefLeak
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-29059
    epss-score: 0.00043
    epss-percentile: 0.07503
  metadata:
    max-request: 1
    shodan-query: "Server: MS .NET Remoting"
  tags: cve,cve2024,remoting,info-leak

http:
  - raw:
      - |+
        GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
        Host: {{Hostname}}
        __RequestVerb: POST
        Content-Type: text/xml

    # unsafe: true

    matchers:
      - type: regex
        part: body
        regex:
          - '/[0-9a-f_]+/[0-9A-Za-z_+]+_\d+\.rem'
```

Template has `unsafe: true`:

```console
$ ./nuclei -u https://scanme.sh/ -t a.yaml -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2024-29059] Dumped HTTP request for https://scanme.sh/RemoteApplicationMetadata.rem?wsdl

GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
Connection: close
Content-Type: text/xml
__RequestVerb: POST
Accept-Encoding: gzip

[INF] No results found. Better luck next time!
```

Template is normal, i.e. `unsafe: false`:

```console
$ ./nuclei -u https://scanme.sh/ -t a.yaml -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2024-29059] Dumped HTTP request for https://scanme.sh/RemoteApplicationMetadata.rem?wsdl

GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 Edg/94.0.992.38
Connection: close
Content-Type: text/xml
__RequestVerb: POST
Accept-Encoding: gzip

[INF] No results found. Better luck next time!
```

Expected Behavior:

Steps To Reproduce:

As we can tell from the above examples, `=` is added in unsafe mode while in normal mode it is not.

We currently have enabled includeEquals to true as the default behaviour:

```go
cloned.Params.IncludeEquals = true
```

But as per @princechaddha, this should not be a default or have a switch to disable/enable; instead it should be reflected as it was, without any changes, in a template.

Proposed Solution

Anything else:
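As an added illustration of the behaviour discussed in this issue (example code, not nuclei's own): a minimal Go round-trip that records whether each query parameter carried `=`, so a bare `?wsdl` is re-emitted as `?wsdl` unless an IncludeEquals-style flag forces `?wsdl=`; it also shows that the standard library's `url.Values.Encode` always emits `=` and reorders keys, which is why a map-based representation cannot preserve the template's original form. The `QueryParam`, `ParseQuery` and `EncodeQuery` names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// QueryParam records whether a key carried '=' so it can be re-serialised as received.
type QueryParam struct {
	Key       string
	Value     string
	HasEquals bool // true for "wsdl=" or "b=c", false for bare "wsdl"
}

// ParseQuery splits a raw query string (no leading '?') into ordered params.
// Values are kept verbatim (no percent-decoding) to keep the round-trip exact.
func ParseQuery(raw string) []QueryParam {
	var out []QueryParam
	for _, part := range strings.Split(raw, "&") {
		if part == "" {
			continue
		}
		key, val, hasEq := strings.Cut(part, "=")
		out = append(out, QueryParam{Key: key, Value: val, HasEquals: hasEq})
	}
	return out
}

// EncodeQuery re-serialises the params. With includeEquals=false each param keeps
// its original form; with includeEquals=true every param is written as "key=value",
// so a bare "wsdl" becomes "wsdl=", which is the rewrite this issue reports.
func EncodeQuery(params []QueryParam, includeEquals bool) string {
	parts := make([]string, 0, len(params))
	for _, p := range params {
		if p.HasEquals || includeEquals {
			parts = append(parts, p.Key+"="+p.Value)
		} else {
			parts = append(parts, p.Key)
		}
	}
	return strings.Join(parts, "&")
}

func main() {
	params := ParseQuery("wsdl&a=&b=c") // constructed sample query
	fmt.Println(EncodeQuery(params, false)) // wsdl&a=&b=c
	fmt.Println(EncodeQuery(params, true))  // wsdl=&a=&b=c
	v, _ := url.ParseQuery("wsdl&a=&b=c")
	fmt.Println(v.Encode()) // a=&b=c&wsdl= (stdlib always adds '=' and sorts keys)
}
```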
