fix missing results in flow template + feature: internal matchers using internal: true
#4582
Merged
Conversation
tarunKoyalwar changed the title from "issue flow events" to "fix missing results in flow template + feature: internal matchers using internal: true" on Jan 5, 2024
Example Template

```yaml
id: flow-multi-events

info:
  name: Flow Multiple Events
  author: pdteam
  severity: info

flow: |
  dns()
  for(var i = 0; i < 5; i++) {
    http();
  }

dns:
  - name: "{{FQDN}}"
    type: NS
    matchers:
      - type: word
        words:
          - "IN\tNS"
        internal: true

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: status
        status:
          - 200
```

Nuclei

```console
$ ./nuclei -u scanme.sh -t a.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4-dev

                projectdiscovery.io

[INF] Current nuclei version: v3.1.4-dev (development)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[flow-multi-events] [http] [info] https://scanme.sh
[flow-multi-events] [http] [info] https://scanme.sh
[flow-multi-events] [http] [info] https://scanme.sh
[flow-multi-events] [http] [info] https://scanme.sh
[flow-multi-events] [http] [info] https://scanme.sh
```
This also seems to fix #4443, where in nuclei < 3.1.4 a found match was being replaced / overwritten in flow.

```yaml
id: flow_matcher_bug

info:
  name: Flow matcher bug
  author: Levente Kovats
  severity: medium
  description: Matches from further redirected responses are lost when executed from Flow
  reference:
    - https://docs.projectdiscovery.io/templates/protocols/http/basic-http
    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

flow: http();

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true # Follow HTTP redirects
    matchers:
      # detects the final page that does not redirect any further
      - type: status
        status:
          - 200
    extractors:
      # export the original URL because Nuclei output the matched one, which is probably after the redirection(s)
      - type: kval
        name: original-URL
        kval:
          - host
        internal: true
      # export the status code
      - type: kval
        name: status
        kval:
          - status_code
```

Before this PR / fix (match found but no result event)

```console
$ nuclei -target "https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F" -v -matcher-status -follow-redirects -t tmp.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.3

                projectdiscovery.io

[INF] Current nuclei version: v3.1.3 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [flow_matcher_bug] Dumped HTTP request for https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

GET /redirect-to?url=https%3A%2F%2Fscanme.sh%2F HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [flow_matcher_bug] Dumped HTTP response https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: text/plain; charset=utf-8
Date: Fri, 05 Jan 2024 19:11:42 GMT

ok
[DBG] [flow_matcher_bug] Dumped HTTP response https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

HTTP/1.1 302 FOUND
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 05 Jan 2024 19:11:41 GMT
Location: https://scanme.sh/
Server: gunicorn/19.9.0
Content-Length: 0
```

This PR / fix

```console
$ ./nuclei -target "https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F" -v -matcher-status -follow-redirects -t tmp.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4-dev

                projectdiscovery.io

[INF] Current nuclei version: v3.1.4-dev (development)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [flow_matcher_bug] Dumped HTTP request for https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

GET /redirect-to?url=https%3A%2F%2Fscanme.sh%2F HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [flow_matcher_bug] Dumped HTTP response https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: text/plain; charset=utf-8
Date: Fri, 05 Jan 2024 19:11:53 GMT

ok
[flow_matcher_bug:status-1] [matched] [http] [medium] https://scanme.sh/ [200]
[DBG] [flow_matcher_bug] Dumped HTTP response https://httpbin.org/redirect-to?url=https%3A%2F%2Fscanme.sh%2F

HTTP/1.1 302 FOUND
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 05 Jan 2024 19:11:52 GMT
Location: https://scanme.sh/
Server: gunicorn/19.9.0
Content-Length: 0
```
closes #4058

setup

```console
$ cat data.txt
https://banlek-28e05.firebaseio.com/nuclei.json
https://byclean-1525737949784.firebaseio.com/nuclei.json
https://byclean-152573794978d.firebaseio.com/nuclei.json
```

Template

```yaml
id: insecure-firebase-database-Beta-v3

info:
  name: Insecure Firebase Database
  author: rafaelwdornelas
  severity: high
  description: If the owner of the app have set the security rules as true for both "read" & "write" an attacker can probably dump database and write his own data to firebase database.
  reference:
    - https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty
  metadata:
    verified: true
  tags: firebase,google,misconfig

flow: |
  file();
  for (let token of template.tokens){
    set("token", token)
    http();
  }

file:
  - extensions:
      - all
    extractors:
      - type: regex
        name: tokens
        internal: true
        regex:
          - "[a-z0-9.-]+\\.firebaseio\\.com"
          - "[a-z0-9.-]+\\.firebaseapp\\.com"

http:
  - method: GET
    path:
      - "https://{{token}}/{{randstr}}.json"
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "application/json"
      - type: status
        status:
          - 200
```

```console
$ ./nuclei -u data.txt -t tmp.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4-dev

                projectdiscovery.io

[INF] Current nuclei version: v3.1.4-dev (development)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 0 URL from httpx
[insecure-firebase-database-Beta-v3] [http] [high] https://banlek-28e05.firebaseio.com/2aYA5LPmlndKvu2cITFugKurwMh.json
[insecure-firebase-database-Beta-v3] [http] [high] https://byclean-1525737949784.firebaseio.com/2aYA5LPmlndKvu2cITFugKurwMh.json
```
ehsandeep approved these changes on Jan 7, 2024
Proposed Changes

- scan.ScanContext
- internal: true
- internal: true
- internal: true
- #4580 flow
- #4581

Note

Nuclei before this PR (< 3.1.4) only printed/logged the last event / final result when using flow with matchers, but this implicit behaviour caused issues (see: #4581). Hence this now needs to be done explicitly, in a much cleaner and controlled way, by adding `internal: true` to matchers.
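As an added example that is not part of this PR or of nuclei itself, a small Python check of the visibility rule the note above describes: in a flow template, a request block only produces a printed result when at least one of its matchers or extractors is not marked `internal: true`. The template is embedded as an already-parsed Python dict mirroring the `flow-multi-events` YAML above (constructed here; parsing the YAML with PyYAML is assumed to happen beforehand), and the operator naming `type-index` follows the `status-1` form seen in the page's output.

```python
# Added example: report which request blocks of a nuclei flow template emit
# output events. Rule taken from this PR's note: an operator (matcher or
# extractor) marked `internal: true` serves the flow only and is never
# printed. Templates are dicts as PyYAML would produce them (assumption).

# Assumption: the protocol keys this checker inspects.
PROTOCOL_KEYS = ("http", "dns", "file", "network", "ssl", "headless")


def operator_visibility(block):
    """Return (visible, internal) operator labels for one request block."""
    visible, internal = [], []
    for kind in ("matchers", "extractors"):
        for idx, op in enumerate(block.get(kind) or []):
            # Unnamed operators are labelled type-index (e.g. status-1).
            label = "%s:%s" % (kind[:-1], op.get("name") or "%s-%d" % (op.get("type", "?"), idx + 1))
            (internal if op.get("internal") is True else visible).append(label)
    return visible, internal


def flow_result_report(template):
    """Map each protocol of a flow template to its printed vs internal operators."""
    if "flow" not in template:
        raise ValueError("not a flow template: %r" % template.get("id"))
    report = {}
    for proto in PROTOCOL_KEYS:
        for block in template.get(proto) or []:
            visible, internal = operator_visibility(block)
            entry = report.setdefault(proto, {"visible": [], "internal": []})
            entry["visible"].extend(visible)
            entry["internal"].extend(internal)
    return report


def emitting_protocols(template):
    """Protocols whose blocks will print results (have a non-internal operator)."""
    return sorted(p for p, e in flow_result_report(template).items() if e["visible"])


# Constructed: dict form of the flow-multi-events template from this PR.
FLOW_MULTI_EVENTS = {
    "id": "flow-multi-events",
    "flow": "dns()\nfor(var i = 0; i < 5; i++) {\n  http();\n}\n",
    "dns": [{"name": "{{FQDN}}", "type": "NS",
             "matchers": [{"type": "word", "words": ["IN\tNS"], "internal": True}]}],
    "http": [{"method": "GET", "path": ["{{BaseURL}}"],
              "matchers": [{"type": "status", "status": [200]}]}],
}

if __name__ == "__main__":
    for proto, entry in flow_result_report(FLOW_MULTI_EVENTS).items():
        print(proto, "prints:", entry["visible"], "internal:", entry["internal"])
```

Only `http` is reported as printing, which matches the five `[http]` lines and the absence of any `[dns]` line in the run above.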