Closed ehsandeep closed 4 years ago
Here is a real-world example for the same, @Mzack9999. This will also work outside of logic and is unrelated to our scripting engine support; it enhances the fuzzing experience of the nuclei engine.
```yaml
requests:
  - payloads:
      username:
        - admin
      password:
        - admin
        - guest
        - password
        - test
        - 12345
        - 123456
    attack: clusterbomb
    raw:
      # Request with simple param and header manipulation with DSL functions
      - |
        GET /manager/html HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username:password)}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Connection: close
    matchers:
      - type: status
        status:
          - 200
```
This needs rework, confirmed not working.
Template used:
```yaml
id: test-bruteforce
info:
  name: test-bruteforce
  author: pdteam
  severity: high
requests:
  - payloads:
      username:
        - admin
      password:
        - admin
        - guest
        - password
        - test
        - 12345
        - 123456
    # make sure you have your wordlist on the defined path.
    attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
    raw:
      # Request with simple param and header manipulation with DSL functions
      - |
        GET /manager/html HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username:password)}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Connection: close
    matchers:
      - type: status
        status:
          - 200
```
Output:
```
panic: interface conversion: interface {} is int, not string

goroutine 7 [running]:
github.com/projectdiscovery/nuclei/v2/pkg/generators.LoadPayloads(0xc0002f3cb0, 0xc0001fe6c0)
	/Users/bauthard/Documents/GitHub/nuclei/v2/pkg/generators/util.go:27 +0x4b9
github.com/projectdiscovery/nuclei/v2/pkg/requests.(*HTTPRequest).makeHTTPRequestFromRaw.func1(0xc000010cc0, 0xc0001642a0, 0xc00028b660, 0x10, 0xc0002f3dd0)
	/Users/bauthard/Documents/GitHub/nuclei/v2/pkg/requests/http-request.go:142 +0x228
created by github.com/projectdiscovery/nuclei/v2/pkg/requests.(*HTTPRequest).makeHTTPRequestFromRaw
	/Users/bauthard/Documents/GitHub/nuclei/v2/pkg/requests/http-request.go:134 +0xaf
```
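The feature proposed in the first comment and the panic reproduced in the "confirmed not working" comment are two sides of the same step: a YAML decoder hands the inline `payloads:` block back as loosely typed scalars (an unquoted `12345` is an int, not a string), and the generator must coerce them before building attack combinations. The following Go program is an added example, not nuclei's code and not written by anyone in this thread. It takes the decoded shape of the template above as a constructed input, coerces each value to a string, expands the sets with cluster-bomb and pitchfork strategies, and renders the `Authorization: Basic {{base64(username:password)}}` header for each combination. The attack semantics (cluster bomb = every combination, pitchfork = lock step up to the shortest list) are the Burp Intruder meanings and are assumed here; sniper is not covered because the thread does not define it. The hostname and all function names are illustrative.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Payloads is the shape a YAML decoder hands back for an inline
// `payloads:` block: parameter name -> list of loosely typed scalars.
// An unquoted 12345 arrives as an int, not a string, which is exactly
// what a "interface {} is int, not string" assertion trips over.
type Payloads map[string][]interface{}

// normalize coerces every scalar to its string form so later stages can
// assume []string. Unsupported values (maps, nested lists) are reported
// instead of silently dropped or type-asserted.
func normalize(p Payloads) (map[string][]string, error) {
	out := make(map[string][]string, len(p))
	for name, values := range p {
		for _, v := range values {
			switch t := v.(type) {
			case string:
				out[name] = append(out[name], t)
			case int, int64, float64, bool:
				out[name] = append(out[name], fmt.Sprint(t))
			default:
				return nil, fmt.Errorf("payload %q: unsupported value type %T", name, v)
			}
		}
	}
	return out, nil
}

// clusterbomb returns every combination across the named sets, varying
// the last name fastest (assumed Burp Intruder "cluster bomb" semantics).
// An empty or missing set yields no combinations at all.
func clusterbomb(names []string, sets map[string][]string) []map[string]string {
	combos := []map[string]string{{}}
	for _, name := range names {
		var next []map[string]string
		for _, c := range combos {
			for _, v := range sets[name] {
				m := make(map[string]string, len(c)+1)
				for k, val := range c {
					m[k] = val
				}
				m[name] = v
				next = append(next, m)
			}
		}
		combos = next
	}
	return combos
}

// pitchfork walks all sets in lock step and stops at the shortest one
// (assumed Burp Intruder "pitchfork" semantics).
func pitchfork(names []string, sets map[string][]string) []map[string]string {
	n := -1
	for _, name := range names {
		if n < 0 || len(sets[name]) < n {
			n = len(sets[name])
		}
	}
	var combos []map[string]string
	for i := 0; i < n; i++ {
		m := make(map[string]string, len(names))
		for _, name := range names {
			m[name] = sets[name][i]
		}
		combos = append(combos, m)
	}
	return combos
}

// basicAuth is the header value the template builds with
// {{base64(username:password)}}.
func basicAuth(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// renderRequests instantiates the raw request from the thread once per
// combination. hostname is a placeholder; nothing is sent on the wire.
func renderRequests(hostname string, combos []map[string]string) []string {
	reqs := make([]string, 0, len(combos))
	for _, c := range combos {
		reqs = append(reqs, strings.Join([]string{
			"GET /manager/html HTTP/1.1",
			"Host: " + hostname,
			"Authorization: " + basicAuth(c["username"], c["password"]),
			"Connection: close",
			"", "", // blank line terminates the header block
		}, "\r\n"))
	}
	return reqs
}

func main() {
	// Constructed input mirroring the template above, numeric passwords
	// left unquoted so they decode as ints.
	p := Payloads{
		"username": {"admin"},
		"password": {"admin", "guest", "password", "test", 12345, 123456},
	}
	sets, err := normalize(p)
	if err != nil {
		panic(err)
	}
	names := []string{"username", "password"} // template order
	for _, r := range renderRequests("example.local", clusterbomb(names, sets)) {
		fmt.Print(r)
	}
	fmt.Printf("clusterbomb: %d requests, pitchfork: %d requests\n",
		len(clusterbomb(names, sets)), len(pitchfork(names, sets)))
}
```

With one username and six passwords, cluster bomb produces six requests and pitchfork only one, because the username list is exhausted after the first row; that difference is why a default-credential check wants `clusterbomb`, while paired user/password lists want `pitchfork`.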
I found a similar issue; the YAML is valid but nuclei cannot unmarshal it.
Template:
```yaml
requests:
  - payloads:
      data:
        - "<username>dwisiswant0</username><password>123456</password>"
    attack: clusterbomb
  - raw:
      - |
        POST /xml-test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml;charset=UTF-8
        Connection: close

        <xml-test>{{base64(data)}}</xml-test>
```
Output:
```
[ERR] Could not parse file '/tmp/xml-test.yaml': yaml: unmarshal errors:
  line 15: cannot unmarshal !!seq into string
```
@dwisiswant0 there is a known issue with the current PR which still needs to be fixed, but this particular feature works for me if you check out this PR https://github.com/projectdiscovery/nuclei/pull/168. Try putting `data` in between `"`:

```
<xml-test>{{base64("data")}}</xml-test>
```

PS: This is still in a testing phase.
Example:
Instead of using `wordlist_param_a.txt` or `wordlist_param_b.txt` from the local system, this will allow users to feed payloads in the templates themselves, useful for default password checks and more.