projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Suggestion: Implement multiple matchers in one template. #380

Closed SecGus closed 3 years ago

SecGus commented 3 years ago

Hi,

I have been using the tool a lot recently to build my own templates for bugbounty automation, and have found one of the most limiting issues to be the lack of ability to define multiple matchers. For example, imagine there is an application that is vulnerable to some sort of RCE, in the request, we tell the payload to run to be echo 'RANDOM STRING OF CHARS'; uname -a. It would be ideal to be able to tell the matchers to look for the random string AND a uname keyword, such as ubuntu, although not all systems will run ubuntu, so ideally, we would want to define the AND matcher for the random string, and an OR matcher to pass the condition multiple valid strings, such as ubuntu OR darwin.

Let me know what you think, maybe the syntax could be something along the lines of:

    matchers:
      - condition: and
        - type: word
          words:
            - "application/json"
          part: header
        - type: status
          status:
            - 200
      - condition: or
        - type: word
          words:
            - "This is valid"
            - "This is also valid"

ehsandeep commented 3 years ago

Hey @SecGus,

Thank you for sharing your feedback and feature request, we will work on the document to share all the existing possibilities to use nuclei and its matchers, for example, what you have requested above is already possible with DSL matcher.

    matchers:
      - type: dsl
        dsl:
          - contains(all_headers,'application/json') && status_code==200 || contains(body, 'This is valid') || contains(body, 'This is also valid')

You can expand this the way you want for any condition, let me know if you have any questions on this.
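For comparison, the same three conditions expressed with nuclei's native multi-matcher keys (`matchers-condition` across matchers, `condition` inside a single word matcher) rather than a DSL expression. This is an added example written for this page, not code from the issue or from the nuclei project; the template `id`, `author`, `name` and request `path` are placeholders.

```yaml
# Added example: requires status 200 AND a JSON content-type header
# AND at least one of the two body strings. Template metadata and
# the request path below are placeholders, not from the original issue.
id: multi-matcher-example

info:
  name: Multiple matchers example (placeholder)
  author: placeholder-author
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"   # placeholder path

    # Top-level combinator: every matcher in the list must hit.
    matchers-condition: and
    matchers:
      # AND-branch 1: HTTP status must be 200.
      - type: status
        status:
          - 200

      # AND-branch 2: response headers must carry a JSON content type.
      - type: word
        part: header
        words:
          - "application/json"

      # AND-branch 3: the body must contain at least one of these strings.
      # 'condition: or' applies only to the words within this matcher.
      - type: word
        part: body
        condition: or
        words:
          - "This is valid"
          - "This is also valid"
```

The `condition` key inside a word matcher defaults to `or`, so the explicit value on the last matcher documents intent; setting it to `and` would require both strings instead.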

SecGus commented 3 years ago

Brilliant! I haven't heard of DSL before, so will certainly read up on it and get to creating some nuclei templates. Thank you for the response.

ehsandeep commented 3 years ago

np @SecGus, as said we still need to do more work on the documentation part, but here you can get basic information to get started with DSL matcher https://nuclei.projectdiscovery.io/templating-guide/#matchers.

ehsandeep commented 3 years ago

@SecGus let me know if you still have any questions otherwise we can close this out.

ehsandeep commented 3 years ago

Closing as this is already possible as shared above.