projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Erroneous extractor logic - 28 checks failing to detect issues #4993

Closed denandz closed 7 months ago

denandz commented 7 months ago

While triaging issue projectdiscovery/nuclei-templates#9479 I determined a template pattern that leads to checks silently failing. I have tested this against multiple default credentials checks to confirm. There is a potential of 251 affected checks which are currently faulty and failing to detect their respective vulnerabilities.

When a template specifies an extractor, such as to retrieve a CSRF token or similar, but only defines one entry in the http object array, the extractor fails and the template will not work. Sometimes this returns an undefined variable error with -v, sometimes it silently fails. An example of the erroneous check and the fix for the check is available in pull request projectdiscovery/nuclei-templates#9480

Here is an example broken check. The issue is the single http object and extractor to grab the token variable. There should be two http objects, one to get the value and the second that uses it.

id: tiny-filemanager-default-login

info:
  name: Tiny File Manager - Default Login
...omitted for brevity... 

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        fm_usr={{user}}&fm_pwd={{pass}}&token={{token}}
      - |
        GET /?p= HTTP/1.1
        Host: {{Hostname}}

    attack: pitchfork
...yoink...
    extractors:
      - type: regex
        name: token
        part: body
        regex:
          - '([a-f0-9]{64})'
        internal: true

I have tested this against Wazuh, TinyFileUploader, Kanboard and phpmyadmin. The latter two also fail due to the DSL matcher logic being incorrect. Repro information is included below, along with a patch file showing the fixed check.

To determine which other checks may be broken, I listed all http modules which have one http array entry, multiple raw request entries under http[0], and an extractor. These are most likely to be broken. More broken checks likely exist, such as templates with 1 http object using multiple method requests. I will continue to dig as time permits and update this issue.

At this stage it looks like all of these checks need to be manually reviewed, along with any others that use extractor logic to pull information from a response, and a single http array object.

This raises another issue about the lack of unit testing for checks. I assume these checks worked at some point, and due to extractor logic or yaml parsing changes now are broken. Some form of automated template testing would really benefit the project and help with Nuclei's trustworthiness regarding false-negatives.

Nuclei Version:

nuclei --version
[INF] Nuclei Engine Version: v3.2.3
[INF] Nuclei Config Directory: /home/doi/.config/nuclei
[INF] Nuclei Cache Directory: /home/doi/.cache/nuclei
[INF] PDCP Directory: /home/doi/.pdcp

Command to reproduce:

One example is available in issue projectdiscovery/nuclei-templates#9479 and pull projectdiscovery/nuclei-templates#9480

Three more examples are included below:

TinyFileUploader:

Run a test version with docker run -d -p 80:80 --rm tinyfilemanager/tinyfilemanager:master

Broken check:

$ nuclei -t http/default-logins/tiny-file-manager-default-login.yaml -u http://127.0.0.1/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!

Patch - create two http objects with the extractor on the first one

diff --git a/http/default-logins/tiny-file-manager-default-login.yaml b/http/default-logins/tiny-file-manager-default-login.yaml
index 994cc8da31..f296bc070c 100644
--- a/http/default-logins/tiny-file-manager-default-login.yaml
+++ b/http/default-logins/tiny-file-manager-default-login.yaml
@@ -23,6 +23,14 @@ http:
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
+    extractors:
+      - type: regex
+        name: token
+        part: body
+        regex:
+          - '([a-f0-9]{64})'
+        internal: true
+  - raw:
       - |
         POST / HTTP/1.1
         Host: {{Hostname}}
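Review bot: the moved extractor keeps `internal: true`, which is what lets the second block consume `{{token}}`, but its regex `'([a-f0-9]{64})'` is unanchored and accepts any 64-character hex string in the GET response (a hash or asset fingerprint would do), which would then be posted as the token and fail without any error. Anchor it on the surrounding form field, as the kanboard patch does with `name=\"csrf_token\" value=\"([0-9a-z]+)\"`, and set `group: 1`.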
@@ -56,12 +64,5 @@ http:
         status:
           - 200

-    extractors:
-      - type: regex
-        name: token
-        part: body
-        regex:
-          - '([a-f0-9]{64})'
-        internal: true

 # digest: 490a0046304402203a6d1f960ddfa4db3523830d956bd204b0b45293b82f04cfb4f9ef2e12197d19022027eb9849b05622c8350ed6179482e038a785a90d0748cf23625e223b85395479:922c64590222798bb761d5b6d8e72950
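Review bot: the `# digest:` trailer is left untouched although the template body changed, so the signature no longer matches and nuclei loads the file as unsigned (the fixed run shows `Loading 1 unsigned templates for scan`). Remove the stale digest or re-sign before this is committed; removing the duplicate extractor from the second block is otherwise the right change.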

Fixed check:

nuclei -t http/default-logins/tiny-file-manager-default-login.yaml -u http://127.0.0.1/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[tiny-filemanager-default-login] [http] [high] http://127.0.0.1/index.php?p= [pass="admin@123",user="admin"]

Kanboard

Run a test version with docker run --rm -d --name kanboard -p 8082:80 -t kanboard/kanboard:v1.2.8

Broken check:

nuclei -t http/default-logins/kanboard-default-login.yaml -u http://127.0.0.1:8082/ 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!

Patch file - note the DSL check here was also faulty so I had to change it to correctly detect the successful login:

diff --git a/http/default-logins/kanboard-default-login.yaml b/http/default-logins/kanboard-default-login.yaml
index b3595760a0..1de4d85b67 100644
--- a/http/default-logins/kanboard-default-login.yaml
+++ b/http/default-logins/kanboard-default-login.yaml
@@ -24,6 +24,15 @@ http:
       - |
         GET /?controller=AuthController&action=login HTTP/1.1
         Host: {{Hostname}}
+    extractors:
+      - type: regex
+        name: csrf_token
+        part: body
+        group: 1
+        regex:
+          - "hidden\" name=\"csrf_token\" value=\"([0-9a-z]+)\""
+        internal: true
+  - raw:
       - |
         POST /?controller=AuthController&action=check HTTP/1.1
         Host: {{Hostname}}
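Review bot: the extractor pattern `hidden\" name=\"csrf_token\" value=\"([0-9a-z]+)\"` depends on the exact attribute order and quoting of the login form; if the markup differs, the extractor yields nothing, the POST goes out with an empty `csrf_token`, and the only remaining signal is the status code. Consider a matcher on this first block (for example a `word` matcher on `csrf_token`) so an extraction failure surfaces as a non-match instead of a silent false negative.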
@@ -38,19 +47,9 @@ http:
       pass:
         - admin

-    extractors:
-      - type: regex
-        name: csrf_token
-        part: body
-        group: 1
-        regex:
-          - "hidden\" name=\"csrf_token\" value=\"([0-9a-z]+)\""
-        internal: true
     matchers:
       - type: dsl
         dsl:
-          - contains(location, 'controller=DashboardController&action=show')
           - status_code == 302
-        condition: and
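Review bot: with `contains(location, 'controller=DashboardController&action=show')` and `condition: and` removed, the matcher is `status_code == 302` alone, and a redirect on a failed login would fire it too, so the false negative may turn into a false positive. Before committing, run the check with a wrong password and confirm it does not match; if it does, restore a check on the redirect target (the removed line's intent) in a form the DSL evaluates, or add a negative match on the login form.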

Fixed check:

nuclei -t http/default-logins/kanboard-default-login.yaml -u http://127.0.0.1:8082/  

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[kanboard-default-login] [http] [high] http://127.0.0.1:8082/?controller=AuthController&action=check [pass="admin",user="admin"]

Phpmyadmin

Phpmyadmin default creds check was not working due to the erroneous extractor logic too. This one also had a broken DSL matcher. The patch file below is included for testing purposes; more work is required to fix this check so it grabs a new CSRF token for every request the clusterbomb run makes.

Ran with docker compose using the following compose file:

version: '3'

networks:
    mysql-phpmyadmin:
        driver: bridge

services:
    mysql:
        image: mysql:8.0
        container_name: mysql
        environment:
            MYSQL_ROOT_PASSWORD: root
            MYSQL_DATABASE: database_name
            MYSQL_USER: mysql
            MYSQL_PASSWORD: mysql
        ports:
            - 6033:3306
        networks:
            mysql-phpmyadmin:
                aliases:
                - mysql

    phpmyadmin:
        image: phpmyadmin:5.2.0
        container_name: phpmyadmin
        links:
            - mysql
        environment:
            PMA_HOST: 172.18.0.1
            PMA_PORT: 6033
        ports:
            - 8081:80
        networks:
            mysql-phpmyadmin:
                aliases:
                - phpmyadmin

Broken check:

nuclei -t http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml -u http://127.0.0.1:8081/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!

Patch file:

diff --git a/http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml b/http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml
index cebc1db613..296a577d01 100644
--- a/http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml
+++ b/http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml
@@ -1,7 +1,7 @@
 id: phpmyadmin-default-login

 info:
-  name: phpMyAdmin - Default Login
+  name: phpMyAdmin - Default Login TESTING ONLY DO NOT COMMIT
   author: Natto97,notwhy
   severity: high
   description: phpMyAdmin contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
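Review bot: the `info.name` change to `... TESTING ONLY DO NOT COMMIT` is a deliberate marker and fine for a repro patch, but it has to be reverted before any of this lands, and the `# digest:` trailer later in the file will need re-signing at the same time.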
@@ -22,25 +22,6 @@ http:
       - |
         GET /index.php HTTP/1.1
         Host: {{Hostname}}
-      - |
-        POST /index.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-        Cookie: phpMyAdmin={{token2}}; pma_lang=en
-
-        set_session={{session}}&pma_username={{user}}&pma_password={{password}}&server=1&route=%2F&token={{token}}
-
-    attack: clusterbomb
-    payloads:
-      user:
-        - root
-        - mysql
-      password:
-        - 123456
-        - root
-        - mysql
-        - toor
-
     extractors:
       - type: regex
         name: token
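Review bot: this hunk leaves the first block with only the GET and the extractors, which is the shape the fix needs, but it also deletes the full payload lists (`root`/`mysql` users, four passwords) that the later hunk only partly restores; call that out in the PR so the reduced coverage is not lost by accident. The GET block still has no matcher, so a failed extraction produces empty `{{token}}`/`{{session}}` values and the POST proceeds regardless.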
@@ -63,15 +44,26 @@ http:
         group: 2
         regex:
           - "phpMyAdmin(_https)?=([0-9a-z]+)" # for HTTPS
+  - raw:
+      - |
+        POST /index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: phpMyAdmin={{token2}}; pma_lang=en
+
+        set_session={{session}}&pma_username={{user}}&pma_password={{password}}&server=1&route=%2F&token={{token}}
+
     stop-at-first-match: true
+    attack: clusterbomb
+    payloads:
+      user:
+        - root
+      password:
+        - root

-    matchers-condition: and
     matchers:
-      - type: dsl
-        dsl:
-          - contains(header_2, "phpMyAdmin=") && contains(header_2, "pmaUser-1=")
-          - status_code_2 == 302
-          - contains(header_2, 'index.php?collation_connection=utf8mb4_unicode_ci') || contains(header_2, '/index.php?route=/&route=%2F')
-        condition: and
+      - type: status
+        status: 
+          - 302 

 # digest: 4a0a00473045022100c2bb516f2d7be7f4affe92092982ab1664aa72dcc62046cf7343ad742c4e1b26022016a9f0a2ea4a1a9d3920d7ed88d94cc02b103d8363a35c2fd8ec377c4eed9234:922c64590222798bb761d5b6d8e72950
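Review bot: the replacement matcher is a bare `status: 302`, which drops the `pmaUser-1=` cookie check that tied the match to a completed login. If that DSL is reinstated, note that its `header_2`/`status_code_2` names indexed the second raw request of the old single block; after the split the POST is the only request in its block, so the unsuffixed `header`/`status_code` are the ones to use. The `payloads` block is also cut to `root`/`root`, and the `# digest:` trailer no longer matches the file.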

Fixed check:

$ nuclei -t http/default-logins/phpmyadmin/phpmyadmin-default-login.yaml -u http://127.0.0.1:8081/  -v --proxy http://127.0.0.1:8080

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[VER] Using http://127.0.0.1:8080 as proxy server
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [phpmyadmin-default-login] Sent HTTP request to http://127.0.0.1:8081/index.php
[VER] [phpmyadmin-default-login] Sent HTTP request to http://127.0.0.1:8081/index.php
[phpmyadmin-default-login] [http] [high] http://127.0.0.1:8081/index.php [password="root",user="root"]

Template files:

I used the following one-liner to find all the potentially problematic test files. These are the most likely to false-negative due to broken logic. As mentioned above, I'm only looking at raw http objects, others may be broken too.

doi@DESKTOP-B49A2DEE:/dev/shm/nuclei-templates/http$ ack extractors | cut -f1 -d: | while read f; do echo "$f:" `yq '.http | length' < $f` ":" `yq '.http[0].raw | length' < $f`; done  | grep -v ': 0$' | grep -v ': 1$' | grep ': 1 :' | wc -l
251

This greps for extractors, then counts the length of the http array and the raw array, then greps out only the ones that have a single http object and multiple raw objects. This one-liner is quick and dirty, a proper script that checked for the broken condition would be much much better.

The one-liner produces the following checks:

denandz commented 7 months ago

I wrote the following little bit of code to find all templates which used multiple HTTP raw requests with extractors and variables.

This has highlighted 225 checks that may be broken and need further triage.

package main

import (
    "fmt"
    "log"
    "os"
    "strings"

    "github.com/projectdiscovery/nuclei/v3/pkg/templates"
    "gopkg.in/yaml.v2"
)

func main() {

    if len(os.Args) != 2 {
        log.Fatal("run as ./nucleilint <pathtoyaml>.yaml")
    }

    bin, err := os.ReadFile(os.Args[1])
    if err != nil {
        log.Fatal(err)
    }

    var yamlTemplate templates.Template
    err = yaml.Unmarshal(bin, &yamlTemplate)
    if err != nil {
        log.Fatal(err)
    }

    //  fmt.Printf("Processing: %s\n", yamlTemplate.ID)

    http := yamlTemplate.RequestsHTTP

    // no http object, or more than one http object, not checking...
    if len(http) != 1 {
        return
    }

    // no extractors, return
    if len(http[0].Operators.Extractors) == 0 {
        return
    }

    // only one raw request, issue affects two raw requests
    if len(http[0].Raw) < 2 {
        return
    }

    // loop each extractor, if the variable name is in the raw requests
    // then we have an extractor bug
    for _, e := range http[0].Operators.Extractors {
        // var has no name, how could it be used in a subsequent raw template?
        if e.Name == "" {
            continue
        }

        for _, raw := range http[0].Raw {
            if strings.Contains(raw, "{{"+e.Name+"}}") {
                fmt.Printf("[!] Buggy extractor use found - template: %s var: %s\n", yamlTemplate.ID, e.Name)
            }
        }
    }
}

Output of find /dev/shm/nuclei-templates/http/ -name '*.yaml' -exec ./nucleilint {} \; below:

[!] Buggy extractor use found - template: yonyou-u8-crm-fileupload var: path
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: nonce
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: form_id
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: post_id
[!] Buggy extractor use found - template: seatreg-redirect var: seatreg-admin-nonce
[!] Buggy extractor use found - template: notificationx-sqli var: apikey
[!] Buggy extractor use found - template: weaver-uploadoperation-file-upload var: fileid
[!] Buggy extractor use found - template: weaver-login-sessionkey var: timestamp
[!] Buggy extractor use found - template: weaver-lazyuploadify-file-upload var: attachmentID
[!] Buggy extractor use found - template: weaver-lazyuploadify-file-upload var: attachmentName
[!] Buggy extractor use found - template: weaver-ktreeuploadaction-file-upload var: filename
[!] Buggy extractor use found - template: weaver-jquery-file-upload var: attachmentID
[!] Buggy extractor use found - template: weaver-ebridge-lfi var: idname
[!] Buggy extractor use found - template: weaver-eoffice-file-upload var: id
[!] Buggy extractor use found - template: wanhu-oa-fileupload-controller var: filename
[!] Buggy extractor use found - template: tongda-login-code-authbypass var: uid
[!] Buggy extractor use found - template: tongda-login-code-authbypass var: cookie
[!] Buggy extractor use found - template: tongda-arbitrary-login var: cookie
[!] Buggy extractor use found - template: ruijie-eg-rce var: admin
[!] Buggy extractor use found - template: realor-gwt-system-sqli var: cookie
[!] Buggy extractor use found - template: yapi-rce var: group_id
[!] Buggy extractor use found - template: yapi-rce var: interface_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: powercreator-cms-rce var: endpoint
[!] Buggy extractor use found - template: podcast-generator-ssrf var: token
[!] Buggy extractor use found - template: pega-log4j-rce var: location
[!] Buggy extractor use found - template: goanywhere-mft-log4j-rce var: view
[!] Buggy extractor use found - template: jorani-benjamin-xss var: csrf
[!] Buggy extractor use found - template: rusty-joomla var: csrf
[!] Buggy extractor use found - template: hikvision-ivms-file-upload-rce var: res_id
[!] Buggy extractor use found - template: gitlab-rce var: csrf-token
[!] Buggy extractor use found - template: gitea-rce var: repo
[!] Buggy extractor use found - template: gitea-rce var: repo
[!] Buggy extractor use found - template: apache-solr-file-read var: core
[!] Buggy extractor use found - template: apache-solr-file-read var: core
[!] Buggy extractor use found - template: csrf-guard-detect var: masterToken
[!] Buggy extractor use found - template: unauthorized-plastic-scm var: csrf
[!] Buggy extractor use found - template: servicenow-widget-misconfig var: user-token
[!] Buggy extractor use found - template: seeyon-unauth var: session
[!] Buggy extractor use found - template: docker-daemon-exposed var: version
[!] Buggy extractor use found - template: qvisdvr-deserialization-rce var: token
[!] Buggy extractor use found - template: aspcms-backend-panel var: path
[!] Buggy extractor use found - template: wazuh-default-login var: osd
[!] Buggy extractor use found - template: vidyo-default-login var: csrf_tkn
[!] Buggy extractor use found - template: vidyo-default-login var: session
[!] Buggy extractor use found - template: versa-flexvnf-default-login var: xsrf_token
[!] Buggy extractor use found - template: tiny-filemanager-default-login var: token
[!] Buggy extractor use found - template: structurizr-default-login var: csrf
[!] Buggy extractor use found - template: steve-default-login var: csrf
[!] Buggy extractor use found - template: splunk-default-login var: cval
[!] Buggy extractor use found - template: rancher-default-login var: csrf
[!] Buggy extractor use found - template: rainloop-default-login var: token
[!] Buggy extractor use found - template: phpmyadmin-default-login var: token
[!] Buggy extractor use found - template: phpmyadmin-default-login var: token2
[!] Buggy extractor use found - template: phpmyadmin-default-login var: session
[!] Buggy extractor use found - template: octobercms-default-login var: token
[!] Buggy extractor use found - template: nagiosxi-default-login var: nsp
[!] Buggy extractor use found - template: magnolia-default-login var: csrf
[!] Buggy extractor use found - template: magnolia-default-login var: csrf
[!] Buggy extractor use found - template: magnolia-default-login var: session
[!] Buggy extractor use found - template: magnolia-default-login var: session
[!] Buggy extractor use found - template: kanboard-default-login var: csrf_token
[!] Buggy extractor use found - template: hybris-default-login var: csrftoken
[!] Buggy extractor use found - template: glpi-default-login var: token
[!] Buggy extractor use found - template: glpi-default-login var: name
[!] Buggy extractor use found - template: glpi-default-login var: password
[!] Buggy extractor use found - template: fuelcms-default-login var: csrftoken
[!] Buggy extractor use found - template: dvwa-default-login var: token
[!] Buggy extractor use found - template: dvwa-default-login var: session
[!] Buggy extractor use found - template: hue-default-credential var: csrfmiddlewaretoken
[!] Buggy extractor use found - template: camunda-default-login var: xsrf_token
[!] Buggy extractor use found - template: airflow-default-login var: csrf_token
[!] Buggy extractor use found - template: CVE-2024-29059 var: objref
[!] Buggy extractor use found - template: CVE-2024-25600 var: nonce
[!] Buggy extractor use found - template: CVE-2024-20767 var: extracted_uuid
[!] Buggy extractor use found - template: CVE-2024-1071 var: nonce
[!] Buggy extractor use found - template: CVE-2023-6909 var: EXPERIMENT_ID
[!] Buggy extractor use found - template: CVE-2023-6909 var: RUN_ID
[!] Buggy extractor use found - template: CVE-2023-5556 var: csrf
[!] Buggy extractor use found - template: CVE-2023-5556 var: workspace
[!] Buggy extractor use found - template: CVE-2023-5360 var: nonce
[!] Buggy extractor use found - template: CVE-2023-5360 var: filename
[!] Buggy extractor use found - template: CVE-2023-52085 var: _token
[!] Buggy extractor use found - template: CVE-2023-52085 var: _token
[!] Buggy extractor use found - template: CVE-2023-4966 var: session
[!] Buggy extractor use found - template: CVE-2023-48777 var: nonce
[!] Buggy extractor use found - template: CVE-2023-47643 var: csrftoken
[!] Buggy extractor use found - template: CVE-2023-47211 var: x_zcsrf_token
[!] Buggy extractor use found - template: CVE-2023-47211 var: x_zcsrf_token
[!] Buggy extractor use found - template: CVE-2023-47115 var: csrftoken
[!] Buggy extractor use found - template: CVE-2023-47115 var: id
[!] Buggy extractor use found - template: CVE-2023-47115 var: filename
[!] Buggy extractor use found - template: CVE-2023-4596 var: forminator_nonce
[!] Buggy extractor use found - template: CVE-2023-4596 var: form_id
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-39002 var: para
[!] Buggy extractor use found - template: CVE-2023-39002 var: value
[!] Buggy extractor use found - template: CVE-2023-38646 var: token
[!] Buggy extractor use found - template: CVE-2023-3836 var: shell_filename
[!] Buggy extractor use found - template: CVE-2023-36934 var: session
[!] Buggy extractor use found - template: CVE-2023-36844 var: inifile
[!] Buggy extractor use found - template: CVE-2023-3460 var: path
[!] Buggy extractor use found - template: CVE-2023-3460 var: path
[!] Buggy extractor use found - template: CVE-2023-3460 var: version
[!] Buggy extractor use found - template: CVE-2023-3460 var: formid
[!] Buggy extractor use found - template: CVE-2023-3460 var: wpnonce
[!] Buggy extractor use found - template: CVE-2023-34362 var: ips
[!] Buggy extractor use found - template: CVE-2023-34362 var: csrf
[!] Buggy extractor use found - template: CVE-2023-3345 var: nonce
[!] Buggy extractor use found - template: CVE-2023-32243 var: nonce
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-30943 var: token
[!] Buggy extractor use found - template: CVE-2023-29357 var: realm
[!] Buggy extractor use found - template: CVE-2023-29084 var: admpcsrf
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_1
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: namespace_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: x-csrf-token
[!] Buggy extractor use found - template: CVE-2023-2825 var: upload-hash
[!] Buggy extractor use found - template: CVE-2023-2780 var: version
[!] Buggy extractor use found - template: CVE-2023-27372 var: csrf
[!] Buggy extractor use found - template: CVE-2023-27350 var: printerID
[!] Buggy extractor use found - template: CVE-2023-27350 var: printerID
[!] Buggy extractor use found - template: CVE-2023-2648 var: name
[!] Buggy extractor use found - template: CVE-2023-26469 var: csrf
[!] Buggy extractor use found - template: CVE-2023-25157 var: name
[!] Buggy extractor use found - template: CVE-2023-25157 var: name
[!] Buggy extractor use found - template: CVE-2023-25157 var: column
[!] Buggy extractor use found - template: CVE-2023-2356 var: version
[!] Buggy extractor use found - template: CVE-2023-22620 var: session
[!] Buggy extractor use found - template: CVE-2023-2224 var: nonce
[!] Buggy extractor use found - template: CVE-2023-20889 var: csrf
[!] Buggy extractor use found - template: CVE-2023-20888 var: csrf
[!] Buggy extractor use found - template: CVE-2023-20864 var: xcsrftoken
[!] Buggy extractor use found - template: CVE-2023-2009 var: nonce
[!] Buggy extractor use found - template: CVE-2023-20073 var: index
[!] Buggy extractor use found - template: CVE-2023-1177 var: version
[!] Buggy extractor use found - template: CVE-2023-0900 var: nonce
[!] Buggy extractor use found - template: CVE-2023-0777 var: csrftoken
[!] Buggy extractor use found - template: CVE-2022-47003 var: siteid
[!] Buggy extractor use found - template: CVE-2022-47003 var: uuid
[!] Buggy extractor use found - template: CVE-2022-47002 var: siteid
[!] Buggy extractor use found - template: CVE-2022-47002 var: uuid
[!] Buggy extractor use found - template: CVE-2022-46020 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-46020 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-46020 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-46020 var: app_name
[!] Buggy extractor use found - template: CVE-2022-45038 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-45038 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-45038 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-45038 var: app_name
[!] Buggy extractor use found - template: CVE-2022-45037 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-45037 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-45037 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-45037 var: username_fieldname_2
[!] Buggy extractor use found - template: CVE-2022-44957 var: csrf
[!] Buggy extractor use found - template: CVE-2022-44952 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44952 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44951 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44951 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44950 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44950 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44949 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44949 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44948 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44948 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44947 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44947 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44946 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44946 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44944 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44944 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43185 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43185 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43170 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43170 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43169 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43169 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43167 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43167 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43166 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43166 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43165 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43165 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43164 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43164 var: nonce
[!] Buggy extractor use found - template: CVE-2022-4260 var: nonce
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42096 var: name
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_token
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_token
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42094 var: name
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_token
[!] Buggy extractor use found - template: CVE-2022-4049 var: nonce
[!] Buggy extractor use found - template: CVE-2022-40127 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-3982 var: nonce
[!] Buggy extractor use found - template: CVE-2022-39048 var: csrf
[!] Buggy extractor use found - template: CVE-2022-38296 var: filename
[!] Buggy extractor use found - template: CVE-2022-37191 var: apikey
[!] Buggy extractor use found - template: CVE-2022-37190 var: apikey
[!] Buggy extractor use found - template: CVE-2022-36804 var: key
[!] Buggy extractor use found - template: CVE-2022-36804 var: slug
[!] Buggy extractor use found - template: CVE-2022-36537 var: dtid
[!] Buggy extractor use found - template: CVE-2022-3506 var: nonce
[!] Buggy extractor use found - template: CVE-2022-31854 var: csrf
[!] Buggy extractor use found - template: CVE-2022-30073 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-29272 var: nsp_token
[!] Buggy extractor use found - template: CVE-2022-2863 var: nonce
[!] Buggy extractor use found - template: CVE-2022-28117 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-2756 var: token
[!] Buggy extractor use found - template: CVE-2022-2756 var: token
[!] Buggy extractor use found - template: CVE-2022-2756 var: filename
[!] Buggy extractor use found - template: CVE-2022-25487 var: filename
[!] Buggy extractor use found - template: CVE-2022-2546 var: secretkey
[!] Buggy extractor use found - template: CVE-2022-25149 var: nonce
[!] Buggy extractor use found - template: CVE-2022-25148 var: nonce
[!] Buggy extractor use found - template: CVE-2022-23102 var: csrf
[!] Buggy extractor use found - template: CVE-2022-22972 var: protected_state
[!] Buggy extractor use found - template: CVE-2022-22972 var: horizonRelayState
[!] Buggy extractor use found - template: CVE-2022-22972 var: userstore
[!] Buggy extractor use found - template: CVE-2022-22972 var: userstoreDisplay
[!] Buggy extractor use found - template: CVE-2022-22972 var: stickyConnectorId
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: theme
[!] Buggy extractor use found - template: CVE-2022-1952 var: filename
[!] Buggy extractor use found - template: CVE-2022-1442 var: id
[!] Buggy extractor use found - template: CVE-2022-1386 var: fusionformnonce
[!] Buggy extractor use found - template: CVE-2022-1329 var: nonce
[!] Buggy extractor use found - template: CVE-2022-1058 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0968 var: form_token
[!] Buggy extractor use found - template: CVE-2022-0968 var: user
[!] Buggy extractor use found - template: CVE-2022-0968 var: email
[!] Buggy extractor use found - template: CVE-2022-0870 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0870 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0651 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0535 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0482 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-0441 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0415 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: uuid
[!] Buggy extractor use found - template: CVE-2022-0220 var: nonce
[!] Buggy extractor use found - template: CVE-2021-44451 var: csrf_token
[!] Buggy extractor use found - template: CVE-2021-43421 var: hash
[!] Buggy extractor use found - template: CVE-2021-42258 var: VS
[!] Buggy extractor use found - template: CVE-2021-42258 var: VSG
[!] Buggy extractor use found - template: CVE-2021-42258 var: EV
[!] Buggy extractor use found - template: CVE-2021-42192 var: id
[!] Buggy extractor use found - template: CVE-2021-42192 var: id
[!] Buggy extractor use found - template: CVE-2021-42192 var: token
[!] Buggy extractor use found - template: CVE-2021-42192 var: token
[!] Buggy extractor use found - template: CVE-2021-41432 var: nonce
[!] Buggy extractor use found - template: CVE-2021-41282 var: csrf_token
[!] Buggy extractor use found - template: CVE-2021-40323 var: profile
[!] Buggy extractor use found - template: CVE-2021-38540 var: csrf
[!] Buggy extractor use found - template: CVE-2021-36873 var: nonce
[!] Buggy extractor use found - template: CVE-2021-36450 var: csrfp_login
[!] Buggy extractor use found - template: CVE-2021-35323 var: tokenCSRF
[!] Buggy extractor use found - template: CVE-2021-33851 var: nonce
[!] Buggy extractor use found - template: CVE-2021-32172 var: hash
[!] Buggy extractor use found - template: CVE-2021-27905 var: core
[!] Buggy extractor use found - template: CVE-2021-27850 var: id
[!] Buggy extractor use found - template: CVE-2021-26598 var: token
[!] Buggy extractor use found - template: CVE-2021-25299 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25298 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25298 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-25297 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25297 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-25296 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25296 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-24358 var: username
[!] Buggy extractor use found - template: CVE-2021-24358 var: username
[!] Buggy extractor use found - template: CVE-2021-24347 var: nonce
[!] Buggy extractor use found - template: CVE-2021-24155 var: nonce
[!] Buggy extractor use found - template: CVE-2021-22986 var: token
[!] Buggy extractor use found - template: CVE-2020-9043 var: authkey
[!] Buggy extractor use found - template: CVE-2020-9043 var: nonce
[!] Buggy extractor use found - template: CVE-2020-8772 var: username
[!] Buggy extractor use found - template: CVE-2020-8772 var: username
[!] Buggy extractor use found - template: CVE-2020-8644 var: csrf
[!] Buggy extractor use found - template: CVE-2020-8193 var: randkey
[!] Buggy extractor use found - template: CVE-2020-8193 var: randkey
[!] Buggy extractor use found - template: CVE-2020-7136 var: sessionid
[!] Buggy extractor use found - template: CVE-2020-35987 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35987 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35986 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35986 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35985 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35985 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35984 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35984 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35951 var: fullpath
[!] Buggy extractor use found - template: CVE-2020-24186 var: wmuSecurity
[!] Buggy extractor use found - template: CVE-2020-23697 var: csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: last_commit
[!] Buggy extractor use found - template: CVE-2020-14144 var: csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: last_commit
[!] Buggy extractor use found - template: CVE-2020-12116 var: endpoint
[!] Buggy extractor use found - template: CVE-2020-11978 var: exec_date
[!] Buggy extractor use found - template: CVE-2019-8390 var: csrf
[!] Buggy extractor use found - template: CVE-2019-7192 var: album_id
[!] Buggy extractor use found - template: CVE-2019-7192 var: album_id
[!] Buggy extractor use found - template: CVE-2019-7192 var: access_code
[!] Buggy extractor use found - template: CVE-2019-3398 var: csrftoken
[!] Buggy extractor use found - template: CVE-2019-3398 var: draftID
[!] Buggy extractor use found - template: CVE-2019-3398 var: draftID
[!] Buggy extractor use found - template: CVE-2019-2579 var: authkey
[!] Buggy extractor use found - template: CVE-2019-20183 var: endpoint
[!] Buggy extractor use found - template: CVE-2019-17558 var: core
[!] Buggy extractor use found - template: CVE-2019-17558 var: core
[!] Buggy extractor use found - template: CVE-2019-14750 var: csrftoken
[!] Buggy extractor use found - template: CVE-2019-13396 var: token
[!] Buggy extractor use found - template: CVE-2019-0193 var: core
[!] Buggy extractor use found - template: CVE-2018-7602 var: userid
[!] Buggy extractor use found - template: CVE-2018-7602 var: userid
[!] Buggy extractor use found - template: CVE-2018-7602 var: form_token
[!] Buggy extractor use found - template: CVE-2018-7602 var: form_build_id
[!] Buggy extractor use found - template: CVE-2018-3760 var: path
[!] Buggy extractor use found - template: CVE-2018-2894 var: id
[!] Buggy extractor use found - template: CVE-2018-11473 var: csrf
[!] Buggy extractor use found - template: CVE-2018-10942 var: file
[!] Buggy extractor use found - template: CVE-2018-1000533 var: path
[!] Buggy extractor use found - template: CVE-2017-12629 var: core
[!] Buggy extractor use found - template: CVE-2016-10033 var: username
[!] Buggy extractor use found - template: postman-login-check var: csrfToken
[!] Buggy extractor use found - template: github-login-check var: authenticity_token
[!] Buggy extractor use found - template: github-login-check var: timestamp
[!] Buggy extractor use found - template: github-login-check var: timestamp_secret
[!] Buggy extractor use found - template: datadog-login-check var: auth_token
[!] Buggy extractor use found - template: codepen-login-check var: token
[!] Buggy extractor use found - template: CNVD-2022-03672 var: cid
[!] Buggy extractor use found - template: CNVD-2020-68596 var: endpoint
[!] Buggy extractor use found - template: CNVD-2020-26585 var: date
[!] Buggy extractor use found - template: CNVD-2020-26585 var: file
denandz commented 7 months ago

The plot thickens.... Strangely, the docker-daemon-exposed check seemed to work fine even though it used the extractor pattern that causes issues.

Further digging showed adding an attack object to the template broke it in the same way as the wazuh, phpmyadmin, tinyfileuploader, kanboard etc checks. Dig this:

Works, even though testing so far suggests it shouldn't...

$ nuclei -t http/misconfiguration/docker-daemon-exposed.yaml -u http://127.0.0.1:2375/  -v --proxy http://127.0.0.1:8080

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[VER] Using http://127.0.0.1:8080 as proxy server
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/version
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/v1.41/containers/json
[docker-daemon-exposed] [http] [critical] http://127.0.0.1:2375/v1.41/containers/json

I figure the difference between this check and the others is the attack object, so I add one in to test with the following patch:

diff --git a/http/misconfiguration/docker-daemon-exposed.yaml b/http/misconfiguration/docker-daemon-exposed.yaml
index 0283f63dbf..ceec043679 100644
--- a/http/misconfiguration/docker-daemon-exposed.yaml
+++ b/http/misconfiguration/docker-daemon-exposed.yaml
@@ -20,9 +20,16 @@ http:
         Host: {{Hostname}}

       - |
-        GET /v{{version}}/containers/json HTTP/1.1
+        GET /v{{version}}/containers/json&{{user}}={{pass}} HTTP/1.1
         Host: {{Hostname}}

+    attack: pitchfork
+    payloads:
+      user:
+        - admin
+      pass:
+        - admin
+
     matchers:
       - type: dsl
         dsl:
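
Review bot: the modified GET line joins the payload onto the path with `&` (`/containers/json&{{user}}={{pass}}`), so `admin=admin` becomes part of the path rather than a query parameter; if the intent is a query string, use `?{{user}}={{pass}}`. For reproducing the concurrency bug this makes no difference, since the run below stops on the unresolved `{{version}}` before the second request is sent, but a successful run would hit a different endpoint than the original template.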

And it breaks, like the others:

$ nuclei -t ./http/misconfiguration/docker-daemon-exposed.yaml -u http://127.0.0.1:2375/  -v --proxy http://127.0.0.1:8080

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

        projectdiscovery.io

[VER] Using http://127.0.0.1:8080 as proxy server
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[WRN] [docker-daemon-exposed] Could not make http request for http://127.0.0.1:2375/: unresolved variables found: version
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/version
[WRN] [docker-daemon-exposed] Could not execute request for http://127.0.0.1:2375/: stop execution due to unresolved variables
[INF] No results found. Better luck next time!

An attack object or something similar may be required for the bug to occur.

princechaddha commented 7 months ago

Hi @denandz, Thank you for taking the time to create this detailed issue and for contributing to this project 🍻

It looks like a bug has been introduced recently. We are working to fix this.

mastercho commented 7 months ago

Great, it will now take 2 months to fix this... given the template team's working speed.

princechaddha commented 7 months ago

@mastercho, it is a bug in the engine; there's nothing to fix in the templates.

Ice3man543 commented 7 months ago

@denandz I created a PR to fix this. This was caused because we enabled threads by default for templates that used payloads. This was done in order to speed up certain templates that fuzz but don't use threads. But to keep memory low, this does not share values across requests. Hence, this was happening. The fix introduced changes the logic to only occur when the requests exceed a certain threshold, in this case - NUCLEI_PAYLOAD_AUTO_CONCURRENCY_THRESHOLD env variable which is 30 by default.

This fixes it.


~/hack/tt/nuclei/cmd/nuclei fix-templates-not-working* ❯ ./nuclei -t http/default-logins/tiny-file-manager-default-login.yaml -u http://127.0.0.1/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

                projectdiscovery.io

[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
ElBogeyman commented 7 months ago

@mastercho

Great, it will now take 2 months to fix this... given the template team's working speed.

Lol, Before commenting, ensure you understand the issue. If you're capable of contributing to fixing it, please do so. Criticizing others isn't helpful.

denandz commented 7 months ago

Have checked out the fix-templates-not-working branch. TinyFileUploader and PHPMyAdmin works now, so does Kanboard provided I change the DSL matcher logic to work.

The fix introduced changes the logic to only occur when the requests exceed a certain threshold, in this case - NUCLEI_PAYLOAD_AUTO_CONCURRENCY_THRESHOLD env variable which is 30 by default.

Looking at the pull request, this is really 10 by default? Regardless of the threshold, does this mean any template that generates more than 10 payloads is going to have this same flaw?

This seems like it will cause future confusion and may still break some templates. Would it be better to detect if variable substitution with an extractor is being used, then disabling the auto concurrency? This would make sure the problem is fixed regardless of the specific input payload numbers.
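
To make the mechanism behind the threshold question concrete, here is a small executable model of the executor, added as an illustration for this write-up and not code from nuclei or from anyone in this thread. It assumes a simplified rule taken from the comments above: extracted values are shared between raw requests only while the payload count stays at or below a threshold (the constant `autoConcurrencyThreshold` is an assumed value; the thread quotes both 30 and 10), and otherwise every request starts from a fresh copy of the initial values. The Docker daemon responses are constructed for the example. Running the docker-daemon-exposed request flow through it shows the same "unresolved variables found: version" failure once the payload count crosses the threshold, and that sharing the values fixes it regardless of the count.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ASSUMED: the thread quotes 30 (comment) and 10 (PR) for the threshold.
const autoConcurrencyThreshold = 30

// extractor models a regex extractor with internal: true (capture group 1).
type extractor struct {
	name string
	re   *regexp.Regexp
}

// template is a cut-down model of one nuclei http block.
type template struct {
	raws       []string
	extractors []extractor
	payloads   int // payload combinations the attack would generate
}

var placeholder = regexp.MustCompile(`\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}`)

// render substitutes {{name}} placeholders; unknown names are reported,
// mirroring nuclei's "unresolved variables found" warning.
func render(raw string, values map[string]string) (string, error) {
	var missing []string
	out := placeholder.ReplaceAllStringFunc(raw, func(m string) string {
		name := placeholder.FindStringSubmatch(m)[1]
		if v, ok := values[name]; ok {
			return v
		}
		missing = append(missing, name)
		return m
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved variables found: %s", strings.Join(missing, ","))
	}
	return out, nil
}

// fakeTarget stands in for the Docker daemon; responses are constructed.
func fakeTarget(req string) string {
	switch strings.Fields(req)[1] { // request path
	case "/version":
		return `{"ApiVersion":"1.41"}`
	case "/v1.41/containers/json":
		return `[{"Id":"abc"}]`
	}
	return "404"
}

func copyMap(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// execute sends the raw requests in order. With shareDynamicValues set, extracted
// values go into one map that later requests read; otherwise each request starts
// from a fresh copy of the initial values (the per-request isolation in the issue).
func execute(t template, initial map[string]string, shareDynamicValues bool) ([]string, error) {
	shared := copyMap(initial)
	var responses []string
	for _, raw := range t.raws {
		values := shared
		if !shareDynamicValues {
			values = copyMap(initial)
		}
		req, err := render(raw, values)
		if err != nil {
			return responses, err
		}
		resp := fakeTarget(req)
		responses = append(responses, resp)
		for _, e := range t.extractors {
			if m := e.re.FindStringSubmatch(resp); m != nil {
				values[e.name] = m[1]
			}
		}
	}
	return responses, nil
}

// runTemplate models the threshold hot-fix: share values only while the
// payload count is at or below the threshold.
func runTemplate(t template, initial map[string]string) ([]string, error) {
	return execute(t, initial, t.payloads <= autoConcurrencyThreshold)
}

// dockerTemplate mirrors the docker-daemon-exposed flow with a variable payload count.
func dockerTemplate(payloads int) template {
	return template{
		raws: []string{
			"GET /version HTTP/1.1\nHost: {{Hostname}}\n",
			"GET /v{{version}}/containers/json HTTP/1.1\nHost: {{Hostname}}\n",
		},
		extractors: []extractor{{name: "version", re: regexp.MustCompile(`"ApiVersion":"([0-9.]+)"`)}},
		payloads:   payloads,
	}
}

func main() {
	initial := map[string]string{"Hostname": "127.0.0.1:2375"}
	for _, n := range []int{1, autoConcurrencyThreshold + 1} {
		resps, err := runTemplate(dockerTemplate(n), initial)
		fmt.Printf("payloads=%d responses=%d err=%v\n", n, len(resps), err)
	}
}
```

The point of the model is the last branch of the test: a check that breaks at threshold+1 payloads is fixed by sharing the dynamic values, not by any particular threshold, which is why tying correctness to the payload count leaves an edge case.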

tarunKoyalwar commented 7 months ago

@denandz, that was meant to be a hot fix and not a complete solution. After investigation,

we have found out that this is a design/arch level issue which only surfaced due to our recent efforts to improve nuclei scan speed by introducing the payload-concurrency -pc flag, which overrides the value of threads in templates if not specified.

Note: this bug seems to affect Nuclei from v3.1.9 onwards [that doesn't mean v3.1.9 is stable, since we have fixed lots of bugs after v3.1.9].

The linked PR should fix all breaking templates (this count can be increased to 100 just to be safe), and we will try to fix this arch/design issue in upcoming versions.

denandz commented 7 months ago

Tweaked the linter to check for the presence of an attack object, which narrows down the affected checks even further. Looks like a total of 28 checks are affected.

Updated check:

package main

import (
    "fmt"
    "log"
    "os"
    "strings"

    "github.com/projectdiscovery/nuclei/v3/pkg/templates"
    "gopkg.in/yaml.v2"
)

func main() {

    if len(os.Args) != 2 {
        log.Fatal("run as ./nucleilint <pathtoyaml>.yaml")
    }

    bin, err := os.ReadFile(os.Args[1])
    if err != nil {
        log.Fatal(err)
    }

    var yamlTemplate templates.Template
    err = yaml.Unmarshal(bin, &yamlTemplate)
    if err != nil {
        log.Fatal(err)
    }

    //  fmt.Printf("Processing: %s\n", yamlTemplate.ID)

    http := yamlTemplate.RequestsHTTP

    // no http object, or more than one http object, not checking...
    if len(http) != 1 {
        return
    }

    // no extractors, return
    if len(http[0].Operators.Extractors) == 0 {
        return
    }

    // only one raw request, issue affects two raw requests
    if len(http[0].Raw) < 2 {
        return
    }

    // needs an Attack object to be vulnerable to the concurrency issue
    if http[0].AttackType.Value == 0 {
        return
    }

    // loop each extractor, if the variable name is in the raw requests
    // then we have an extractor bug
    for _, e := range http[0].Operators.Extractors {
        // var has no name, how could it be used in a subsequent raw template?
        if e.Name == "" {
            continue
        }

        for _, raw := range http[0].Raw {
            if strings.Contains(raw, "{{"+e.Name+"}}") {
                fmt.Printf("[!] Buggy extractor use found - template: %s var: %s\n", yamlTemplate.ID, e.Name)
            }
        }
    }
}
denandz commented 7 months ago

@ehsandeep this issue isn't closed. There's an interim hot-fix but no complete solution as per @tarunKoyalwar's comment. Can you please leave this issue open until a complete solution is implemented?

ehsandeep commented 7 months ago

@denandz thanks for the ping, it was closed in an automated manner as the linked PR was merged.

A quick question: what kind of template would you expect to be affected that has >100 requests, given that request history is not supported with payloads?

denandz commented 7 months ago

Thanks @ehsandeep.

One example that comes to mind is a template that uses an input wordlist with >100 entries, where each request needs a unique nonce value. Not super common, if at all existing in the current template set, but I can see this sort of thing getting implemented as more advanced templates get submitted and the fuzzing capabilities get extended.

Something like:

http:
  - raw:
      - |
        GET /foo HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /foo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        id={{num}}&nonce={{nonce}}

    payloads:
      num: some_long_wordlist_with_more_than_100_entries.txt

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - "hidden\" name=\"nonce\" value=\"([0-9a-z]+)\""
        internal: true
denandz commented 7 months ago

Although, we'd need an attack object for this bug to crop up, right? So it would need to be some combination of wordlists/payloads and an attack configuration that leads to >100 total payloads.

Probably not super common, but I can see someone getting tripped up by the 100-payload edge case in the future.

tarunKoyalwar commented 7 months ago

@denandz, attack is a component of payloads, and this issue seems to affect the dynamic extractors + payloads combination. More context here: https://github.com/projectdiscovery/nuclei/issues/5015

Since this will be a change at the generator/core level, it might break some templates if not carefully handled, so we are first proceeding with generating unit tests for templates and then iteratively implementing this fix.

ehsandeep commented 7 months ago

@denandz thanks again for digging into this issue and sharing the details with us. The fix is now merged into the latest release, i.e. nuclei v3.2.4.

denandz commented 7 months ago

Thanks team! Love your work. Excited to see how the automated template testing works out