projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Support Multiple events generation using operators #5353

Open tarunKoyalwar opened 3 months ago

tarunKoyalwar commented 3 months ago

Please describe your feature request:

```yaml
id: ldap-obb
info:
  name: ADObject represents an Active Directory object
  author: pussycat0x
  severity: high
  description: |
    EasyCVR video management platform has leaked user information
  reference:
    - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/ldap.ADObject
  metadata:
    verified: true
    shodan-query: ldap
  tags: unauth,easycvr,misconfig

javascript:
  - code: |
      const ldap = require('nuclei/ldap');
      const cfg = new ldap.Config();
      cfg.Upgrade = true;
      const client = ldap.Client(Host, Port, cfg);
      const users = client.GetADUsers();
      Export(users)

    args:
      Host: "ldap://{{Host}}"
      Port: 389

    extractors:
      - type: json
        json:
          - '"DistinguishedName: " + .DistinguishedName'
          - '"SAMAccountName: " + .SAMAccountName'
          - '"PWDLastSet: " + .PWDLastSet'
          - '"LastLogon: " + .LastLogon'
          - '"MemberOf: " + .MemberOf'
          - '"ServicePrincipalName: " + .ServicePrincipalName'
```

[!NOTE] The above template shows a use case where writing a template in this form does not work.

Some templates require creating multiple events from a single request of a protocol. This can be achieved if the count of results is pre-determined, like tech-detect using named extractors or matchers, but if the resultant output is an array or slice then it can't be implemented using named matchers or extractors.

One way we can implement support for this is using `part` in operators: if it is an array or slice type, an explicit option allows iterating over it.

Something like:

```yaml
id: ldap-obb
info:
  name: ADObject represents an Active Directory object
  author: pussycat0x
  severity: high
  description: |
    EasyCVR video management platform has leaked user information
  reference:
    - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/ldap.ADObject
  metadata:
    verified: true
    shodan-query: ldap
  tags: unauth,easycvr,misconfig

javascript:
  - code: |
      const ldap = require('nuclei/ldap');
      const cfg = new ldap.Config();
      cfg.Upgrade = true;
      const client = ldap.Client(Host, Port, cfg);
      const users = client.GetADUsers();
      Export(users)

    args:
      Host: "ldap://{{Host}}"
      Port: 389

    extractors:
      - type: json
        part: users
        iterate-all: true # <- will iterate if users is an array and generate multiple results
        json:
          - '"DistinguishedName: " + .DistinguishedName'
          - '"SAMAccountName: " + .SAMAccountName'
          - '"PWDLastSet: " + .PWDLastSet'
          - '"LastLogon: " + .LastLogon'
          - '"MemberOf: " + .MemberOf'
          - '"ServicePrincipalName: " + .ServicePrincipalName'
```

This will be easy to implement, will not break any other features, and can be implemented on both matchers and extractors.

tarunKoyalwar commented 3 months ago

ping @princechaddha @ehsandeep for proposed syntax and priority / requirement

princechaddha commented 3 months ago

The proposed syntax looks good.