projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Can't use dynamic authentication with fuzzing templates #5493

Closed C0de4you closed 1 month ago

C0de4you commented 3 months ago

Nuclei version:

Nuclei Engine Version: v3.3.0

Nuclei command:

nuclei -l openapi.json -im openapi -t templates -sresp -secret-file secrets.yaml -debug

secrets.yaml

dynamic:
  - template: login.yaml
    variables:
      - key: username 
        value: name1 
      - key: password
        value: pass1
    type: bearertoken
    domains:
      - 127.0.0.1:5002
    input: http://127.0.0.1:5002 
    token: "{{auth_token}}"

login.yaml

id: login

info:
  name: Login
  author: test 
  severity: info
  tags: login

requests:
  - raw:
      - |
        POST /users/v1/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"password": "{{password}}", "username": "{{username}}"}

    extractors:
      - type: regex
        name: auth_token 
        part: body 
        internal: true
        group: 1
        regex:
          - '"auth_token":\s*"([^"]+)"'

templates/sqli.yaml

id: sqli

info:
  name: SQLi
  author: test
  severity: critical
http:

  - matchers:
      - type: regex
        name: sql_error
        regex:
          - "SELECT"
          - "SQL"
        condition: or

    payloads:
      injection:
        - "'"
        - "\""
        - "`"

    fuzzing:
      - part: path 
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"
      - part: query 
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"
      - part: body 
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

    stop-at-first-match: true

Current Behavior:

nuclei -l openapi_done.json -im openapi -t templates -sresp -secret-file secrets.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

                projectdiscovery.io

[INF] Current nuclei version: v3.3.0 (latest)
[INF] Current nuclei-templates version: v9.9.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 13
[FTL] Could not fetch dynamic secret: no templates found for path: login.yaml

nuclei writes that it cannot find the file although it is obviously present.

Expected Behavior:

If we remove the fuzzing section from templates/sqli.yaml

id: sqli
info:
  name: SQLi
  author: test
  severity: critical
http:
  - method: GET
    path:
      - "{{BaseURL}}/api/test"

  - matchers:
      - type: regex
        name: sql_error
        regex:
          - "SELECT"
          - "SQL"
        condition: or

It works:

nuclei -u http://127.0.0.1:5002 -secret-file secrets.yaml -t templates -sresp -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

                projectdiscovery.io

[INF] Current nuclei version: v3.3.0 (latest)
[INF] Current nuclei-templates version: v9.9.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [login] Dumped HTTP request for http://127.0.0.1:5002/users/v1/login

POST /users/v1/login HTTP/1.1
Host: 127.0.0.1:5002
User-Agent: Mozilla/5.0 (Kubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Connection: close
Content-Length: 42
Content-Type: application/json
Accept-Encoding: gzip

{"password": "pass1", "username": "name1"}
[DBG] [login] Dumped HTTP response http://127.0.0.1:5002/users/v1/login

HTTP/1.1 200 OK
Connection: close
Content-Length: 224
Content-Type: application/json
Date: Tue, 06 Aug 2024 00:31:00 GMT
Server: Werkzeug/2.2.3 Python/3.11.9

{"auth_token": "TOKEN", "message": "Successfully logged in.", "status": "success"}
[INF] [sqli] Dumped HTTP request for http://127.0.0.1:5002/api/test

GET /api/test HTTP/1.1
Host: 127.0.0.1:5002
User-Agent: Mozilla/5.0 (SS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Authorization: Bearer TOKEN
Accept-Encoding: gzip
...

Steps To Reproduce:

I followed the error [FTL] Could not fetch dynamic secret: no templates found for path: login.yaml and found that the function responsible for loading a template is the one at https://github.com/projectdiscovery/nuclei/blob/dev/pkg/catalog/loader/loader.go#L425

When we pass nuclei dynamic templates, the control flow goes to the condition if store.config.ExecutorOptions.Options.DAST (https://github.com/projectdiscovery/nuclei/blob/dev/pkg/catalog/loader/loader.go#L474), but for login templates the following condition if parsed.IsFuzzing() is not executed and nothing happens. As a result, LoadTemplatesWithTags returns an empty slice, and checking the slice length in the GetLazyAuthFetchCallback function (https://github.com/projectdiscovery/nuclei/blob/dev/internal/runner/lazy.go#L66) returns the very error that no template was found.
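A simplified Python model of the flow described in this report, added here as an illustration; it is not code from the nuclei project and does not reproduce its internals. The dicts stand in for secrets.yaml, login.yaml and templates/sqli.yaml from the report (constructed in memory so the example needs no YAML library), the login response body is the one captured in the -debug output above, and the for_auth bypass in load_templates is an assumption about how a fix could look, not a nuclei option. The model shows why a DAST-gated loader returns nothing for a non-fuzzing login template, how the regex extractor turns the login response into auth_token, and how the secrets file's domains list confines the Bearer header to the intended host.

```python
import re
from urllib.parse import urlsplit

# Constructed in-memory equivalents of the files in the report.
SECRET = {
    "template": "login.yaml",
    "variables": [{"key": "username", "value": "name1"},
                  {"key": "password", "value": "pass1"}],
    "type": "bearertoken",
    "domains": ["127.0.0.1:5002"],
    "input": "http://127.0.0.1:5002",
    "token": "{{auth_token}}",
}

LOGIN_TEMPLATE = {
    "id": "login",
    "requests": [{  # 'requests' is the older spelling of 'http'
        "raw": ['POST /users/v1/login HTTP/1.1\nHost: {{Hostname}}\n'
                'Content-Type: application/json\n\n'
                '{"password": "{{password}}", "username": "{{username}}"}'],
        "extractors": [{"type": "regex", "name": "auth_token", "part": "body",
                        "internal": True, "group": 1,
                        "regex": [r'"auth_token":\s*"([^"]+)"']}],
    }],
}

SQLI_TEMPLATE = {
    "id": "sqli",
    "http": [{"fuzzing": [{"part": "query", "type": "postfix", "mode": "single",
                           "fuzz": ["{{injection}}"]}]}],
}

TEMPLATES_BY_PATH = {"login.yaml": LOGIN_TEMPLATE, "templates/sqli.yaml": SQLI_TEMPLATE}

# Login response body as captured in the report's -debug output.
LOGIN_RESPONSE_BODY = ('{"auth_token": "TOKEN", "message": "Successfully logged in.", '
                       '"status": "success"}')


def is_fuzzing(template):
    """A template counts as a fuzzing template when any HTTP request carries a 'fuzzing' section."""
    requests = template.get("http") or template.get("requests") or []
    return any("fuzzing" in r for r in requests)


def load_templates(templates, dast, for_auth=False):
    """Simplified model (not nuclei's code) of the gating the report describes:
    with DAST enabled only fuzzing templates are kept, so a plain login template
    yields an empty list. for_auth is an assumed fix: a template requested by the
    secrets file bypasses the fuzzing-only filter."""
    loaded = []
    for template in templates:
        if dast and not for_auth:
            if is_fuzzing(template):
                loaded.append(template)
            # a non-fuzzing template matches no branch here and is silently dropped
        else:
            loaded.append(template)
    return loaded


def fetch_dynamic_secret(secret, dast, for_auth=False):
    """Reproduce the loader call behind '[FTL] Could not fetch dynamic secret'."""
    found = load_templates([TEMPLATES_BY_PATH[secret["template"]]], dast, for_auth)
    if not found:
        raise LookupError(f"no templates found for path: {secret['template']}")
    return found[0]


def run_extractors(template, body):
    """Apply the template's regex/body extractors; return name -> captured group."""
    extracted = {}
    requests = template.get("http") or template.get("requests") or []
    for request in requests:
        for ex in request.get("extractors", []):
            if ex.get("type") != "regex" or ex.get("part", "body") != "body":
                continue
            for pattern in ex["regex"]:
                match = re.search(pattern, body)
                if match:
                    extracted[ex["name"]] = match.group(ex.get("group", 0))
                    break
    return extracted


def bearer_header(secret, extracted, target_url):
    """Resolve the secret's token field against extracted values and build the
    Authorization header, but only for hosts listed under 'domains'."""
    if urlsplit(target_url).netloc not in secret["domains"]:
        return {}
    if secret["type"] != "bearertoken":
        raise ValueError(f"unsupported secret type: {secret['type']}")
    token = secret["token"]
    for name, value in extracted.items():
        token = token.replace("{{" + name + "}}", value)
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    try:
        fetch_dynamic_secret(SECRET, dast=True)
    except LookupError as err:
        print("DAST run, as reported:", err)
    login = fetch_dynamic_secret(SECRET, dast=True, for_auth=True)
    values = run_extractors(login, LOGIN_RESPONSE_BODY)
    print(bearer_header(SECRET, values, "http://127.0.0.1:5002/api/test"))
    print(bearer_header(SECRET, values, "http://example.invalid/api/test"))
```

Running the script prints the reported error first, then the Bearer header for the host in domains and an empty header for any other host, which is the check worth keeping in mind when a secrets file is reused across targets.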

songjianwori commented 2 months ago

-sf, -secret-file string[]   path to config file containing secrets for nuclei authenticated scan

nuclei -l openapi.json -im openapi -t templates -sresp -secret-file ["secrets.yaml","/to/path/your login.yaml"] -debug