daffainfo closed this 1 month ago
That's because the value of the Port parameter that's supplied as an argument is hardcoded.
@dwisiswant0 so is that the template's fault or what? Because it produces a lot of false positives on my end.
try this command, cc @dwisiswant0
echo '50.63.14.108' | naabu --top-ports 100 | nuclei -t javascript/enumeration/redis/redis-require-auth.yaml
Output:
[redis-require-auth] [javascript] [info] 50.63.14.108:110
[redis-require-auth] [javascript] [info] 50.63.14.108:143
[redis-require-auth] [javascript] [info] 50.63.14.108:139
[redis-require-auth] [javascript] [info] 50.63.14.108:21
[redis-require-auth] [javascript] [info] 50.63.14.108:49154
[redis-require-auth] [javascript] [info] 50.63.14.108:3389
[redis-require-auth] [javascript] [info] 50.63.14.108:135
[redis-require-auth] [javascript] [info] 50.63.14.108:49155
[redis-require-auth] [javascript] [info] 50.63.14.108:49156
JavaScript argument is different from a dynamic runtime variable. That stdout you're seeing is the output from variable, so this is expected behavior.
@dwisiswant0 huh? But that is a lot of false positives. Should we remove the template or what? How to fix that?
That's because the value of the Port parameter that's supplied as an argument is hardcoded.
Port: "6379"
So, no matter what port value you supply to the engine, it will still try to connect to the port (argument) as (statically) defined in its template.
Should we remove the template or what? How to fix that?
@dwisiswant0 But the output looks like this, then how to fix it? I have asked many times but still no answer yet
[redis-require-auth] [javascript] [info] 50.63.14.108:110
[redis-require-auth] [javascript] [info] 50.63.14.108:143
[redis-require-auth] [javascript] [info] 50.63.14.108:139
[redis-require-auth] [javascript] [info] 50.63.14.108:21
[redis-require-auth] [javascript] [info] 50.63.14.108:49154
[redis-require-auth] [javascript] [info] 50.63.14.108:3389
[redis-require-auth] [javascript] [info] 50.63.14.108:135
[redis-require-auth] [javascript] [info] 50.63.14.108:49155
[redis-require-auth] [javascript] [info] 50.63.14.108:49156
The expected result is something like this because 6379 ISN'T open:
[INF] No results found. Better luck next time!
@dwisiswant0 But the output looks like this, then how to fix it? I have asked many times but still no answer yet
Here's your answer - https://github.com/projectdiscovery/nuclei/issues/5546#issuecomment-2295902555
The expected result is something like this because 6379 ISN'T open
I see. Do you have any idea why it's connecting to the port from variable instead of argument, @tarunKoyalwar?
@daffainfo - can you confirm if you're supplying to the engine without a port value to that template, will it connect to the hardcoded Port argument value?
@dwisiswant0 yes, you're correct. It will connect to the hardcoded port value. If I specified the port in the argument, it replaces the hardcoded port value.
Got you. A temporary fix for this issue seems to be changing the property used for hardcoded port values from the JavaScript protocol.
Meanwhile, I'm gonna reopen this issue until we get confirmation from the team.
@daffainfo @dwisiswant0, this is expected behaviour. If you remember, each tcp template had something like
tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:22"
basically nuclei would run it on the given address (host:port) and on the hardcoded port as well, but later on we simplified it to do this check internally by using the Port field, which first probes if the port is open (cached as well) and then attempts to run the template: https://github.com/projectdiscovery/nuclei/pull/4123
The ideal solution would be that templates have a service field like service: ssh and nuclei would accept a service discovery (nmap or something else) input and only run where it is applicable.
But this is more of a long-term solution and the current behaviour you are experiencing is expected.
@daffainfo the current solution is to improve the matchers in the template so it doesn't produce FPs.
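As an added illustration of what "improve the matchers" means for this template (example code written for this thread, not code from nuclei, the template, or anyone in the discussion): a small Python probe that classifies the RESP reply to a PING instead of treating any open port as Redis, and records the port it actually dialed so a finding can never be attributed to a port that was not contacted. The sample replies below are constructed; the hypothetical POP3/FTP banners stand in for the ports 110 and 21 seen in the output above.

```python
import socket

# Constructed sample replies: what a PING elicits from Redis vs. other services.
SAMPLE_REPLIES = {
    "redis-open":      b"+PONG\r\n",
    "redis-protected": b"-NOAUTH Authentication required.\r\n",
    "pop3":            b"+OK Dovecot ready.\r\n",   # hypothetical port-110 banner
    "ftp":             b"220 (vsFTPd 3.0.3)\r\n",   # hypothetical port-21 banner
    "silent":          b"",                          # binary/idle service: no text
}


def classify_redis_reply(reply: bytes) -> str:
    """Return 'redis-no-auth', 'redis-auth-required' or 'not-redis' for the raw
    bytes received after sending PING. A connect-only matcher flags every open
    port; requiring a well-formed RESP frame is what removes the false positives.
    """
    line, sep, _ = reply.partition(b"\r\n")
    if not sep:
        return "not-redis"                # no complete RESP frame at all
    if line == b"+PONG":
        return "redis-no-auth"            # Redis answered without credentials
    if line.startswith(b"-NOAUTH"):
        return "redis-auth-required"      # Redis, but requirepass/ACL is enforced
    return "not-redis"                    # POP3 "+OK", FTP "220", SMTP etc. land here


def probe_redis(host: str, port: int, timeout: float = 3.0) -> dict:
    """Dial exactly the (host, port) the caller supplied, never a hardcoded port,
    and return the verdict together with the port that was really used."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\r\n")
            reply = s.recv(512)
    except OSError:                       # refused, unreachable, or timed out
        reply = b""
    return {"host": host, "port": port, "verdict": classify_redis_reply(reply)}
```

A result line is worth emitting only when the verdict is one of the two Redis cases, and the port printed must be the one in the returned dict.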
Current Behavior
Even though the port is already specified in the template, let's say this template: /javascript/enumeration/redis/redis-require-auth.yaml. This template will scan port 6379, but if you specify another port in the user input, for example port 110, the template will scan 110 instead of 6379.
Expected Behavior
The template should be stopped
Steps To Reproduce
I'm using an IP address from Shodan.
Anything else?
I also found weird case like this, I scanned my own website which is daffa.info with port 443. And the output was something like this:
As you can see, it looks like they scanned port 443 and 6379? And it only happens if I specify port 80 and 443 in my input.