nuclei
The request is not as expected
Nuclei version:
v2.9.15
Current Behavior:
template:
http:
  - raw:
      - |
        POST /material/file/video HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Connection: close
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaRBBs9fvbcHzAWZw

        ------WebKitFormBoundaryaRBBs9fvbcHzAWZw
        Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.js"

        abc
        ------WebKitFormBoundaryaRBBs9fvbcHzAWZw
        Content-Disposition: form-data; name="poc"
        Content-Disposition: form-data; name="Submit"
        ------WebKitFormBoundaryaRBBs9fvbcHzAWZw--
      - |
        GET /publishingImg/{{upload_data}} HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: json
        part: body_1
        name: upload_data
        internal: true
        json:
          - '.data.path'
with -debug output
POST /material/file/video HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 301
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaRBBs9fvbcHzAWZw
------WebKitFormBoundaryaRBBs9fvbcHzAWZw
Content-Disposition: form-data; name="Filedata"; filename="dumcsv.js"
abc
------WebKitFormBoundaryaRBBs9fvbcHzAWZw
Content-Disposition: form-data; name="poc"
Content-Disposition: form-data; name="Submit"
------WebKitFormBoundaryaRBBs9fvbcHzAWZw--
[DBG] [test] Dumped HTTP response https://xx.xx.xx.xx/material/file/video
HTTP/1.1 200 OK
Content-Length: 91
Content-Type: text/html;charset=UTF-8
Date: Tue, 19 Sep 2023 05:10:19 GMT
Server: nginx
Set-Cookie: JSESSIONID=5BB8681C196A3FCA7790624C39E5087D; Path=/publishing; HttpOnly
{"data":{"id":448,"path":"VIDEO/xxxx.js"},"errMsg":"success!","success":true}
[INF] [test] Dumped HTTP request for https://xx.xx.xx.xx/material/file/video/publishingImg/VIDEO/xxxx.js
GET /material/file/video/publishingImg/VIDEO/xxxx.js HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept-Encoding: gzip
[DBG] [test] Dumped HTTP response https://xx.xx.xx.xx/material/file/video/publishingImg/VIDEO/xxxx.js
HTTP/1.1 404 Not Found
Content-Length: 564
Content-Type: text/html
Date: Tue, 19 Sep 2023 05:10:19 GMT
Server: nginx
Expected Behavior:
The second request should be RootURL + publishingImg/VIDEO/xxxx.js, not BaseURL; it should not contain /material/file/video/.
Steps To Reproduce:
nuclei -duc -t test.yaml -u https://x.x.x.x/material/file/video -debug
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.15

		projectdiscovery.io
[INF] Current nuclei version: v2.9.15 (outdated)
[INF] Current nuclei-templates version: v9.6.4 (latest)
[INF] New templates added in latest release: 121
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[INF] [test] Dumped HTTP request for https://x.x.x.x/material/file/video
POST /material/file/video HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Content-Length: 303
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaRBBs9fvbcHzAWZw
------WebKitFormBoundaryaRBBs9fvbcHzAWZw
Content-Disposition: form-data; name="Filedata"; filename="mxgjir.js"
test
------WebKitFormBoundaryaRBBs9fvbcHzAWZw
Content-Disposition: form-data; name="poc"
Content-Disposition: form-data; name="Submit"
------WebKitFormBoundaryaRBBs9fvbcHzAWZw--
[DBG] [test] Dumped HTTP response https://x.x.x.x/material/file/video
HTTP/1.1 200 OK
Content-Length: 91
Content-Type: text/html;charset=UTF-8
Date: Wed, 20 Sep 2023 03:11:17 GMT
Server: nginx
Set-Cookie: JSESSIONID=C7FA988EA2C263812694B0002227D232; Path=/publishing; HttpOnly
{"data":{"id":457,"path":"VIDEO/xxx.js"},"errMsg":"success!","success":true}
[INF] [test] Dumped HTTP request for https://x.x.x.x/material/file/video/publishingImg/VIDEO/xxx.js
GET /material/file/video/publishingImg/VIDEO/xxx.js HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Accept-Encoding: gzip
[DBG] [test] Dumped HTTP response https://x.x.x.x/material/file/video/publishingImg/VIDEO/xxx.js
HTTP/1.1 404 Not Found
Content-Length: 564
Content-Type: text/html
Date: Wed, 20 Sep 2023 03:11:17 GMT
Server: nginx
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
[INF] No results found. Better luck next time!
If I use nuclei -duc -t test.yaml -u https://x.x.x.x/ it works well.
Why does the second raw request use the full path and not the template's path?
The correct URL for the second request looks like this:
https://x.x.x.x/publishingImg/VIDEO/xxx.js
Anything else:
@passwa11 Apologies for the late reply, but could you share the target for us to reproduce this? discord handle @ dogancanbakir
see here
I'm closing this issue due to inactivity. If you believe this was a mistake, please feel free to reopen it.
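The path resolution reported in this issue, as an added example that is not nuclei's code and not part of the original thread. `ObservedURL` is a model inferred only from the two debug dumps above (an assumption about the rule, not the project's implementation), `ExpectedURL` is the root-relative result the reporter asked for, and `example.test` is a constructed stand-in for the redacted host.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// split returns scheme://host[:port] and the path of a target URL.
func split(target string) (root, path string, err error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", "", fmt.Errorf("target %q needs a scheme and host", target)
	}
	return u.Scheme + "://" + u.Host, strings.TrimSuffix(u.Path, "/"), nil
}

// ObservedURL models the debug output in the report (an assumption, not
// nuclei's source): the target path is prefixed to the raw request path
// unless the raw path already begins with it.
func ObservedURL(target, rawPath string) (string, error) {
	root, prefix, err := split(target)
	if err != nil {
		return "", err
	}
	if prefix == "" || rawPath == prefix || strings.HasPrefix(rawPath, prefix+"/") {
		return root + rawPath, nil
	}
	return root + prefix + rawPath, nil
}

// ExpectedURL resolves the raw path from the server root, as the reporter expected.
func ExpectedURL(target, rawPath string) (string, error) {
	root, _, err := split(target)
	if err != nil {
		return "", err
	}
	return root + rawPath, nil
}

func main() {
	// Constructed target; example.test stands in for the redacted host.
	target := "https://example.test/material/file/video"
	for _, p := range []string{"/material/file/video", "/publishingImg/VIDEO/xxx.js"} {
		got, _ := ObservedURL(target, p)
		want, _ := ExpectedURL(target, p)
		fmt.Printf("%-30s observed=%s match=%v\n", p, got, got == want)
	}
}
```

Under this model the two results differ only when the target carries a path that the raw request line does not start with, which matches the report: the POST resolves as written, the GET does not, and a root target resolves both as written.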