Comments (17)
@denandz I created a PR to fix this. This was caused because we enabled threads by default for templates that used payloads. This was done in order to speed up certain templates that fuzz but don't use threads. But to keep memory low, this does not share values across requests. Hence, this was happening. The fix introduced changes the logic to only occur when the requests exceed a certain threshold, in this case the NUCLEI_PAYLOAD_AUTO_CONCURRENCY_THRESHOLD env variable, which is 30 by default.
This fixes it.
~/hack/tt/nuclei/cmd/nuclei fix-templates-not-working* ❯ ./nuclei -t http/default-logins/tiny-file-manager-default-login.yaml -u http://127.0.0.1/
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

		projectdiscovery.io
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
@denandz thanks again for digging into this issue and sharing the details with us; the fix is now merged into the latest release, i.e. nuclei v3.2.4.
I wrote the following little bit of code to find all templates which used multiple HTTP raw requests with extractors and variables.
This has highlighted 225 checks that may be broken and need further triage.
package main

import (
	"fmt"
	"log"
	"os"
	"strings"

	"github.com/projectdiscovery/nuclei/v3/pkg/templates"
	"gopkg.in/yaml.v2"
)

func main() {
	if len(os.Args) != 2 {
		log.Fatal("run as ./nucleilint <pathtoyaml>.yaml")
	}
	bin, err := os.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	var yamlTemplate templates.Template
	if err := yaml.Unmarshal(bin, &yamlTemplate); err != nil {
		log.Fatal(err)
	}
	// fmt.Printf("Processing: %s\n", yamlTemplate.ID)
	http := yamlTemplate.RequestsHTTP
	// no http object, or more than one http object, not checking...
	if len(http) != 1 {
		return
	}
	// no extractors, return
	if len(http[0].Operators.Extractors) == 0 {
		return
	}
	// only one raw request, issue affects two raw requests
	if len(http[0].Raw) < 2 {
		return
	}
	// loop each extractor, if the variable name is in the raw requests
	// then we have an extractor bug
	for _, e := range http[0].Operators.Extractors {
		// var has no name, how could it be used in a subsequent raw template?
		if e.Name == "" {
			continue
		}
		// one line is printed per raw request that references the variable,
		// so a template can show up more than once in the output
		for _, raw := range http[0].Raw {
			if strings.Contains(raw, "{{"+e.Name+"}}") {
				fmt.Printf("[!] Buggy extractor use found - template: %s var: %s\n", yamlTemplate.ID, e.Name)
			}
		}
	}
}
Output of find /dev/shm/nuclei-templates/http/ -name '*.yaml' -exec ./nucleilint {} \; below:
[!] Buggy extractor use found - template: yonyou-u8-crm-fileupload var: path
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: nonce
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: form_id
[!] Buggy extractor use found - template: wp-kadence-blocks-rce var: post_id
[!] Buggy extractor use found - template: seatreg-redirect var: seatreg-admin-nonce
[!] Buggy extractor use found - template: notificationx-sqli var: apikey
[!] Buggy extractor use found - template: weaver-uploadoperation-file-upload var: fileid
[!] Buggy extractor use found - template: weaver-login-sessionkey var: timestamp
[!] Buggy extractor use found - template: weaver-lazyuploadify-file-upload var: attachmentID
[!] Buggy extractor use found - template: weaver-lazyuploadify-file-upload var: attachmentName
[!] Buggy extractor use found - template: weaver-ktreeuploadaction-file-upload var: filename
[!] Buggy extractor use found - template: weaver-jquery-file-upload var: attachmentID
[!] Buggy extractor use found - template: weaver-ebridge-lfi var: idname
[!] Buggy extractor use found - template: weaver-eoffice-file-upload var: id
[!] Buggy extractor use found - template: wanhu-oa-fileupload-controller var: filename
[!] Buggy extractor use found - template: tongda-login-code-authbypass var: uid
[!] Buggy extractor use found - template: tongda-login-code-authbypass var: cookie
[!] Buggy extractor use found - template: tongda-arbitrary-login var: cookie
[!] Buggy extractor use found - template: ruijie-eg-rce var: admin
[!] Buggy extractor use found - template: realor-gwt-system-sqli var: cookie
[!] Buggy extractor use found - template: yapi-rce var: group_id
[!] Buggy extractor use found - template: yapi-rce var: interface_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: yapi-rce var: project_id
[!] Buggy extractor use found - template: powercreator-cms-rce var: endpoint
[!] Buggy extractor use found - template: podcast-generator-ssrf var: token
[!] Buggy extractor use found - template: pega-log4j-rce var: location
[!] Buggy extractor use found - template: goanywhere-mft-log4j-rce var: view
[!] Buggy extractor use found - template: jorani-benjamin-xss var: csrf
[!] Buggy extractor use found - template: rusty-joomla var: csrf
[!] Buggy extractor use found - template: hikvision-ivms-file-upload-rce var: res_id
[!] Buggy extractor use found - template: gitlab-rce var: csrf-token
[!] Buggy extractor use found - template: gitea-rce var: repo
[!] Buggy extractor use found - template: gitea-rce var: repo
[!] Buggy extractor use found - template: apache-solr-file-read var: core
[!] Buggy extractor use found - template: apache-solr-file-read var: core
[!] Buggy extractor use found - template: csrf-guard-detect var: masterToken
[!] Buggy extractor use found - template: unauthorized-plastic-scm var: csrf
[!] Buggy extractor use found - template: servicenow-widget-misconfig var: user-token
[!] Buggy extractor use found - template: seeyon-unauth var: session
[!] Buggy extractor use found - template: docker-daemon-exposed var: version
[!] Buggy extractor use found - template: qvisdvr-deserialization-rce var: token
[!] Buggy extractor use found - template: aspcms-backend-panel var: path
[!] Buggy extractor use found - template: wazuh-default-login var: osd
[!] Buggy extractor use found - template: vidyo-default-login var: csrf_tkn
[!] Buggy extractor use found - template: vidyo-default-login var: session
[!] Buggy extractor use found - template: versa-flexvnf-default-login var: xsrf_token
[!] Buggy extractor use found - template: tiny-filemanager-default-login var: token
[!] Buggy extractor use found - template: structurizr-default-login var: csrf
[!] Buggy extractor use found - template: steve-default-login var: csrf
[!] Buggy extractor use found - template: splunk-default-login var: cval
[!] Buggy extractor use found - template: rancher-default-login var: csrf
[!] Buggy extractor use found - template: rainloop-default-login var: token
[!] Buggy extractor use found - template: phpmyadmin-default-login var: token
[!] Buggy extractor use found - template: phpmyadmin-default-login var: token2
[!] Buggy extractor use found - template: phpmyadmin-default-login var: session
[!] Buggy extractor use found - template: octobercms-default-login var: token
[!] Buggy extractor use found - template: nagiosxi-default-login var: nsp
[!] Buggy extractor use found - template: magnolia-default-login var: csrf
[!] Buggy extractor use found - template: magnolia-default-login var: csrf
[!] Buggy extractor use found - template: magnolia-default-login var: session
[!] Buggy extractor use found - template: magnolia-default-login var: session
[!] Buggy extractor use found - template: kanboard-default-login var: csrf_token
[!] Buggy extractor use found - template: hybris-default-login var: csrftoken
[!] Buggy extractor use found - template: glpi-default-login var: token
[!] Buggy extractor use found - template: glpi-default-login var: name
[!] Buggy extractor use found - template: glpi-default-login var: password
[!] Buggy extractor use found - template: fuelcms-default-login var: csrftoken
[!] Buggy extractor use found - template: dvwa-default-login var: token
[!] Buggy extractor use found - template: dvwa-default-login var: session
[!] Buggy extractor use found - template: hue-default-credential var: csrfmiddlewaretoken
[!] Buggy extractor use found - template: camunda-default-login var: xsrf_token
[!] Buggy extractor use found - template: airflow-default-login var: csrf_token
[!] Buggy extractor use found - template: CVE-2024-29059 var: objref
[!] Buggy extractor use found - template: CVE-2024-25600 var: nonce
[!] Buggy extractor use found - template: CVE-2024-20767 var: extracted_uuid
[!] Buggy extractor use found - template: CVE-2024-1071 var: nonce
[!] Buggy extractor use found - template: CVE-2023-6909 var: EXPERIMENT_ID
[!] Buggy extractor use found - template: CVE-2023-6909 var: RUN_ID
[!] Buggy extractor use found - template: CVE-2023-5556 var: csrf
[!] Buggy extractor use found - template: CVE-2023-5556 var: workspace
[!] Buggy extractor use found - template: CVE-2023-5360 var: nonce
[!] Buggy extractor use found - template: CVE-2023-5360 var: filename
[!] Buggy extractor use found - template: CVE-2023-52085 var: _token
[!] Buggy extractor use found - template: CVE-2023-52085 var: _token
[!] Buggy extractor use found - template: CVE-2023-4966 var: session
[!] Buggy extractor use found - template: CVE-2023-48777 var: nonce
[!] Buggy extractor use found - template: CVE-2023-47643 var: csrftoken
[!] Buggy extractor use found - template: CVE-2023-47211 var: x_zcsrf_token
[!] Buggy extractor use found - template: CVE-2023-47211 var: x_zcsrf_token
[!] Buggy extractor use found - template: CVE-2023-47115 var: csrftoken
[!] Buggy extractor use found - template: CVE-2023-47115 var: id
[!] Buggy extractor use found - template: CVE-2023-47115 var: filename
[!] Buggy extractor use found - template: CVE-2023-4596 var: forminator_nonce
[!] Buggy extractor use found - template: CVE-2023-4596 var: form_id
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-42793 var: token
[!] Buggy extractor use found - template: CVE-2023-39002 var: para
[!] Buggy extractor use found - template: CVE-2023-39002 var: value
[!] Buggy extractor use found - template: CVE-2023-38646 var: token
[!] Buggy extractor use found - template: CVE-2023-3836 var: shell_filename
[!] Buggy extractor use found - template: CVE-2023-36934 var: session
[!] Buggy extractor use found - template: CVE-2023-36844 var: inifile
[!] Buggy extractor use found - template: CVE-2023-3460 var: path
[!] Buggy extractor use found - template: CVE-2023-3460 var: path
[!] Buggy extractor use found - template: CVE-2023-3460 var: version
[!] Buggy extractor use found - template: CVE-2023-3460 var: formid
[!] Buggy extractor use found - template: CVE-2023-3460 var: wpnonce
[!] Buggy extractor use found - template: CVE-2023-34362 var: ips
[!] Buggy extractor use found - template: CVE-2023-34362 var: csrf
[!] Buggy extractor use found - template: CVE-2023-3345 var: nonce
[!] Buggy extractor use found - template: CVE-2023-32243 var: nonce
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-32243 var: wordpress_username
[!] Buggy extractor use found - template: CVE-2023-30943 var: token
[!] Buggy extractor use found - template: CVE-2023-29357 var: realm
[!] Buggy extractor use found - template: CVE-2023-29084 var: admpcsrf
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_1
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: token_2
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: parent_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: namespace_id
[!] Buggy extractor use found - template: CVE-2023-2825 var: x-csrf-token
[!] Buggy extractor use found - template: CVE-2023-2825 var: upload-hash
[!] Buggy extractor use found - template: CVE-2023-2780 var: version
[!] Buggy extractor use found - template: CVE-2023-27372 var: csrf
[!] Buggy extractor use found - template: CVE-2023-27350 var: printerID
[!] Buggy extractor use found - template: CVE-2023-27350 var: printerID
[!] Buggy extractor use found - template: CVE-2023-2648 var: name
[!] Buggy extractor use found - template: CVE-2023-26469 var: csrf
[!] Buggy extractor use found - template: CVE-2023-25157 var: name
[!] Buggy extractor use found - template: CVE-2023-25157 var: name
[!] Buggy extractor use found - template: CVE-2023-25157 var: column
[!] Buggy extractor use found - template: CVE-2023-2356 var: version
[!] Buggy extractor use found - template: CVE-2023-22620 var: session
[!] Buggy extractor use found - template: CVE-2023-2224 var: nonce
[!] Buggy extractor use found - template: CVE-2023-20889 var: csrf
[!] Buggy extractor use found - template: CVE-2023-20888 var: csrf
[!] Buggy extractor use found - template: CVE-2023-20864 var: xcsrftoken
[!] Buggy extractor use found - template: CVE-2023-2009 var: nonce
[!] Buggy extractor use found - template: CVE-2023-20073 var: index
[!] Buggy extractor use found - template: CVE-2023-1177 var: version
[!] Buggy extractor use found - template: CVE-2023-0900 var: nonce
[!] Buggy extractor use found - template: CVE-2023-0777 var: csrftoken
[!] Buggy extractor use found - template: CVE-2022-47003 var: siteid
[!] Buggy extractor use found - template: CVE-2022-47003 var: uuid
[!] Buggy extractor use found - template: CVE-2022-47002 var: siteid
[!] Buggy extractor use found - template: CVE-2022-47002 var: uuid
[!] Buggy extractor use found - template: CVE-2022-46020 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-46020 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-46020 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-46020 var: app_name
[!] Buggy extractor use found - template: CVE-2022-45038 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-45038 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-45038 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-45038 var: app_name
[!] Buggy extractor use found - template: CVE-2022-45037 var: username_fieldname
[!] Buggy extractor use found - template: CVE-2022-45037 var: password_fieldname
[!] Buggy extractor use found - template: CVE-2022-45037 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-45037 var: username_fieldname_2
[!] Buggy extractor use found - template: CVE-2022-44957 var: csrf
[!] Buggy extractor use found - template: CVE-2022-44952 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44952 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44951 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44951 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44950 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44950 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44949 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44949 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44948 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44948 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44947 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44947 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44946 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44946 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44944 var: nonce
[!] Buggy extractor use found - template: CVE-2022-44944 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43185 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43185 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43170 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43170 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43169 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43169 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43167 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43167 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43166 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43166 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43165 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43165 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43164 var: nonce
[!] Buggy extractor use found - template: CVE-2022-43164 var: nonce
[!] Buggy extractor use found - template: CVE-2022-4260 var: nonce
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42096 var: name
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42096 var: form_token
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42095 var: form_token
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_id_1
[!] Buggy extractor use found - template: CVE-2022-42094 var: name
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_id_2
[!] Buggy extractor use found - template: CVE-2022-42094 var: form_token
[!] Buggy extractor use found - template: CVE-2022-4049 var: nonce
[!] Buggy extractor use found - template: CVE-2022-40127 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-3982 var: nonce
[!] Buggy extractor use found - template: CVE-2022-39048 var: csrf
[!] Buggy extractor use found - template: CVE-2022-38296 var: filename
[!] Buggy extractor use found - template: CVE-2022-37191 var: apikey
[!] Buggy extractor use found - template: CVE-2022-37190 var: apikey
[!] Buggy extractor use found - template: CVE-2022-36804 var: key
[!] Buggy extractor use found - template: CVE-2022-36804 var: slug
[!] Buggy extractor use found - template: CVE-2022-36537 var: dtid
[!] Buggy extractor use found - template: CVE-2022-3506 var: nonce
[!] Buggy extractor use found - template: CVE-2022-31854 var: csrf
[!] Buggy extractor use found - template: CVE-2022-30073 var: formtoken
[!] Buggy extractor use found - template: CVE-2022-29272 var: nsp_token
[!] Buggy extractor use found - template: CVE-2022-2863 var: nonce
[!] Buggy extractor use found - template: CVE-2022-28117 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-2756 var: token
[!] Buggy extractor use found - template: CVE-2022-2756 var: token
[!] Buggy extractor use found - template: CVE-2022-2756 var: filename
[!] Buggy extractor use found - template: CVE-2022-25487 var: filename
[!] Buggy extractor use found - template: CVE-2022-2546 var: secretkey
[!] Buggy extractor use found - template: CVE-2022-25149 var: nonce
[!] Buggy extractor use found - template: CVE-2022-25148 var: nonce
[!] Buggy extractor use found - template: CVE-2022-23102 var: csrf
[!] Buggy extractor use found - template: CVE-2022-22972 var: protected_state
[!] Buggy extractor use found - template: CVE-2022-22972 var: horizonRelayState
[!] Buggy extractor use found - template: CVE-2022-22972 var: userstore
[!] Buggy extractor use found - template: CVE-2022-22972 var: userstoreDisplay
[!] Buggy extractor use found - template: CVE-2022-22972 var: stickyConnectorId
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: session_key
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: token
[!] Buggy extractor use found - template: CVE-2022-21705 var: theme
[!] Buggy extractor use found - template: CVE-2022-1952 var: filename
[!] Buggy extractor use found - template: CVE-2022-1442 var: id
[!] Buggy extractor use found - template: CVE-2022-1386 var: fusionformnonce
[!] Buggy extractor use found - template: CVE-2022-1329 var: nonce
[!] Buggy extractor use found - template: CVE-2022-1058 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0968 var: form_token
[!] Buggy extractor use found - template: CVE-2022-0968 var: user
[!] Buggy extractor use found - template: CVE-2022-0968 var: email
[!] Buggy extractor use found - template: CVE-2022-0870 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0870 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0651 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0535 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0482 var: csrf_token
[!] Buggy extractor use found - template: CVE-2022-0441 var: nonce
[!] Buggy extractor use found - template: CVE-2022-0415 var: csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2022-0415 var: uuid
[!] Buggy extractor use found - template: CVE-2022-0220 var: nonce
[!] Buggy extractor use found - template: CVE-2021-44451 var: csrf_token
[!] Buggy extractor use found - template: CVE-2021-43421 var: hash
[!] Buggy extractor use found - template: CVE-2021-42258 var: VS
[!] Buggy extractor use found - template: CVE-2021-42258 var: VSG
[!] Buggy extractor use found - template: CVE-2021-42258 var: EV
[!] Buggy extractor use found - template: CVE-2021-42192 var: id
[!] Buggy extractor use found - template: CVE-2021-42192 var: id
[!] Buggy extractor use found - template: CVE-2021-42192 var: token
[!] Buggy extractor use found - template: CVE-2021-42192 var: token
[!] Buggy extractor use found - template: CVE-2021-41432 var: nonce
[!] Buggy extractor use found - template: CVE-2021-41282 var: csrf_token
[!] Buggy extractor use found - template: CVE-2021-40323 var: profile
[!] Buggy extractor use found - template: CVE-2021-38540 var: csrf
[!] Buggy extractor use found - template: CVE-2021-36873 var: nonce
[!] Buggy extractor use found - template: CVE-2021-36450 var: csrfp_login
[!] Buggy extractor use found - template: CVE-2021-35323 var: tokenCSRF
[!] Buggy extractor use found - template: CVE-2021-33851 var: nonce
[!] Buggy extractor use found - template: CVE-2021-32172 var: hash
[!] Buggy extractor use found - template: CVE-2021-27905 var: core
[!] Buggy extractor use found - template: CVE-2021-27850 var: id
[!] Buggy extractor use found - template: CVE-2021-26598 var: token
[!] Buggy extractor use found - template: CVE-2021-25299 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25298 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25298 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-25297 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25297 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-25296 var: nsp
[!] Buggy extractor use found - template: CVE-2021-25296 var: nsp_auth
[!] Buggy extractor use found - template: CVE-2021-24358 var: username
[!] Buggy extractor use found - template: CVE-2021-24358 var: username
[!] Buggy extractor use found - template: CVE-2021-24347 var: nonce
[!] Buggy extractor use found - template: CVE-2021-24155 var: nonce
[!] Buggy extractor use found - template: CVE-2021-22986 var: token
[!] Buggy extractor use found - template: CVE-2020-9043 var: authkey
[!] Buggy extractor use found - template: CVE-2020-9043 var: nonce
[!] Buggy extractor use found - template: CVE-2020-8772 var: username
[!] Buggy extractor use found - template: CVE-2020-8772 var: username
[!] Buggy extractor use found - template: CVE-2020-8644 var: csrf
[!] Buggy extractor use found - template: CVE-2020-8193 var: randkey
[!] Buggy extractor use found - template: CVE-2020-8193 var: randkey
[!] Buggy extractor use found - template: CVE-2020-7136 var: sessionid
[!] Buggy extractor use found - template: CVE-2020-35987 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35987 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35986 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35986 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35985 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35985 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35984 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35984 var: nonce
[!] Buggy extractor use found - template: CVE-2020-35951 var: fullpath
[!] Buggy extractor use found - template: CVE-2020-24186 var: wmuSecurity
[!] Buggy extractor use found - template: CVE-2020-23697 var: csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-15867 var: last_commit
[!] Buggy extractor use found - template: CVE-2020-14144 var: csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: auth_csrf
[!] Buggy extractor use found - template: CVE-2020-14144 var: last_commit
[!] Buggy extractor use found - template: CVE-2020-12116 var: endpoint
[!] Buggy extractor use found - template: CVE-2020-11978 var: exec_date
[!] Buggy extractor use found - template: CVE-2019-8390 var: csrf
[!] Buggy extractor use found - template: CVE-2019-7192 var: album_id
[!] Buggy extractor use found - template: CVE-2019-7192 var: album_id
[!] Buggy extractor use found - template: CVE-2019-7192 var: access_code
[!] Buggy extractor use found - template: CVE-2019-3398 var: csrftoken
[!] Buggy extractor use found - template: CVE-2019-3398 var: draftID
[!] Buggy extractor use found - template: CVE-2019-3398 var: draftID
[!] Buggy extractor use found - template: CVE-2019-2579 var: authkey
[!] Buggy extractor use found - template: CVE-2019-20183 var: endpoint
[!] Buggy extractor use found - template: CVE-2019-17558 var: core
[!] Buggy extractor use found - template: CVE-2019-17558 var: core
[!] Buggy extractor use found - template: CVE-2019-14750 var: csrftoken
[!] Buggy extractor use found - template: CVE-2019-13396 var: token
[!] Buggy extractor use found - template: CVE-2019-0193 var: core
[!] Buggy extractor use found - template: CVE-2018-7602 var: userid
[!] Buggy extractor use found - template: CVE-2018-7602 var: userid
[!] Buggy extractor use found - template: CVE-2018-7602 var: form_token
[!] Buggy extractor use found - template: CVE-2018-7602 var: form_build_id
[!] Buggy extractor use found - template: CVE-2018-3760 var: path
[!] Buggy extractor use found - template: CVE-2018-2894 var: id
[!] Buggy extractor use found - template: CVE-2018-11473 var: csrf
[!] Buggy extractor use found - template: CVE-2018-10942 var: file
[!] Buggy extractor use found - template: CVE-2018-1000533 var: path
[!] Buggy extractor use found - template: CVE-2017-12629 var: core
[!] Buggy extractor use found - template: CVE-2016-10033 var: username
[!] Buggy extractor use found - template: postman-login-check var: csrfToken
[!] Buggy extractor use found - template: github-login-check var: authenticity_token
[!] Buggy extractor use found - template: github-login-check var: timestamp
[!] Buggy extractor use found - template: github-login-check var: timestamp_secret
[!] Buggy extractor use found - template: datadog-login-check var: auth_token
[!] Buggy extractor use found - template: codepen-login-check var: token
[!] Buggy extractor use found - template: CNVD-2022-03672 var: cid
[!] Buggy extractor use found - template: CNVD-2020-68596 var: endpoint
[!] Buggy extractor use found - template: CNVD-2020-26585 var: date
[!] Buggy extractor use found - template: CNVD-2020-26585 var: file
The plot thickens.... Strangely, the docker-daemon-exposed check seemed to work fine even though it used the extractor pattern that causes issues. Further digging showed that adding an attack object to the template broke it in the same way as the wazuh, phpmyadmin, tinyfileuploader, kanboard etc. checks. Dig this:
Works, even though testing so far suggests it shouldn't...
$ nuclei -t http/misconfiguration/docker-daemon-exposed.yaml -u http://127.0.0.1:2375/ -v --proxy http://127.0.0.1:8080
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

		projectdiscovery.io
[VER] Using http://127.0.0.1:8080 as proxy server
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/version
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/v1.41/containers/json
[docker-daemon-exposed] [http] [critical] http://127.0.0.1:2375/v1.41/containers/json
I figure the difference between this check and the others is the attack object, so I added one in to test with the following patch:
diff --git a/http/misconfiguration/docker-daemon-exposed.yaml b/http/misconfiguration/docker-daemon-exposed.yaml
index 0283f63dbf..ceec043679 100644
--- a/http/misconfiguration/docker-daemon-exposed.yaml
+++ b/http/misconfiguration/docker-daemon-exposed.yaml
@@ -20,9 +20,16 @@ http:
Host: {{Hostname}}
- |
- GET /v{{version}}/containers/json HTTP/1.1
+ GET /v{{version}}/containers/json&{{user}}={{pass}} HTTP/1.1
Host: {{Hostname}}
+ attack: pitchfork
+ payloads:
+ user:
+ - admin
+ pass:
+ - admin
+
matchers:
- type: dsl
dsl:
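Review bot: the modified request line `GET /v{{version}}/containers/json&{{user}}={{pass}} HTTP/1.1` joins the new parameters with `&` rather than `?`, so there is no query string and the server sees a path of `/v1.41/containers/json&admin=admin`. For this reproduction the distinction is harmless, since the only thing the hunk needs is the `attack: pitchfork` block with single-entry `user` and `pass` lists so that the payload generator is engaged, but anything kept in a real template should use `?{{user}}={{pass}}` so the first request's response is not altered by the path change.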
And it breaks, like the others:
$ nuclei -t ./http/misconfiguration/docker-daemon-exposed.yaml -u http://127.0.0.1:2375/ -v --proxy http://127.0.0.1:8080
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.2.3
projectdiscovery.io
[VER] Using http://127.0.0.1:8080 as proxy server
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[WRN] [docker-daemon-exposed] Could not make http request for http://127.0.0.1:2375/: unresolved variables found: version
[VER] [docker-daemon-exposed] Sent HTTP request to http://127.0.0.1:2375/version
[WRN] [docker-daemon-exposed] Could not execute request for http://127.0.0.1:2375/: stop execution due to unresolved variables
[INF] No results found. Better luck next time!
An attack object or something similar may be required for the bug to occur.
from nuclei.
Hi @denandz, thank you for taking the time to create this detailed issue and for contributing to this project 🍻
It looks like a bug has been introduced recently. We are working to fix this.
from nuclei.
Great, will take now 2 months to fix this... Giving Template team working speed
from nuclei.
@mastercho, it is a bug in the engine; there's nothing to fix in the templates.
from nuclei.
Great, will take now 2 months to fix this... Giving Template team working speed
Lol. Before commenting, ensure you understand the issue. If you're capable of contributing to fixing it, please do so. Criticizing others isn't helpful.
from nuclei.
Have checked out the fix-templates-not-working branch. TinyFileUploader and PHPMyAdmin work now, so does Kanboard provided I change the DSL matcher logic to work.
The fix introduced changes the logic to only occur when the requests exceed a certain threshold, in this case - NUCLEI_PAYLOAD_AUTO_CONCURRENCY_THRESHOLD env variable which is 30 by default.
Looking at the pull request this is really 10 by default? Regardless of the threshold, does this mean any template that generates more than 10 payloads is going to have this same flaw?
This seems like it will cause future confusion and may still break some templates. Would it be better to detect if variable substitution with an extractor is being used, then disabling the auto concurrency? This would make sure the problem is fixed regardless of the specific input payload numbers.
from nuclei.
@denandz, that was meant to be a hot fix and not a complete solution. After investigation we have found out that this is a design/arch level issue and only surfaced due to our recent efforts of improving nuclei scan speed by introducing the payload-concurrency -pc flag, which overrides the value of threads in templates if not specified.
Note: this bug seems to be affecting Nuclei from v3.1.9 [that doesn't mean v3.1.9 is stable since we have fixed lots of bugs after v3.1.9].
The linked PR should fix all breaking templates (this count can be increased to 100 just to be safe) and we will try to fix this arch/design issue in upcoming versions.
from nuclei.
Tweaked the linter to check for the presence of an attack object, which narrows down the affected checks even further. Looks like a total of 28 checks are affected.
airflow-default-login
camunda-default-login
CVE-2021-44451
CVE-2022-4049
CVE-2023-0777
CVE-2023-5556
datadog-login-check
dvwa-default-login
fuelcms-default-login
glpi-default-login
hue-default-credential
hybris-default-login
kanboard-default-login
magnolia-default-login
nagiosxi-default-login
octobercms-default-login
phpmyadmin-default-login
postman-login-check
rainloop-default-login
rancher-default-login
splunk-default-login
steve-default-login
structurizr-default-login
tiny-filemanager-default-login
versa-flexvnf-default-login
vidyo-default-login
wazuh-default-login
weaver-ebridge-lfi
Updated check:
package main

import (
	"fmt"
	"log"
	"os"
	"strings"

	"github.com/projectdiscovery/nuclei/v3/pkg/templates"
	"gopkg.in/yaml.v2"
)

func main() {
	if len(os.Args) != 2 {
		log.Fatal("run as ./nucleilint <pathtoyaml>.yaml")
	}
	bin, err := os.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	var yamlTemplate templates.Template
	err = yaml.Unmarshal(bin, &yamlTemplate)
	if err != nil {
		log.Fatal(err)
	}
	// fmt.Printf("Processing: %s\n", yamlTemplate.ID)
	http := yamlTemplate.RequestsHTTP
	// no http object, or more than one http object, not checking...
	if len(http) != 1 {
		return
	}
	// no extractors, return
	if len(http[0].Operators.Extractors) == 0 {
		return
	}
	// only one raw request, issue affects two raw requests
	if len(http[0].Raw) < 2 {
		return
	}
	// needs an Attack object to be vulnerable to the concurrency issue
	if http[0].AttackType.Value == 0 {
		return
	}
	// loop each extractor, if the variable name is in the raw requests
	// then we have an extractor bug
	for _, e := range http[0].Operators.Extractors {
		// var has no name, how could it be used in a subsequent raw template?
		if e.Name == "" {
			continue
		}
		for _, raw := range http[0].Raw {
			if strings.Contains(raw, "{{"+e.Name+"}}") {
				fmt.Printf("[!] Buggy extractor use found - template: %s var: %s\n", yamlTemplate.ID, e.Name)
			}
		}
	}
}
from nuclei.
@ehsandeep this issue isn't closed. There's an interim hot-fix but no complete solution as per @tarunKoyalwar's comment. Can you please leave this issue open until a complete solution is implemented?
from nuclei.
@denandz thanks for the ping, it was closed in an automated manner as the linked PRs were merged.
A quick question: what kind of template would you expect to be affected that has > 100 requests, given that request history is not supported with payloads?
from nuclei.
Thanks @ehsandeep.
One example that comes to mind is a template that uses an input wordlist with >100 entries, where each request needs a unique nonce value. Not super common, if at all existing in the current template set, but I can see this sort of thing getting implemented as more advanced templates get submitted and the fuzzing capabilities get extended.
Something like:
http:
  - raw:
      - |
        GET /foo HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /foo HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        id={{num}}&nonce={{nonce}}
    payloads:
      num: some_long_wordlist_with_more_than_100_entries.txt
    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - "hidden\" name=\"nonce\" value=\"([0-9a-z]+)\""
        internal: true
from nuclei.
Although, we'd need an attack object for this bug to crop up, right? So it would need to be some combination of wordlists/payloads and an attack configuration that leads to >100 total payloads.
Probably not super common, but I can see someone getting tripped up by the 100-payload edge case in the future.
from nuclei.
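The following is an added example, not code from the issue author or the nuclei project: it re-implements the conditions of the Go linter posted above using only Ruby's standard-library YAML parser (so it runs without the nuclei package), and additionally estimates the number of payload combinations per attack type, which is what the threshold-based hotfix and the ">100 payloads" discussion above hinge on. The sample template is constructed, and the count formulas (clusterbomb = product of list sizes, pitchfork = shortest list, batteringram = one list) are assumptions about the generator.

```ruby
require "yaml"

# Constructed sample (not a real nuclei-templates file): a named extractor whose
# value feeds a later raw request, combined with an attack/payloads block.
SAMPLE_TEMPLATE = <<~YAML
  id: example-default-login
  http:
    - raw:
        - |
          GET /login HTTP/1.1
        - |
          POST /login HTTP/1.1

          user={{user}}&pass={{pass}}&csrf={{csrf}}
      attack: clusterbomb
      payloads:
        user: [admin, root]
        pass: [admin, password, "123456"]
      extractors:
        - { type: regex, name: csrf, internal: true, regex: ['name="csrf" value="([0-9a-f]+)"'] }
YAML

# Payload combinations produced for inline lists (assumed generator semantics:
# clusterbomb = product, pitchfork = shortest list, batteringram = one list).
# nil when a payload is a wordlist file, whose size is unknown here.
def payload_count(attack, payloads)
  return 0 if payloads.nil? || payloads.empty?
  sizes = payloads.values.map { |v| v.is_a?(Array) ? v.size : nil }
  return nil if sizes.include?(nil)
  case attack
  when "clusterbomb" then sizes.reduce(1, :*)
  when "pitchfork"   then sizes.min
  else sizes.max
  end
end

# Same conditions as the Go linter: one http block, >= 2 raw requests, an attack
# key, and a named extractor referenced as {{name}} in a later raw request.
def lint_template(yaml_text)
  http = YAML.safe_load(yaml_text)["http"] || []
  return [] unless http.size == 1
  req, raws = http[0], (http[0]["raw"] || [])
  return [] if raws.size < 2 || (req["extractors"] || []).empty? || req["attack"].nil?
  count = payload_count(req["attack"], req["payloads"])
  req["extractors"].map { |e| e["name"].to_s }.reject(&:empty?)
     .select { |name| raws.drop(1).any? { |r| r.include?("{{#{name}}}") } }
     .map { |name| [name, count] }
end

lint_template(SAMPLE_TEMPLATE).each { |v, n| puts "[!] extractor #{v} reused across raw requests (#{n || '?'} payload combos)" }
```

Pointing `lint_template` at each file under a templates checkout gives the affected list together with how many payload iterations each one generates, so templates above or below a given concurrency threshold can be separated out.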
@denandz, attack is a component of payloads and this issue seems to affect the dynamic extractors + payloads combination. More context here: #5015
Since this will be a change at generator / core level it might break some templates if not carefully handled, so we are first proceeding with generating unit tests for templates and then iteratively implementing this fix.
from nuclei.
Thanks team! Love your work. Excited to see how the automated template testing works out
from nuclei.