projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei

License: MIT License

nuclei-templates nuclei bugbounty security nuclei-checks exploits exploit-development vulnerability-detection fingerprint hacktoberfest

nuclei-templates's Introduction

Nuclei Templates

Community curated list of templates for the nuclei engine to find security vulnerabilities in applications.


Templates are the core of the nuclei scanner which powers the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team, as well as contributed by the community. We hope that you also contribute by sending templates via pull requests or Github issues to grow the list.

Nuclei Templates overview

An overview of the nuclei template project, including statistics on unique tags, authors, directories, severities, and template types. The table below contains the top ten entries for each metric; an expanded version is available here, and also in JSON format for integration.

Nuclei Templates Top 10 statistics

TAG        COUNT | AUTHOR         COUNT | DIRECTORY   COUNT | SEVERITY  COUNT | TYPE  COUNT
cve        2435  | dhiyaneshdk    1262  | http        7355  | info      3645  | file  337
panel      1123  | daffainfo      864   | file        337   | high      1686  | dns   25
wordpress  962   | dwisiswant0    803   | workflows   191   | medium    1503  |
exposure   901   | pikpikcu       353   | network     136   | critical  1009  |
xss        895   | pussycat0x     349   | cloud       98    | low       265   |
wp-plugin  837   | ritikchaddha   326   | code        81    | unknown   38    |
osint      804   | pdteam         297   | javascript  56    |                 |
tech       674   | princechaddha  260   | ssl         29    |                 |
lfi        647   | ricardomaia    232   | dns         22    |                 |
misconfig  602   | geeknik        230   | dast        21    |                 |

633 directories, 8625 files.

📖 Documentation

Please navigate to https://nuclei.projectdiscovery.io for detailed documentation on building your own custom templates. We have also added a set of templates to help you understand how things work.

💪 Contributions

Nuclei-templates is powered by major contributions from the community. Template contributions, feature requests and bug reports are more than welcome.


💬 Discussion

Have questions, doubts or ideas to discuss? Feel free to open a discussion on the Github discussions board.

👨‍💻 Community

You are welcome to join the active Discord Community to discuss directly with project maintainers and share things with others around security and automation. Additionally, you may follow us on Twitter to be updated on all the things about Nuclei.

Thanks again for your contribution and keeping this community vibrant. ❤️

nuclei-templates's People

Contributors

actions-user, akokonunes, arafatansari, daffainfo, dhiyaneshgeek, dwisiswant0, edoardottt, ehsandeep, for3stco1d, forgedhallpass, geeknik, gy741, idealphase, j4vaovo, johnk3r, lu4nx, mad-robot, mostinterestingbotintheworld, parthmalhotra, pdelteil, pikpikcu, princechaddha, pussycat0x, pwnhxl, righettod, ritikchaddha, rxerium, sullo, tess-ss, theamanrawat


nuclei-templates's Issues

DSL syntax for headers/values that are not present

Hi all,

I am trying to write a check that checks if the following:

  1. Access-Control-Allow-Origin is *
  2. Cache-Control does NOT contain no-store.

In the second case the header Cache-Control might be set or not, and it might contain other values than no-store.

My matcher:

    matchers:
      - type: dsl
        name: "[ACAO * and no cache-control header]"
        dsl:
          - "contains(access_control_allow_origin, '*') && !contains(tolower(all_headers), 'no-store')"

Does ! work as NOT in the dsl syntax? How would you write it?

Test cases:

Correct headers - should not trigger a finding

Access-Control-Allow-Origin: *
Cache-Control: no-store

Missing Cache-Control, should trigger a finding

Access-Control-Allow-Origin: *

Cache-Control set but not containing no-store, should trigger a finding

Access-Control-Allow-Origin: *
Cache-Control: private

Missing ACAO, should not trigger a finding

Cache-Control: private, no-cache, no-store, must-revalidate

With my current DSL, I get positive matches on all my test cases except the last one. Any Idea why?

Cheers,

emil
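As an added example (not code from the nuclei-templates project or from the issue author), the following plain-Python model runs the issue's condition over its four test cases. It builds one variable per response header by lowercasing the name and replacing '-' with '_' (an assumed approximation of how nuclei names header variables, not something the issue states) plus an all_headers string, then evaluates the condition and a stricter directive-based variant:

```python
"""Added example, not code from the nuclei-templates project: a plain-Python
model of the matcher logic in the issue above, run over its four test cases.
Header variable naming (lowercase, '-' -> '_') is an assumed approximation."""

# Constructed raw header blocks, one per test case listed in the issue.
TEST_CASES = {
    "correct": "Access-Control-Allow-Origin: *\r\nCache-Control: no-store\r\n",
    "missing_cache_control": "Access-Control-Allow-Origin: *\r\n",
    "cache_control_without_no_store": (
        "Access-Control-Allow-Origin: *\r\nCache-Control: private\r\n"),
    "missing_acao": (
        "Cache-Control: private, no-cache, no-store, must-revalidate\r\n"),
}


def header_variables(raw_headers: str) -> dict:
    """Map a raw header block to DSL-style variables. An absent header simply
    has no variable, so any check must treat 'missing' as the empty string."""
    variables = {}
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        variables[name.strip().lower().replace("-", "_")] = value.strip()
    variables["all_headers"] = raw_headers
    return variables


def acao_wildcard_without_no_store(raw_headers: str) -> bool:
    """The condition from the issue, with '!' read as NOT:
    contains(access_control_allow_origin, '*')
      && !contains(tolower(all_headers), 'no-store')"""
    v = header_variables(raw_headers)
    acao = v.get("access_control_allow_origin", "")
    return "*" in acao and "no-store" not in v["all_headers"].lower()


def cache_control_directives(raw_headers: str) -> set:
    """Stricter variant: split Cache-Control into directives instead of
    substring-matching the whole header block, so a 'no-store' in some
    unrelated header cannot silently suppress the finding."""
    cc = header_variables(raw_headers).get("cache_control", "")
    return {d.strip().lower() for d in cc.split(",") if d.strip()}


def acao_wildcard_without_no_store_strict(raw_headers: str) -> bool:
    """Same intent, but ACAO must be exactly '*' and no-store is looked up
    as a parsed Cache-Control directive."""
    v = header_variables(raw_headers)
    return (v.get("access_control_allow_origin", "").strip() == "*"
            and "no-store" not in cache_control_directives(raw_headers))


def run_all() -> dict:
    """Test case name -> True when the loose condition reports a finding."""
    return {name: acao_wildcard_without_no_store(h)
            for name, h in TEST_CASES.items()}


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {'finding' if finding else 'no finding'}")
```

On these inputs the logic returns findings only for the two Cache-Control cases, exactly as the issue's test table expects, so when a real scan reports all four, the first thing to compare is the raw headers the scanner actually received rather than the boolean expression itself.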

tomcat-manager-bruteforce.yaml High false positive rate

This template seems to be checking only for an HTTP response and gives a high false positive rate IMHO.

https://github.com/projectdiscovery/nuclei-templates/blob/master/brute-force/tomcat-manager-bruteforce.yaml

Maybe we can add the matcher for Apache Tomcat that is present on files/public-tomcat-instance.yaml

matchers:
  - type: word
    words:
      - Apache Tomcat

buggie@ubuntu-s-1vcpu-1gb-tor1-01:~$ echo https://mobile.twitter.com | ./go/bin/nuclei -t nuclei-templates/brute-force/tomcat-manager-bruteforce.yaml

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [tomcat-manager-bruteforce] Loaded template tomcat-manager-bruteforce-fuzzing (@pdteam) [high]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [password=admin,username=admin]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [password=guest,username=admin]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [password=password,username=admin]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [password=test,username=admin]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [username=admin,password=12345]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html [password=123456,username=admin]
[tomcat-manager-bruteforce] [http] https://mobile.twitter.com/manager/html

Regards

Creating new template

Hi,
I was trying to create a new template with multiple headers and I have read the wiki but could not find what I am missing.

referring to this template vulnerabilities/x-forwarded-host-injection.yaml

Multiple test

Hi heroes!

Want to thank you again for that amazing work!

Is there a way to do multiple tests with just one request?

In this case, I'm sure multiple requests could be saved, and with that a lot of time too: fdf9402

Need help on quote

I want to make a sig for SQLi
but "{{BaseURL}}/q?q=' OR IF(MID(@@Version,1,1)='5',sleep(1),1)='2"
is not working because of the '. Can anyone help me?

ssrf

How to create SSRF?

side unexploitable case of CVE-2019-8449?

I found a couple of sites like host/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true

but with this response:

{"users":{"users":[],"total":0,"header":"Showing 0 of 0 matching users"},"groups":{"header":"Showing 0 of 0 matching groups","total":0,"groups":[]}}

Does it mean that this is unexploitable since no users available? any other endpoint to check?

detect-all-takeovers:unbounce needs an additional check

A lot of subdomains from Google return this generic "The requested URL was not found on this server."

On the sample page I found, https://info.hacker.one/, the response is exactly that. I think changing it to a regex that matches exactly the expected output is better.

https://www.mohamedharon.com/2019/02/2-subdomains-takeover-via-unbounce-in.html

[INF] [detect-all-takeovers] Loaded template Subdomain Takeover Detection (@melbadry9 & pxmme1337) [high]
[detect-all-takeovers:unbounce] [http] https://elements.google.com/
[detect-all-takeovers:unbounce] [http] https://info.hacker.one/
[INF] No results found. Happy hacking!

After this change:

      - type: regex
        name: unbounce
        regex:
          - "^The requested URL was not found on this server.$"

It no longer triggers on Google but works on info.hacker.one

[INF] [detect-all-takeovers] Loaded template Subdomain Takeover Detection (@melbadry9 & pxmme1337) [high]
[detect-all-takeovers:unbounce] [http] https://info.hacker.one/
[INF] No results found. Happy hacking!

Exposed SVN Directory too lax resulting in false-positives.

The conditions in the Exposed SVN Directory template (see below) are too lax resulting in many false-positives. Maybe we should consider adding additional conditions to reduce the number of false-positives.

matchers:
  - type: word
    words:
      - "dir"
  - type: status
    status:
      - 200

"CRLF injection" template results in false positives.

The CRLF injection template's matcher is too lax resulting in false positives in particular when encountering Citrix Gateways. Citrix reflects the URL-encoded path into the cookie:

Set-Cookie: NSC_TASS=//%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=crlfinjection;HttpOnly;Path=/;Secure

Since the matcher only greps for crlfinjection in a Set-Cookie: header, this will result in false positives.

matchers:
  - type: dsl
    dsl:
      - 'contains(set_cookie,"crlfinjection")'

I suggest matching the literal string: Set-Cookie:crlfinjection=crlfinjection.

impact of public front-page-misconfig.yaml ?

Sorry for making this issue, but I can't understand on my own why this would be even accepted as low severity instead of being closed as N/A. it is always expecting a 247 size response, but it isn't disclosing anything sensitive/reportable.

Am I wrong here? Please point me in the right direction

I figured out that it is possible to know which server is running, and something else. That's it, right? Found it on VDPs only :(

create new template

I managed to create a new template which grabs regex API keys, BUT
this template has multiple regexes, and when I run it against a URL it just mentions the YAML id name, not which regex it catches!
Is it possible to tell me which regex it catches when it matches one of the multiple provided in the same template?
Example of my template:

id: mytemp

info:
  name: mytemp
  author: test
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - "blabla1"
          - "blabla2"
          - "blabla3"
          - "blabla4"
          - "blabla5"
          - "blabla6"
          - "blabla7"

The simple question is: could nuclei tell me which bla it catches?

error when trying to run all template

I mentioned you earlier and one of the guys told me that I could run all templates at once against a list of URLs.
But I tried so many times.
The case is: when I run nuclei with a list containing only subdomains without http(s), it is not working.

https://imgur.com/MVq5Waa

So I tried running another tool to probe, then it is not working either!
BUT if I run it directly, feeding nuclei via stdin like
cat listofurl | httprobe | nuclei -t ~/tools/nuclei-templates/ -v -o nuclei -c 50 -timeout 3
it works with some templates, not all.

Creating new release on each PR and PUSH

In nuclei, templates get updated using the latest release tag of nuclei-templates, as such, we need to ensure that release gets created (incremental tags) in an automated way on each pull request and push.

Currently, tags are created in the following pattern:

1.0.0 > 1.0.9 > 2.0.0

false positives of CVE-2020-12720

Hello,

I am getting false positives (I think) of CVE-2020-12720; this is reflected in the response as vbulletinrcepoc as expected, but I receive code 401.

Is there any way to prove this is actually vulnerable? I can't read about it anywhere.

Multiple matchers with DNS request

Are multiple matchers possible while using a DNS request?
Is there a way to make HTTP requests when a specific DNS condition is true?

aws-access-key-value

Hello again,

The template aws-access-key-value.yaml looks for the AWS key ID, which alone is not sensitive, as it is like sharing a username. Without the secret key (which would be like the password) I don't think this has impact. Correct me if I'm wrong, please. This has medium severity at the moment.

"Subdomain takeover finder" template results in false positives for ActiveCampaign instances.

The Subdomain takeover finder template's matcher looks for lighttpd parking pages which is an independent piece of software not necessarily running on ActiveCampaign.

- type: word
  name: activecompaign
  words:
    - alt="LIGHTTPD - fly light."


Example lighttpd instance not running on ActiveCampaign.

Also, just for your interest, there is a typo in the name.

- name: activecompaign 
+ name: activecampaign

Setup template with words/format to ignore

Hi Team,
Is there a way to format the template to ignore words/formats from the scan, more like grep -v?

To give an example, when using the dead-host-with-cname template, how can we set it up to ignore a host pointing to a CNAME within the same host?

Example:
xyz.example.com having CNAME as abc.example.com [dead]

This would result in false positive.

Duplicate Port Issue

Hello,

For example, if you use a tool such as "naabu" and connect it with nuclei, it becomes the following form.

A duplicate port (7001:7001) is created, and the progress is interrupted.

For example:

root $ echo "http://x.x.x.x:7001" | nuclei -t nuclei-templates/technologies/weblogic-detect.yaml

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[WRN] nuclei-templates are not installed, use update-templates flag.
[INF] [WebLogic-Detect] Loaded template Detect Weblogic (@bing0o) [informative]
[INF] Dumped HTTP request for http://x.x.x.x:7001 (WebLogic-Detect)

GET /console/login/LoginForm.jsp HTTP/1.1
Host: x.x.x.x:7001:7001<------------------------------ Issue
Connection: close
Accept: */*
Accept-Language: en
Connection: close
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] No results found. Happy hacking!

nuclei-templates/technologies/weblogic-detect.yaml

id: WebLogic-Detect

info:
  name: Detect Weblogic
  author: bing0o
  severity: informative

requests:
  - method: GET
    path:
      - "{{BaseURL}}:7001/console/login/LoginForm.jsp" <---------- run.
      - "{{BaseURL}}/console/login/LoginForm.jsp"     <-------- It doesn't work.
    matchers:
      - type: word
        words:
          - "WebLogic"

Error Parsing yaml file

- "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\"""

Fix (depends on the exploit payload):
- "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\"\""

or

- "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""

question: how to alert if any binary data in the response?

I want to send a request to a specific path and if it is binary data in the response that it alerts it.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/path"
      - "{{BaseURL}}/path"
    matchers:
      - type: binary
        part: body

I copied this from the template guide but it doesn't work. I tried grepping for a word but that didn't work because it was binary.

What is the correct way to do it?

rce-via-java-deserialization.yaml missing id

This template lacks an id and the report shows it as empty; when running with multiple templates it could be confusing.

https://github.com/projectdiscovery/nuclei-templates/blob/master/vulnerabilities/rce-via-java-deserialization.yaml

     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [] Loaded template Java Deserialization [RCE] (@uhnysh) [critical]
[] [http] http://x:80/josso/%%5C../invoker/EJBInvokerServlet/
[] [http] http://x:80/josso/%%5C../invoker/JMXInvokerServlet/
[] [http] http://x:80/invoker/JMXInvokerServlet/
[] [http] http://x:80/invoker/EJBInvokerServlet/

P.S. I'll set my git environment soon to send pull requests instead of just issues :)

regex extractor with /g (global) flag by default

Hi, is there any way to disable the global flag in a regex extractor? For example, the matching regex has multiple entries in a page response. Rather than the extractor printing out all the occurrences, is there a way to only print the first occurrence?

"Docker Registry Listing" template results in Bitbucket false positives.

The Docker Registry Listing template's matcher is too lax resulting in false positives when encountering self-hosted Bitbucket instances. The /v2/_catalog endpoint will return a 404 on Bitbucket but the repositories string is in the navbar. This results in false positives.

matchers:
  - type: word
    words:
      - "repositories"


I suggest possibly matching the surrounding JSON syntax.
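The CRLF injection, unbounce takeover and Docker Registry listing reports above share one root cause: the matcher looks for a bare substring. As an added example (not code from the nuclei-templates project or from the issue authors), the block below puts each loose check next to a tighter one and runs both over constructed sample responses. The Citrix cookie is the one quoted in the CRLF issue; the other bodies are made up for the demonstration.

```python
"""Added example, not code from the nuclei-templates project: loose
substring matchers beside tighter checks, for the three false-positive
reports above. All sample bodies are constructed except the Citrix cookie,
which is the one quoted in the CRLF injection issue."""

import json
import re

# 1. CRLF injection: "crlfinjection" anywhere in Set-Cookie vs. an injected
#    header that actually starts its own line.
CITRIX_COOKIE = ("NSC_TASS=//%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection="
                 "crlfinjection;HttpOnly;Path=/;Secure")
CITRIX_HEADERS = "Set-Cookie: " + CITRIX_COOKIE + "\r\n"
# Constructed: a response where the CRLF really split the header block.
INJECTED_HEADERS = ("Set-Cookie: session=abc\r\n"
                    "Set-Cookie:crlfinjection=crlfinjection\r\n")


def crlf_loose(headers: str) -> bool:
    """Current template logic: contains(set_cookie, "crlfinjection")."""
    values = [line.split(":", 1)[1] for line in headers.splitlines()
              if line.lower().startswith("set-cookie:")]
    return any("crlfinjection" in v for v in values)


def crlf_strict(headers: str) -> bool:
    """The literal 'Set-Cookie:crlfinjection=crlfinjection' also appears
    inside the Citrix cookie value, so the literal alone is not enough: it
    has to sit at the start of a header line to show the CRLF took effect."""
    return re.search(r"(?m)^Set-Cookie:crlfinjection=crlfinjection",
                     headers) is not None


# 2. unbounce takeover: substring vs. the whole body being the fingerprint.
UNBOUNCE_BODY = "The requested URL was not found on this server."
# Constructed stand-in for a Google 404 page embedding the same sentence.
GOOGLE_404_BODY = ("<html><body><p>The requested URL was not found on this "
                   "server.</p><p>That's all we know.</p></body></html>")


def unbounce_loose(body: str) -> bool:
    return "The requested URL was not found on this server." in body


def unbounce_strict(body: str) -> bool:
    """Equivalent of the anchored ^...$ regex proposed in the issue."""
    return re.fullmatch(r"The requested URL was not found on this server\.",
                        body.strip()) is not None


# 3. Docker Registry listing: the word "repositories" vs. the /v2/_catalog
#    JSON shape, which is what actually identifies a registry.
REGISTRY_BODY = '{"repositories":["app/api","app/web"]}'
# Constructed Bitbucket-style HTML whose navbar contains the same word.
BITBUCKET_BODY = ('<html><nav><a href="/repositories">repositories</a>'
                  '</nav></html>')


def registry_loose(body: str) -> bool:
    return "repositories" in body


def registry_strict(body: str, status: int) -> bool:
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and isinstance(data.get("repositories"), list)


def summary() -> dict:
    """Sample name -> (loose verdict, strict verdict); True means 'finding'."""
    return {
        "crlf_citrix": (crlf_loose(CITRIX_HEADERS), crlf_strict(CITRIX_HEADERS)),
        "crlf_real": (crlf_loose(INJECTED_HEADERS), crlf_strict(INJECTED_HEADERS)),
        "unbounce_google": (unbounce_loose(GOOGLE_404_BODY),
                            unbounce_strict(GOOGLE_404_BODY)),
        "unbounce_real": (unbounce_loose(UNBOUNCE_BODY),
                          unbounce_strict(UNBOUNCE_BODY)),
        "registry_bitbucket": (registry_loose(BITBUCKET_BODY),
                               registry_strict(BITBUCKET_BODY, 404)),
        "registry_real": (registry_loose(REGISTRY_BODY),
                          registry_strict(REGISTRY_BODY, 200)),
    }


if __name__ == "__main__":
    for name, (loose, strict) in summary().items():
        print(f"{name:20} loose={loose!s:5} strict={strict}")
```

Every loose check fires on both the genuine and the look-alike response, while each strict check fires only on the genuine one. The CRLF case is the instructive one: the reflected Citrix cookie contains the full literal `Set-Cookie:crlfinjection=crlfinjection`, so the fix has to anchor it to the start of a header line, not merely look for the longer string.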

Can't exec workflow with "-" variables

Is this a bug in code or documentation that needs to be updated? 😄

[ERR] Could not execute workflow 'liferay-rce-workflow': Compile Error: unresolved reference 'liferay'
        at (main):1:4

Usage:

echo "target" | nuclei -t workflows/liferay-rce-workflow.yaml 

Resolved by:
Changing - to _.

Let me know if this is not a bug, then I will fix the workflow template.

False positives for Google Cloud key template

Apparently Google Maps uses the same format for API keys as Google Cloud, which means that the template gives false positives when encountering a Maps key.

I don't think there's a way to fix this, unless the Google Cloud keys are embedded in a way that's distinguishable from Maps. However, that's not very likely since they're probably not meant to be public in the first place.

HTTP Header Usage Question

Hello,

The raw requests method allows you to select the HTTP version (HTTP/1.1, HTTP/2.0).

Is there a way to use the "raw requests'" approach without using it?

I want to send the below request in "HTTP/2.0" way.

id: test

info:
  name: test
  author: karas
  severity: low

requests:
  - method: GET
    headers:
      User-Agent: karas
    path:
      - "{{BaseURL}}/karas/"
    matchers:
      - type: word
        words:
          - "<title>karas</title>"

Add Workflows

Hi, can I add a custom workflow (workflows/ dir)? Ask for permission.

Thanks!
