Support to use "ip" DSL in the requests #2025

Closed
brenocss opened this issue May 18, 2022 · 9 comments · Fixed by #3011 or #3021
Assignees
Labels
Priority: Medium This issue may be useful, and needs some attention. Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

@brenocss commented May 18, 2022

This works:

id: basic-raw-example
info:
  name: Test RAW Template
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: dsl
        dsl:
          - ip

But not this:

id: basic-raw-example
info:
  name: Test RAW Template
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{ip}}

It should be exposed for use in all supported protocols.

@brenocss brenocss added the Type: Enhancement Most issues will probably ask for additions or changes. label May 18, 2022
@ehsandeep ehsandeep changed the title Add variable that returns the resolved ips of a domain New DSL to access resolved Host IP May 19, 2022
@ehsandeep ehsandeep added the Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix label May 19, 2022
@ehsandeep ehsandeep changed the title New DSL to access resolved Host IP Support to use "ip" DSL in the requests Jun 3, 2022
@ehsandeep ehsandeep added Priority: Medium This issue may be useful, and needs some attention. Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. and removed Priority: Low This issue can probably be picked up by anyone looking to contribute to the project, as an entry fix Type: Enhancement Most issues will probably ask for additions or changes. labels Jun 3, 2022
@Mzack9999 Mzack9999 self-assigned this Jun 22, 2022
@Mzack9999 Mzack9999 added the Status: In Progress This issue is being worked on, and has someone assigned. label Jun 22, 2022
@Mzack9999 (Member) commented
@brenocss Unfortunately, the IP information is available only after performing at least one connection to the target. A temporary workaround could be a template like the following one:

id: basic-raw-example
info:
  name: Test RAW Template
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{extractedip}}

    extractors:
      - type: dsl
        internal: true
        name: extractedip
        dsl:
          - ip

Is there any specific use case you encountered that requires the IP information to be available before the connection?

@Mzack9999 Mzack9999 added Status: On Hold Similar to blocked, but is assigned to someone Type: Question A query or seeking clarification on parts of the spec. Probably doesn't need the attention of all. and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Jun 22, 2022
@brenocss (Author) commented Jun 22, 2022

Use case

nuclei -t internetdb.yaml  -u google.com
nuclei -t internetdb.yaml  -u https://google.com

It is important that this template can be executed even for entries that are not URLs:

requests:
  - raw:
      - |
        @Host: https://internetdb.shodan.io/
        GET /{{ip}} HTTP/1.1
        Host: internetdb.shodan.io

An example of a workaround that would be possible when the cross-protocol data sharing function is working:

id: teste

info:
  name: debug
  author: brenocss
  severity: info
  description: Ip 
  reference:
    - https://google.com
  classification:
    cwe-id: CWE-200
  tags: dns,A

dns:
  - name: "{{FQDN}}"
    type: A

    matchers:
      - type: word
        words:
          - "IN\tA"

    extractors:
      - type: regex
        name: extractedip
        group: 1
        # internal: true
        regex:
          - "IN\tA\t(\\S+)"
requests:
  - raw:
      - |
        @Host: https://internetdb.shodan.io/
        GET /{{extractedip}} HTTP/1.1
        Host: internetdb.shodan.io

But that won't work for this; that's why DSL would be a better way to do it:

echo hackerone.com | nuclei -t internetdb -u 8.8.8.8

Another problem is having to keep redoing unnecessary DNS/HTTP requests.

@Mzack9999 (Member) commented

Unfortunately, knowing the actual server's IP is impossible before performing at least one connection to the DNS hostname.
@ehsandeep What do you think about adding a DNS function to resolve hostname=>ip and assuming that the first available IP is optimistically the one used to perform a successful connection?

@ehsandeep (Member) commented

@Mzack9999 indeed, it will not only solve this, but also helpful for new helpers at #2341

@brenocss (Author) commented Aug 17, 2022

> Unfortunately, knowing the actual server's IP is impossible before performing at least one connection to the DNS hostname. @ehsandeep What do you think about adding a DNS function to resolve hostname=>ip and assuming that the first available IP is optimistically the one used to perform a successful connection?

Don't we need to preprocess all domains before using for all templates?

It is worth mentioning that when the input is an IP, the variable {{ip}} is also not valid:

echo https://127.0.0.1 | nuclei -t teste.yaml -duc -debug
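Two points from this thread can be shown together in code: the "resolve the hostname and optimistically take the first address" helper that Mzack9999 proposes above, and the case brenocss raises here where the input is already an IP literal (or a URL wrapping one) and no resolution should be needed at all. The following is an added illustration written for this page, not code from nuclei or fastdialer; the names HostFromInput, FirstIP, ResolveInput and the Resolver type are assumptions, and the DNS records in main are constructed so it runs offline (net.LookupIP would be the real Resolver). The caveat the maintainers state applies: the returned address is a guess, not necessarily the one the dialer later connects to.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver returns every address for a name. net.LookupIP satisfies it; the
// example injects a fake so nothing touches the network. (Assumed type name.)
type Resolver func(name string) ([]net.IP, error)

// HostFromInput takes an input item as a scanner would receive it (bare hostname,
// IP literal, host:port or full URL) and returns the host part plus whether it is
// already an IP literal, in which case no DNS lookup is needed.
func HostFromInput(input string) (string, bool, error) {
	s := strings.TrimSpace(input)
	if s == "" {
		return "", false, errors.New("empty input")
	}
	host := s
	if strings.Contains(s, "://") {
		u, err := url.Parse(s)
		if err != nil {
			return "", false, err
		}
		host = u.Hostname() // drops the port and any IPv6 brackets
	} else if h, _, err := net.SplitHostPort(s); err == nil {
		host = h
	} else {
		host = strings.Trim(s, "[]") // bare "[::1]" without a port
	}
	if host == "" {
		return "", false, fmt.Errorf("no host in %q", input)
	}
	if ip := net.ParseIP(host); ip != nil {
		return ip.String(), true, nil
	}
	return strings.ToLower(host), false, nil
}

// FirstIP is the heuristic proposed in the thread: resolve the name and take the
// first address of the preferred family. It is only a guess about which address
// the dialer will later use when the name has several records.
func FirstIP(host string, preferIPv6 bool, lookup Resolver) (string, error) {
	ips, err := lookup(host)
	if err != nil {
		return "", err
	}
	var v4, v6 []net.IP
	for _, ip := range ips {
		if ip.To4() != nil {
			v4 = append(v4, ip)
		} else {
			v6 = append(v6, ip)
		}
	}
	switch {
	case preferIPv6 && len(v6) > 0:
		return v6[0].String(), nil
	case len(v4) > 0:
		return v4[0].String(), nil
	case len(v6) > 0:
		return v6[0].String(), nil
	}
	return "", fmt.Errorf("no addresses for %s", host)
}

// ResolveInput combines both steps: the value an "{{ip}}"-style variable could
// carry before the first connection is made.
func ResolveInput(input string, preferIPv6 bool, lookup Resolver) (string, error) {
	host, isIP, err := HostFromInput(input)
	if err != nil {
		return "", err
	}
	if isIP {
		return host, nil // IP literal input: hand it through untouched
	}
	return FirstIP(host, preferIPv6, lookup)
}

func main() {
	// Constructed records for the demo; not real DNS data.
	fake := func(name string) ([]net.IP, error) {
		records := map[string][]net.IP{
			"google.com":    {net.ParseIP("2001:db8::1"), net.ParseIP("192.0.2.10")},
			"hackerone.com": {net.ParseIP("198.51.100.7")},
		}
		if ips, ok := records[name]; ok {
			return ips, nil
		}
		return nil, fmt.Errorf("lookup %s: no such host", name)
	}
	for _, in := range []string{"google.com", "https://google.com", "https://127.0.0.1", "[::1]:8443", "nope.invalid"} {
		ip, err := ResolveInput(in, false, fake)
		if err != nil {
			fmt.Printf("%-20s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-20s -> https://internetdb.shodan.io/%s\n", in, ip)
	}
}
```

The IPv4-first default mirrors what a dialer without a forced family would most often end up using; pass preferIPv6 when the scan is pinned to IPv6. For the internetdb use case from this thread, the loop in main shows the URL that would be built from each input without any prior HTTP request to the target.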

@ehsandeep ehsandeep removed Status: On Hold Similar to blocked, but is assigned to someone Type: Question A query or seeking clarification on parts of the spec. Probably doesn't need the attention of all. labels Aug 20, 2022
@Mzack9999 (Member) commented Aug 31, 2022

@brenocss, the pre-processing phase only lexicographically (fqdn)/range (ip + cidr) deduplicates input items. The DNS resolution, if a domain name is provided, happens within fastdialer at connection time.

On Hold - We need to clarify if the helper function with heuristic assumptions can cover the particular use case
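To make the pre-processing description above concrete: the input stage only deduplicates, it does not resolve anything. The block below is an added illustration for this page, not nuclei's own input code; it models the described behaviour (hostnames deduplicated lexicographically, IP literals and CIDRs deduplicated by range) with the assumed function name DedupInputs and constructed input items, and deliberately leaves DNS to whatever dials the target later.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// DedupInputs removes redundant input items without touching the network:
//   - hostnames are compared case-insensitively and without a trailing dot;
//   - CIDRs are canonicalised (10.0.0.7/24 becomes 10.0.0.0/24) before comparing;
//   - an IP literal already covered by a listed CIDR is dropped.
// Hostnames and CIDRs keep their input order; surviving loose IPs follow.
func DedupInputs(items []string) []string {
	var out []string
	seen := map[string]bool{}
	var cidrs []*net.IPNet
	var loose []net.IP

	for _, raw := range items {
		s := strings.TrimSpace(raw)
		if s == "" {
			continue
		}
		if _, n, err := net.ParseCIDR(s); err == nil {
			key := n.String() // network address, not the host bits typed by the user
			if !seen[key] {
				seen[key] = true
				cidrs = append(cidrs, n)
				out = append(out, key)
			}
			continue
		}
		if ip := net.ParseIP(s); ip != nil {
			key := ip.String()
			if !seen[key] {
				seen[key] = true
				loose = append(loose, ip)
			}
			continue
		}
		key := strings.ToLower(strings.TrimSuffix(s, "."))
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}

	// Second pass: a loose IP inside any listed CIDR would be scanned twice.
	for _, ip := range loose {
		covered := false
		for _, n := range cidrs {
			if n.Contains(ip) {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, ip.String())
		}
	}
	return out
}

func main() {
	// Constructed input list for the demo.
	in := []string{"Example.com", "example.com.", "10.0.0.0/24", "10.0.0.5", "10.0.1.9", "10.0.0.7/24", "10.0.1.9"}
	for _, item := range DedupInputs(in) {
		fmt.Println(item)
	}
}
```

Note that nothing here tells you which address example.com will be dialled on; that decision, and therefore the value of the ip DSL, still only exists once the connection has been made.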

@Mzack9999 Mzack9999 added the Status: On Hold Similar to blocked, but is assigned to someone label Sep 4, 2022
@brenocss (Author) commented Dec 4, 2022

@Mzack9999 Doesn't scanning based on IP type (such as IPv6 or IPv4) pre-process domains and resolve them before running?

@Mzack9999 (Member) commented Dec 9, 2022

@brenocss, that is an excellent point. Still, this happens only in the case of scan-all-ips, as we use a custom IP to connect to.

@Mzack9999 Mzack9999 linked a pull request Dec 9, 2022 that will close this issue
@Mzack9999 Mzack9999 removed the Status: On Hold Similar to blocked, but is assigned to someone label Dec 9, 2022
@ehsandeep ehsandeep added the Status: Completed Nothing further to be done with this issue. Awaiting to be closed. label Dec 9, 2022
@ehsandeep ehsandeep linked a pull request Dec 11, 2022 that will close this issue