fix dynamic extractor + payloads edgecase by sending req sequentially

[tarunKoyalwar]

Proposed Changes

• the crux of Erroneous extractor logic - 28 checks failing to detect issues #4993 was that using threads with payloads assumes that all requests are independent which necessarily is not the case and depends on usage pattern as we have seen with specified template in the issue
• the 💯 solution for that is to add a feature to iterate over a set of requests with concurrency [ this can be via flow , workflow or updating generators and is open to discussions ]
• a temporary solution for this is to set threads to 0 internally which forces nuclei to use sequential execution handler instead of executeparallelhttp in turn fixing the issue
• a recently merged hotfix attempted this by adding a high enough (100) value as threshold which is the minimum criteria required to run / use executeparallelhttp handler
• since this a special case with combination of ( dynamic extractor + payloads ) and adding a threshold limits concurrency of templates outside of such combination https://github.com/projectdiscovery/nuclei-templates/blob/ed682e6f178a4c8c7f12cbe4fbb40338d4aa3c6e/http/exposures/backups/zip-backup-files.yaml#L4
• to fix this , this pr explicitly handles the situation by detecting the edgecase and resetting threads value to 0 and thus forcing it to run sequentially ( a warning is printed in verbose more about this limitation as well)
• this fix should handle this edgecase regardless of number of requests and thus giving enough time for us to implement new feature or refactor as per convienence
• closes Erroneous extractor logic - 28 checks failing to detect issues #4993
• follow-up fix is tracked as enhancement at Support Concurrency when executing conditional requests with payloads #5015

template

id: wazuh-default-login

info:
  name: Wazuh - Default Login
  author: theamanrawat
  severity: high
  description: |
    Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html
    - https://wazuh.com
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"Wazuh"
  tags: wazuh,default-login

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Osd-Version: {{osd}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    attack: pitchfork
    payloads:
      username:
        - "admin"
        - "wazuh"
      password:
        - "admin"
        - "wazuh"
    stop-at-first-match: true

    matchers:
      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: osd
        internal: true
        part: body
        group: 1
        regex:
          - "<h1>(.*)</h1>"

example run ( in verbose mode)

$  ./nuclei -u https://example.com -t ./a.yaml  -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[wazuh-default-login] Setting thread count to 0 because dynamic extractors are not supported with payloads yet
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [wazuh-default-login] Sent HTTP request to https://example.com
[wazuh-default-login] [http] [high] https://example.com [password="admin",username="admin"]