Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(code): do NOT compile single code protocol w/o request.SelfContained #5757

Open
wants to merge 7 commits into
base: dev
Choose a base branch
from

Conversation

dwisiswant0
Copy link
Member

@dwisiswant0 dwisiswant0 commented Oct 21, 2024

Proposed changes

Fix #5742

TODO:

  • Add note in docs.

How has been this tested?

  • code-template-1
id: code-template-1

info:
  name: uname
  author: dwisiswant0
  severity: info
  description: uname
  tags: code,test

code:
  - pre-condition: '!IsWindows()'
    engine:
      - sh
      - bash
    source: uname -a

    matchers:
      - type: word
        words:
          - Linux
          - Darwin
        condition: or
  • code-template-2
id: code-template-2

info:
  name: uname
  author: dwisiswant0
  severity: info
  description: uname
  tags: code,test

self-contained: true

code:
  - pre-condition: '!IsWindows()'
    engine:
      - sh
      - bash
    source: uname -a

    matchers:
      - type: word
        words:
          - Linux
          - Darwin
        condition: or
  • code-template-with-http-1
id: code-template-with-http-1

info:
  name: uname
  author: dwisiswant0
  severity: info
  description: uname
  tags: code,test

code:
  - pre-condition: '!IsWindows()'
    engine:
      - sh
      - bash
    source: uname -a

    matchers:
      - type: word
        words:
          - Linux
          - Darwin
        condition: or

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: status
        status:
          - 200

Validate:

$ go run cmd/nuclei/main.go -silent -validate -code -t code-template-with-http-1.yaml && echo "OK"
OK
$ go run cmd/nuclei/main.go -silent -validate -code -t code-template-1.yaml && echo "OK"
[FTL] Could not validate templates: errors occurred during template validation
exit status 1
$ go run cmd/nuclei/main.go -silent -validate -code -t code-template-2.yaml && echo "OK"
OK

Test:

$ go test -v -race -run "^TestCodeProtocol$" ./pkg/protocols/code/...
=== RUN   TestCodeProtocol
--- PASS: TestCodeProtocol (0.06s)
PASS
ok  	github.com/projectdiscovery/nuclei/v3/pkg/protocols/code	1.299s

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Signed-off-by: Dwi Siswanto <git@dw1.io>
Signed-off-by: Dwi Siswanto <git@dw1.io>
…tained`

Signed-off-by: Dwi Siswanto <git@dw1.io>
Signed-off-by: Dwi Siswanto <git@dw1.io>
pkg/templates/templates.go Outdated Show resolved Hide resolved
dwisiswant0 and others added 3 commits October 23, 2024 22:23
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dogan Can Bakir <dogancanbakir@users.noreply.github.com>
…pile-single-code-protocol-without-self-contained
Copy link
Member

@tarunKoyalwar tarunKoyalwar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while this is one way to achieve , just confirming if we want to head in this direction cc: @ehsandeep @Mzack9999

i remember that one usecase was that , code protocol can be used to run other exploits that can't be necessarily run with javascript or http

  • some exploit in python which uses structs and stuff and would be difficult to achieve it in go
  • other such remote exploits that have poc's but can't be run with go but still require input

^ both of these require passing http url as input ( i remember there was one such template as well ).

If we still want to keep these usecases it might be just enough to print a forced warning like we do when we run code protocol without -code flag

@dwisiswant0
Copy link
Member Author

while this is one way to achieve , just confirming if we want to head in this direction cc: @ehsandeep @Mzack9999

i remember that one usecase was that , code protocol can be used to run other exploits that can't be necessarily run with javascript or http

  • some exploit in python which uses structs and stuff and would be difficult to achieve it in go
  • other such remote exploits that have poc's but can't be run with go but still require input

^ both of these require passing http url as input ( i remember there was one such template as well ).

If we still want to keep these usecases it might be just enough to print a forced warning like we do when we run code protocol without -code flag

To your concern:

This should be a bug, and we should drop a note in docs that: code-protocol-based templates are self-contained, unless they include other protocols in the template.

Also, the CVE-2024-22120 template should be rewritten to an HTTP-protocol-based template. I don't see any need to do it with the code-protocol-based template (it's just too raw & improper or over-engineered). Ref: https://support.zabbix.com/browse/ZBX-24505.

CC: @projectdiscovery/template.

Originally posted by @dwisiswant0 in #5742

IMO, I think code-protocol-based templates should be used for the pre-exploitation stage (like building) or other generative steps. After that, they could switch to other protocols for the actual exploit stage, matching whatever protocol is used on the target.

To make this even more effective, we could aim to support similar caps to Python like struct or pwntools lib - and if we can integrate this into the DSL engine, we could achieve continuous generation and handling within that env.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[FEATURE] Add warnings for more visibility when running self-contained templates
4 participants