
Nuclei not finding the vulnerability without mentioning the exact template. #4604

Closed
RKiler opened this issue Jan 8, 2024 · 4 comments
Assignees
Labels
Status: Abandoned This issue is no longer important to the requestor and no one else has shown an interest in it. Type: Question A query or seeking clarification on parts of the spec. Probably doesn't need the attention of all.

Comments

@RKiler

RKiler commented Jan 8, 2024

When I run the normal nuclei command on a domain like nuclei -u https://test.com, it only finds info issues. When I run the command with the -t flag mentioning the AEM template which I know the website is vulnerable to, only then does nuclei find the bug.

with all templates:

(screenshot of nuclei output)

with specific templates for AEM:

(screenshot of nuclei output)

@RKiler RKiler added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Jan 8, 2024
@tarunKoyalwar tarunKoyalwar self-assigned this Jan 9, 2024
@tarunKoyalwar tarunKoyalwar added the Investigation Something to Investigate label Jan 9, 2024
@tarunKoyalwar
Member

@RKiler, can you run the below command to verify if the template is loaded when -t is not used

$  nuclei -u scanme.sh -vv |& grep aem-default-get                                   
[aem-default-get-servlet] AEM DefaultGetServlet (@dhiyaneshdk) [low]

@tarunKoyalwar
Member

@RKiler, I am not able to reproduce this issue

when directly specifying the template

$ nuclei -u https://xx.xxx.xxx.xxx:443/ -id aem-default-get-servlet                                               130 ↵

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4

		projectdiscovery.io

[INF] Current nuclei version: v3.1.4 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[aem-default-get-servlet] [http] [low] https://xx.xxx.xxx.xxx:443/etc.json

when running all templates (no filters)

$ nuclei -u https://xx.xxx.xxx.xxx:443/ -stats -c 2000

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4

		projectdiscovery.io

[INF] Current nuclei version: v3.1.4 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 7384
[INF] Executing 7403 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1267 (Reduced 1233 Requests)
[0:00:05] | Templates: 7384 | Hosts: 1 | RPS: 154 | Matched: 1 | Errors: 741 | Requests: 773/11058 (6%)
[0:00:10] | Templates: 7384 | Hosts: 1 | RPS: 116 | Matched: 1 | Errors: 756 | Requests: 1166/11058 (10%)
[options-method] [http] [info] https://xx.xxx.xxx.xxx:443/ [OPTIONS, TRACE, GET, HEAD]
[0:00:15] | Templates: 7384 | Hosts: 1 | RPS: 102 | Matched: 2 | Errors: 756 | Requests: 1537/11058 (13%)
[INF] Using Interactsh Server: oast.me
[0:00:20] | Templates: 7384 | Hosts: 1 | RPS: 100 | Matched: 2 | Errors: 836 | Requests: 2018/11058 (18%)
[0:00:25] | Templates: 7384 | Hosts: 1 | RPS: 102 | Matched: 2 | Errors: 947 | Requests: 2556/11058 (23%)
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:referrer-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:clear-site-data] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:strict-transport-security] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:content-security-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:permissions-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://xx.xxx.xxx.xxx:443/
[0:00:30] | Templates: 7384 | Hosts: 1 | RPS: 104 | Matched: 11 | Errors: 1134 | Requests: 3122/11058 (28%)
[aem-external-link-checker] [http] [unknown] https://xx.xxx.xxx.xxx:443/etc/linkchecker.html
[aem-bulkeditor] [http] [unknown] https://xx.xxx.xxx.xxx:443/etc/importers/bulkeditor.html
[robots-txt-endpoint] [http] [info] https://xx.xxx.xxx.xxx:443/robots.txt
[robots-txt] [http] [info] https://xx.xxx.xxx.xxx:443/robots.txt
[aem-userinfo-servlet] [http] [info] https://xx.xxx.xxx.xxx:443/libs/cq/security/userinfo.json
[aem-cached-pages] [http] [low] https://xx.xxx.xxx.xxx:443/dispatcher/invalidate.cache
[0:00:35] | Templates: 7384 | Hosts: 1 | RPS: 107 | Matched: 17 | Errors: 1413 | Requests: 3758/11058 (33%)
[0:00:40] | Templates: 7384 | Hosts: 1 | RPS: 112 | Matched: 17 | Errors: 1760 | Requests: 4519/11058 (40%)
[0:00:45] | Templates: 7384 | Hosts: 1 | RPS: 116 | Matched: 17 | Errors: 2139 | Requests: 5235/11058 (47%)
[0:00:50] | Templates: 7384 | Hosts: 1 | RPS: 120 | Matched: 17 | Errors: 2554 | Requests: 6012/11058 (54%)
[ssl-issuer] [ssl] [info] xx.xxx.xxx.xxx:443 [Amazon]
[ssl-dns-names] [ssl] [info] xx.xxx.xxx.xxx:443 [godigit.com,*.godigit.com]
[wildcard-tls] [ssl] [info] xx.xxx.xxx.xxx:443 [CN: godigit.com, SAN: [godigit.com *.godigit.com]]
[tls-version] [ssl] [info] xx.xxx.xxx.xxx:443 [tls10]
[weak-cipher-suites:tls-1.0] [ssl] [low] xx.xxx.xxx.xxx:443 [[tls10 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]]
[aem-acs-common] [http] [medium] https://xx.xxx.xxx.xxx:443/etc/acs-commons/workflow-remover.html
[deprecated-tls] [ssl] [info] xx.xxx.xxx.xxx:443 [tls10]
[0:00:55] | Templates: 7384 | Hosts: 1 | RPS: 125 | Matched: 24 | Errors: 2845 | Requests: 6884/11058 (62%)
[tls-version] [ssl] [info] xx.xxx.xxx.xxx:443 [tls11]
[weak-cipher-suites:tls-1.1] [ssl] [low] xx.xxx.xxx.xxx:443 [[tls11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]]
[tls-version] [ssl] [info] xx.xxx.xxx.xxx:443 [tls12]
[0:01:00] | Templates: 7384 | Hosts: 1 | RPS: 125 | Matched: 27 | Errors: 2982 | Requests: 7556/11058 (68%)
[deprecated-tls] [ssl] [info] xx.xxx.xxx.xxx:443 [tls11]
[0:01:05] | Templates: 7384 | Hosts: 1 | RPS: 123 | Matched: 28 | Errors: 2996 | Requests: 8057/11058 (72%)
[aem-default-get-servlet] [http] [low] https://xx.xxx.xxx.xxx:443/etc.json
[0:01:10] | Templates: 7384 | Hosts: 1 | RPS: 121 | Matched: 29 | Errors: 3000 | Requests: 8482/11058 (76%)
[0:01:15] | Templates: 7384 | Hosts: 1 | RPS: 115 | Matched: 29 | Errors: 3004 | Requests: 8669/11058 (78%)
^C[INF] CTRL+C pressed: Exiting

This could be a network issue or server side (502 etc., timeout, WAF etc.), but I can confirm the template is loaded in both conditions. Please try it with other targets, and if you are still facing this issue, share more info (like the target URL etc.) privately on our Discord channel.

@tarunKoyalwar tarunKoyalwar added Status: Abandoned This issue is no longer important to the requestor and no one else has shown an interest in it. Type: Question A query or seeking clarification on parts of the spec. Probably doesn't need the attention of all. and removed Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. Investigation Something to Investigate labels Jan 9, 2024
@RKiler
Author

RKiler commented Jan 9, 2024

@RKiler, can you run the below command to verify if the template is loaded when -t is not used

$  nuclei -u scanme.sh -vv |& grep aem-default-get                                   
[aem-default-get-servlet] AEM DefaultGetServlet (@dhiyaneshdk) [low]

This command works; the template is loaded during the scan. The WAF could be the issue; the site is using Cloudflare. Is there any way to know when the WAF is interfering with scans? Any option in Nuclei? Because the issue was found by vidocsecurity but not with Nuclei.

@tarunKoyalwar
Member

tarunKoyalwar commented Jan 9, 2024

@RKiler, you need to properly tune nuclei flags based on targets etc. to avoid such issues, and yeah, we have an open issue for global passive matchers to detect such conditions and other custom ones like (502, IP ban, server down etc.): #4549

You can react to that issue to let us know you find this feature helpful; that way we can appropriately prioritize issues.
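Until passive matchers exist, the -stats progress lines nuclei already prints are the quickest signal that a run is being blocked: when the share of new requests that error climbs between two intervals, the scan's negative results should not be trusted. The following script is an added example, not part of nuclei or this thread; it parses stats lines in the format shown above (the sample lines are constructed from that format) and flags intervals where the error share exceeds an assumed threshold of 50%.

```python
import re

# Constructed sample, modelled on the "-stats" lines quoted in this thread.
# Non-stats lines (findings, [INF] messages) are interleaved as they would be in a real run.
STATS_SAMPLE = """\
[0:00:05] | Templates: 7384 | Hosts: 1 | RPS: 154 | Matched: 1 | Errors: 741 | Requests: 773/11058 (6%)
[0:00:10] | Templates: 7384 | Hosts: 1 | RPS: 116 | Matched: 1 | Errors: 756 | Requests: 1166/11058 (10%)
[options-method] [http] [info] https://xx.xxx.xxx.xxx:443/ [OPTIONS, TRACE, GET, HEAD]
[0:00:15] | Templates: 7384 | Hosts: 1 | RPS: 102 | Matched: 2 | Errors: 756 | Requests: 1537/11058 (13%)
[0:00:40] | Templates: 7384 | Hosts: 1 | RPS: 112 | Matched: 17 | Errors: 1760 | Requests: 4519/11058 (40%)
[0:00:45] | Templates: 7384 | Hosts: 1 | RPS: 116 | Matched: 17 | Errors: 2139 | Requests: 5235/11058 (47%)
[0:00:50] | Templates: 7384 | Hosts: 1 | RPS: 120 | Matched: 17 | Errors: 2554 | Requests: 6012/11058 (54%)
"""

# Only progress lines start with an elapsed-time stamp; finding lines start with a template id.
STATS_RE = re.compile(
    r"^\[(?P<t>[\d:]+)\] \| .*?Errors: (?P<err>\d+) \| Requests: (?P<req>\d+)/(?P<total>\d+)"
)


def parse_stats(text):
    """Return (timestamp, cumulative_errors, cumulative_requests) for each stats line."""
    rows = []
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            rows.append((m["t"], int(m["err"]), int(m["req"])))
    return rows


def error_windows(rows, threshold=0.5):
    """Flag consecutive intervals where new_errors / new_requests exceeds threshold.

    Cumulative counters are differenced so a block that starts mid-scan stands out
    even when the overall error rate still looks moderate. Threshold is an assumption.
    """
    flagged = []
    for (t0, e0, r0), (t1, e1, r1) in zip(rows, rows[1:]):
        new_req, new_err = r1 - r0, e1 - e0
        if new_req > 0 and new_err / new_req > threshold:
            flagged.append((t0, t1, round(new_err / new_req, 2)))
    return flagged


if __name__ == "__main__":
    for start, end, share in error_windows(parse_stats(STATS_SAMPLE)):
        print(f"{start} -> {end}: {share:.0%} of new requests errored; check for WAF/rate limiting")
```

Pipe a live run through it with `nuclei -u <target> -stats 2>&1 | python3 this_script.py` after swapping the sample for sys.stdin; a flagged window is the point at which to slow down (lower -rate-limit / -c) and re-verify the templates that ran during it.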

@RKiler RKiler closed this as completed Jan 9, 2024