Added line number for file results + stats fixes

[Ice3man543]

Proposed changes

Added line number for file templates results + fixed total calculation for file templates stats.

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

[Mzack9999]

Due to the matches deduplication mechanism, the summary line information only reports the first match occurrence:

$ cat logs/a.txt 
aaa
bbb
ccc
RequestDataTooBig
dddd
eeee
RequestDataTooBig
dd
RequestDataTooBig3
SuspiciousOperation
$ go run . -t file/logs/django-framework-exceptions.yaml -u logs -silent
[2022-01-19 09:09:31] [django-framework-exceptions:exception] [file] [medium] logs/a.txt [SuspiciousOperation,RequestDataTooBig] [Lines: 10,4]

I don't know if it's worth considering exposing all occurrences with something like:

RequestDataTooBig
logs/a.txt:4
logs/a.txt:7
logs/a.txt:9
SuspiciousOperation
logs/a.txt:10

[ehsandeep]

@Ice3man543 @Mzack9999 we are looking to print number based on matchers and not extractors, so we don't need to handle / map extracted data with line number instead we can simply print the line number of all match occurrence which is the case currently.

Requesting a change since the present line number logic only works with extractors and not with matchers.

[ehsandeep]

Test Template

id: django-framework-exceptions

info:
  name: Django Framework Exceptions
  description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
  author: geeknik
  reference:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
  severity: medium
  tags: file,logs,django

file:
  - extensions:
      - all

    matchers:
      - type: regex
        name: exception
        part: body
        regex:
          - 'SuspiciousOperation'
          - 'DisallowedHost'
          - 'DisallowedModelAdminLookup'
          - 'DisallowedModelAdminToField'
          - 'DisallowedRedirect'
          - 'InvalidSessionKey'
          - 'RequestDataTooBig'
          - 'SuspiciousFileOperation'
          - 'SuspiciousMultipartForm'
          - 'SuspiciousSession'
          - 'TooManyFieldsSent'
          - 'PermissionDenied'

Test Input (input.txt)

aaa
bbb
ccc
RequestDataTooBig
dddd
eeee
RequestDataTooBig
dd
RequestDataTooBig3
SuspiciousOperation

Example Run:

echo input.txt | ./nuclei -t test.yaml

[django-framework-exceptions:exception] [file] [medium] input.txt [LN: 4,6,9,10]

JSON Output

{
  "template-id":"django-framework-exceptions",
  "info":{
    "name":"Django Framework Exceptions",
    "author":[
      "geeknik"
    ],
    "tags":[
      "file",
      "logs",
      "django"
    ],
    "description":"Detects suspicious Django web application framework exceptions that could indicate exploitation attempts",
    "reference":[
      "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
      "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security"
    ],
    "severity":"medium"
  },
  "matcher-name":"exception",
  "type":"file",
  "path":"input.txt",
  "matched-at":"input.txt",
  "matched-line":[
    4,
    6,
    9,
    10
  ],
  "timestamp":"2022-02-03T00:03:38.195658+05:30",
  "matcher-status":true,
  "line-count":""
}

[Ice3man543]

The implementation has been changed to add a new match-all attribute to matchers which returns all matches for being used in file templates for line count calculation.

It works by default for extractors in file templates.

[sonarcloud]

SonarCloud Quality Gate failed.   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
1 Code Smell

79.6% Coverage
0.0% Duplication

[ehsandeep]

[django-framework-exceptions:exception] [file] [medium] input.txt [LN: 4,7,9,10]