Advanced Scripting Engine #641

Closed
wants to merge 0 commits into from
Conversation

Mzack9999
Member

@Mzack9999 Mzack9999 commented Mar 22, 2021

This PR extends the DSL language capability with pythonic syntax:

- type: dsl
  name: dsl-example
  dsl:
    - "body.contains('test') and status_code in (200,201,202)"
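One way a pythonic matcher line like the one above can be evaluated without handing the template string to `eval`, as an added example that is not part of this PR or of nuclei's own code: a whitelist walk over Python's `ast` that permits only field names, literals, comparisons, boolean operators and a fixed set of string methods, and rejects everything else (calls to builtins, attribute access, dunder names) before it is looked up. The `SAMPLE_RESPONSE` fields, the `Text.contains` helper and the `ALLOWED_METHODS` set are assumptions made for illustration.

```python
import ast
import operator

# Constructed sample response (not from the PR): the fields a matcher may reference.
SAMPLE_RESPONSE = {
    "status_code": 200,
    "body": "<html>this is a test page</html>",
    "content_length": 33,
}


class Text(str):
    """str plus the helper method the example DSL exposes (name assumed)."""

    def contains(self, needle):
        return needle in self


# Methods a template may call on a field; everything else, including dunder
# attributes, is rejected before it is ever looked up on the object.
ALLOWED_METHODS = {"contains", "startswith", "endswith", "lower", "upper"}

_COMPARE = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


class DSLError(ValueError):
    """Raised for any syntax the restricted evaluator does not accept."""


def _eval(node, ctx):
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant):
        if node.value is None or isinstance(node.value, (bool, int, float, str)):
            return node.value
        raise DSLError("unsupported literal type")
    if isinstance(node, (ast.Tuple, ast.List)):
        return tuple(_eval(e, ctx) for e in node.elts)
    if isinstance(node, ast.Name):
        if node.id not in ctx:
            raise DSLError("unknown field %r" % node.id)
        return ctx[node.id]
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, ctx) for v in node.values)  # generator: short-circuits
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ctx)
    if isinstance(node, ast.Compare):
        # Chained comparisons (200 <= status_code < 300) evaluate pairwise like Python.
        left = _eval(node.left, ctx)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _COMPARE:
                raise DSLError("unsupported comparison")
            right = _eval(comparator, ctx)
            if not _COMPARE[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Call):
        func = node.func
        # Only the shape field.method(args) is accepted; no builtins, no chaining.
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            raise DSLError("only field.method(...) calls are allowed")
        if func.attr not in ALLOWED_METHODS or node.keywords:
            raise DSLError("method %r is not allowed" % func.attr)
        target = _eval(func.value, ctx)
        args = [_eval(a, ctx) for a in node.args]
        try:
            return getattr(target, func.attr)(*args)
        except AttributeError:
            raise DSLError("field %r has no method %r" % (func.value.id, func.attr))
    raise DSLError("disallowed syntax: %s" % type(node).__name__)


def evaluate(expression, response):
    """Evaluate one DSL line against a response dict; True means the matcher fires."""
    tree = ast.parse(expression, mode="eval")
    ctx = {k: Text(v) if isinstance(v, str) else v for k, v in response.items()}
    return bool(_eval(tree, ctx))


if __name__ == "__main__":
    print(evaluate("body.contains('test') and status_code in (200,201,202)", SAMPLE_RESPONSE))
```

Anything the walker does not explicitly handle falls through to `DSLError`, so new syntax has to be opted in rather than accidentally allowed.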

@Mzack9999 Mzack9999 self-assigned this Mar 22, 2021
@Mzack9999 Mzack9999 changed the base branch from master to dev March 22, 2021 20:11
@Mzack9999 Mzack9999 marked this pull request as draft March 22, 2021 20:13
@Mzack9999 Mzack9999 mentioned this pull request Mar 22, 2021
@Mzack9999 Mzack9999 linked an issue Mar 22, 2021 that may be closed by this pull request
@Mzack9999
Member Author

  • Context-aware JSON fuzzer: encodes the payload into valid JSON
id: json-fuzz-scan
info:
  name: json-fuzzing
  author: pdteam
  severity: info
  description: jdam json
  tags: fuzz
requests:
  - payloads:
      payload_to_inject: params.txt
    attack: sniper
    raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Referer: {{BaseURL}}

        {{json_encode({'key_one': 'anyvalue', 'key_two': payload_to_inject})}}

    matchers:
      - type: status
        status:
          - 200
  • PHP serialize: generates valid PHP serialized objects
id: php-serialize-rce
info:
  name: php-serialize-rce
  author: pdteam
  severity: info
  description: php serialize rce
  tags: fuzz
requests:
  # Build the object from PHP-like code or from a JSON-style map => object
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

        {{php_serialize("new vulnerable_class()->class_param = 'phpinfo();'")}}
        {{php_serialize({'a': 'phpinfo();'})}}

    matchers:
      - type: status
        status:
          - 200
  • Cross-template interaction (with pythonic syntax)
args = {
    'URL': URL,
    'cookies': a, # External variable - e.g. nuclei -t advanced-template.ncl -var a=blabla
}
# Invoke one/template.yaml with placeholders populated with the values from args + the ones defined within the template
# Saves extractor and matcher output in the res structure
res = run('one/template.yaml', args)
# Pass the output of "one/template.yaml" as input to "another/template.yaml" (cookies, tokens, extracted data, etc.)
run('another/template.yaml', res)
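The JSON and PHP helpers sketched in the templates above share one idea: the raw payload is encoded into the container format so the request body stays well-formed whatever the wordlist contains. As an added example that is not part of this PR or of nuclei's own code, here is a Python implementation of both: a JSON body builder shown next to the naive interpolation it replaces, and a `php_serialize` covering scalars, arrays and objects with PHP's byte-length semantics. The `PAYLOADS` list, the `PHPObject` helper type and the `key_one`/`key_two` names follow the templates but are constructed for illustration.

```python
import json

# Constructed fuzz payloads, the kind a params.txt wordlist would hold.
PAYLOADS = [
    "plain",
    'a"b\\c',               # quote + backslash break naive string interpolation
    "line\nbreak",          # raw control characters are not legal inside JSON strings
    "\u00fcnicode \u2603",  # multi-byte characters matter for PHP's byte lengths
]


def naive_json_body(payload):
    """What json_encode avoids: dropping the raw payload into a JSON literal."""
    return '{"key_one": "anyvalue", "key_two": "' + payload + '"}'


def json_body(payload):
    """Context-aware: the payload becomes a properly escaped JSON string value."""
    return json.dumps({"key_one": "anyvalue", "key_two": payload})


def is_valid_json(body):
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def decoded_payload(body):
    """The value the server will actually see in key_two after parsing."""
    return json.loads(body)["key_two"]


class PHPObject:
    """Serialized as O:len:"class":n:{props}; an assumed helper type for the example."""

    def __init__(self, cls, **props):
        self.cls = cls
        self.props = props


def php_serialize(value):
    """Produce PHP serialize() output.

    String lengths are UTF-8 byte lengths, which is what unserialize() counts.
    bool is checked before int because bool is an int subclass in Python.
    """
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, float):
        return "d:%r;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, tuple)):
        items = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), items)
    if isinstance(value, dict):
        for k in value:
            if isinstance(k, bool) or not isinstance(k, (int, str)):
                raise TypeError("PHP array keys must be int or str")
        items = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), items)
    if isinstance(value, PHPObject):
        props = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (
            len(value.cls.encode("utf-8")), value.cls, len(value.props), props)
    raise TypeError("cannot serialize %s" % type(value).__name__)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "naive:", is_valid_json(naive_json_body(p)), "encoded:", is_valid_json(json_body(p)))
    print(php_serialize({"a": "phpinfo();"}))
    print(php_serialize(PHPObject("vulnerable_class", class_param="phpinfo();")))
```

Send the serialized string as bytes (UTF-8); the `s:N:` counts are only right for the encoded form, and a mismatch makes PHP's `unserialize()` reject the whole payload.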

@dwisiswant0
Contributor

fire

@Mzack9999
Member Author

Incomplete PoC from https://0xpatrik.com/subdomain-takeover-ns/ (e.g. print needs to be replaced with helper functions to export data or trigger actions):

def testns(tracedata, host):
  for ns_server in tracedata["ns"]:
    # Check existence of base domain
    ns_data = dnsx_lookup(domain(ns_server))
    # Non existent?
    if not ns_data["a"] or ns_data["status_code"] != "NOERROR":
      print("takeover of ns top domain for " + ns_server)
    ns_data = dnsx_lookup(ns_server)
    for ns_ip in ns_data["a"]:
      # Resolve against exactly one nameserver
      hostdata = dnsx_lookup_with_resolver(host, ns_ip)
      # Weird status?
      if not hostdata["a"] or hostdata["status_code"] != "NOERROR":
        print("takeover of " + host + " with resolver " + ns_ip)

testns(dnsx_trace(URL), URL)
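The same NS takeover check in a form that returns findings instead of printing them, as an added example that is not part of this PR or of nuclei's own code: the lookup functions take dictionaries standing in for real DNS answers so the logic runs offline, the `FAKE_ZONE` and `FAKE_AUTH` data are constructed, and `registrable_domain` is a deliberately crude stand-in for a Public Suffix List lookup. The list of nameservers is assumed to come from a trace, as `dnsx_trace` does in the PoC above; pass real resolver functions with the same signatures to use it against live DNS.

```python
# Constructed recursive-resolver view (not real data): every name the checker can look up.
FAKE_ZONE = {
    "ns1.example-dns.net.": {"a": ["192.0.2.10"], "status": "NOERROR"},
    "example-dns.net.": {"a": ["192.0.2.1"], "status": "NOERROR"},
    "ns2.dangling-provider.test.": {"a": ["198.51.100.7"], "status": "NOERROR"},
    "dangling-provider.test.": {"a": [], "status": "NXDOMAIN"},   # base domain unregistered
}

# Constructed answers each authoritative server gives for the target host when
# queried directly; 198.51.100.7 is a lame server that refuses the zone.
FAKE_AUTH = {
    "192.0.2.10": {"www.target.example.": {"a": ["203.0.113.5"], "status": "NOERROR"}},
    "198.51.100.7": {"www.target.example.": {"a": [], "status": "REFUSED"}},
}


def lookup(name, zone=FAKE_ZONE):
    """Stand-in for dnsx_lookup: answer from a recursive resolver."""
    return zone.get(name, {"a": [], "status": "NXDOMAIN"})


def lookup_with_resolver(name, resolver_ip, auth=FAKE_AUTH):
    """Stand-in for dnsx_lookup_with_resolver: ask exactly one nameserver by IP."""
    return auth.get(resolver_ip, {}).get(name, {"a": [], "status": "SERVFAIL"})


def registrable_domain(name):
    """Crude: the last two labels. A real check must consult the Public Suffix List,
    otherwise names under co.uk, github.io and similar are judged wrongly."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def check_ns_takeover(ns_servers, host, lookup=lookup, lookup_with_resolver=lookup_with_resolver):
    """Return (finding, subject, detail) tuples for every NS of host that looks hijackable."""
    findings = []
    for ns in ns_servers:
        # 1. Is the nameserver's own base domain still registered and resolving?
        base = registrable_domain(ns)
        base_data = lookup(base)
        if not base_data["a"] or base_data["status"] != "NOERROR":
            findings.append(("ns-base-domain-unregistered", ns, base))
        # 2. Does each IP behind the nameserver actually answer for host?
        ns_data = lookup(ns)
        for ns_ip in ns_data["a"]:      # no IPs: nothing to query directly
            host_data = lookup_with_resolver(host, ns_ip)
            if not host_data["a"] or host_data["status"] != "NOERROR":
                findings.append(("ns-does-not-serve-host", host, ns_ip))
    return findings


if __name__ == "__main__":
    # Nameserver list as a trace would return it (constructed).
    for f in check_ns_takeover(["ns1.example-dns.net.", "ns2.dangling-provider.test."],
                               "www.target.example."):
        print(f)
```

A base domain that no longer resolves is the strongest signal, because registering it lets an attacker stand up the nameserver and answer for `host`; a server that exists but answers REFUSED or SERVFAIL is weaker evidence and usually needs manual confirmation.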

Base automatically changed from dev to master May 4, 2021 13:06
@Mzack9999 Mzack9999 changed the base branch from master to dev May 4, 2021 14:20
@Ice3man543 Ice3man543 self-requested a review May 4, 2021 14:38
@0xcrypto

0xcrypto commented Jun 7, 2021

Oh well, you guys could just embed python or lua to make it easier for everyone.

@ehsandeep ehsandeep mentioned this pull request Jun 17, 2021
Base automatically changed from dev to master July 9, 2021 09:56
@Mzack9999 Mzack9999 removed the request for review from Ice3man543 August 8, 2021 20:32
@Mzack9999 Mzack9999 changed the base branch from master to dev August 8, 2021 20:37
@Mzack9999 Mzack9999 closed this Aug 8, 2021
@Mzack9999
Member Author

Github auto-merge keeps failing - restarting at #914

@forgedhallpass forgedhallpass added Type: Enhancement Most issues will probably ask for additions or changes. and removed enhancement labels Oct 7, 2021
@ehsandeep ehsandeep deleted the feature-scripting-engine branch December 14, 2021 16:16