Fix code execution in headless templates (#4484)

* Wrapping the JS code with a function

https://github.com/projectdiscovery/nuclei/issues/2017

* Wrapping the JS code with a function

https://github.com/projectdiscovery/nuclei/issues/2017
patch-1
forgedhallpass 2022-07-28 14:21:08 +03:00 committed by GitHub
parent dcb024beac
commit d324310375
4 changed files with 132 additions and 133 deletions


@ -19,33 +19,32 @@ headless:
args:
hook: true
code: |
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
}
logger = found => window.alerts.push(found);
function getStackTrace () {
var stack;
try {
throw new Error('');
function getStackTrace() {
var stack;
try {
throw new Error('');
} catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(line => line.trim());
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldSender = window.postMessage;
var oldSender = window.postMessage;
window.postMessage = function(data, origin) {
if(origin == '*'){
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
window.postMessage = (data, origin) => {
if (origin == '*') {
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
}
};
})();
}
- args:
url: "{{BaseURL}}"
action: navigate
@ -53,7 +52,7 @@ headless:
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts
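Review bot: The rewritten hook `window.postMessage = (data, origin) => { … return oldSender.apply(this, arguments); }` breaks the pass-through to the original function: an arrow function has no `this` or `arguments` of its own, so `this` is whatever the enclosing scope's is and `arguments` is either the engine wrapper's argument list or, if the code is evaluated as a script body, a ReferenceError, meaning calls to the hooked `postMessage` no longer reach the real implementation. Keep a function expression here, `window.postMessage = function (data, origin) {`, or forward explicitly with rest parameters, `(...args) => oldSender.apply(window, args)`. The `Window.prototype.addEventListener` override in the second file section has the same `this`/`arguments` problem. Separately, `logger = found => window.alerts.push(found);` (present in all four sections) replaces a function declaration with an assignment to an undeclared name, which creates an implicit global and throws under strict mode; `const logger = (found) => window.alerts.push(found);` keeps it scoped to the wrapper.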


@ -19,33 +19,32 @@ headless:
args:
hook: true
code: |
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
logger = found => window.alerts.push(found);
function getStackTrace() {
var stack;
try {
throw new Error('');
} catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(line => line.trim());
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldListener = Window.prototype.addEventListener;
Window.prototype.addEventListener = (type, listener, useCapture) => {
if (type === 'message') {
logger(getStackTrace());
}
return oldListener.apply(this, arguments);
};
}
function getStackTrace () {
var stack;
try {
throw new Error('');
}
catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldListener = Window.prototype.addEventListener;
Window.prototype.addEventListener = function(type, listener, useCapture) {
if(type === 'message') {
logger(getStackTrace());
}
return oldListener.apply(this, arguments);
};
})();
- args:
url: "{{BaseURL}}"
action: navigate
@ -53,7 +52,7 @@ headless:
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts


@ -30,53 +30,53 @@ headless:
hook: true
code: |
// Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
logger = found => window.alerts.push(found);
function check() {
loc = location.href;
if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
setTimeout(function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
logger(location.href);
}
var url = new URL(location.origin + location.pathname);
url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
location = url.href;
}, 5 * 1000);
} else if (loc.search("a0def12bce") != -1) {
setTimeout(function() {
if (Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
}
window.close();
}, 5 * 1000);
} else {
var url = new URL(loc);
url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
location = url.href;
}
}
window.onload = function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
} else {
check();
}
};
var timerID = setInterval(function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
clearInterval(timerID);
}
}, 5 * 1000);
}
function check() {
loc = location.href;
if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
setTimeout(function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
logger(location.href);
}
var url = new URL(location.origin + location.pathname);
url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
location = url.href;
}, 5 * 1000);
} else if (loc.search("a0def12bce") != -1) {
setTimeout(function() {
if (Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
}
window.close();
}, 5 * 1000);
} else {
var url = new URL(loc);
url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
location = url.href;
}
}
window.onload = function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
} else {
check();
}
};
var timerID = setInterval(function() {
if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
logger(location.href);
clearInterval(timerID);
}
}, 5 * 1000)})();
- args:
url: "{{BaseURL}}"
action: navigate
@ -84,7 +84,7 @@ headless:
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts
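Review bot: `loc = location.href;` at the top of `check()` assigns to an undeclared identifier, so even inside the new wrapper the hook leaks `loc` as a global on the page under test and would fail with a ReferenceError if the engine evaluates the code in strict mode. `const loc = location.href;` keeps it local to `check()` without changing anything else. The line is carried over from the old side, but the rewrite already reformats the surrounding block, so it is the right moment to fix it.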


@ -19,49 +19,50 @@ headless:
args:
hook: true
code: |
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
}
logger = found => window.alerts.push(found);
function getStackTrace () {
var stack;
try {
throw new Error('');
}
catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
window.name = "{{randstr_1}}'\"<>";
var oldEval = eval;
var oldDocumentWrite = document.write;
var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
Object.defineProperty(Element.prototype, 'innerHTML', {
set: function innerHTML_Setter(val) {
if (val.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
function getStackTrace() {
var stack;
try {
throw new Error('');
}
return setter.call(this, val)
catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
});
eval = function(data) {
if (data.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
}
return oldEval.apply(this, arguments);
};
document.write = function(data) {
if (data.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
}
return oldEval.apply(this, arguments);
};
})();
window.name = "{{randstr_1}}'\"<>";
var oldEval = eval;
var oldDocumentWrite = document.write;
var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
Object.defineProperty(Element.prototype, 'innerHTML', {
set: function innerHTML_Setter(val) {
if (val.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
}
return setter.call(this, val)
}
});
eval = function(data) {
if (data.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
}
return oldEval.apply(this, arguments);
};
document.write = function(data) {
if (data.includes("{{randstr_1}}'\"<>")) {
logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
}
return oldEval.apply(this, arguments);
};
}
- args:
url: "{{BaseURL}}"
action: navigate
@ -69,7 +70,7 @@ headless:
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts
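Review bot: The `document.write` override forwards to the wrong original: the body of `document.write = function(data) {` ends with `return oldEval.apply(this, arguments);`, which hands the written markup to `eval` instead of writing it, while `oldDocumentWrite`, saved two lines before the `innerHTML` descriptor, is never used. It should read `return oldDocumentWrite.apply(this, arguments);`. This is carried over from the old side rather than introduced here, but it means a page that reaches the marker string via document.write is logged and then broken (HTML fed to eval will usually throw a SyntaxError), so the sink check does not observe the page's real behaviour. Both hooks also call `.includes` directly on their first argument, which throws for a non-string argument such as a number passed to `eval`; a `typeof data === 'string' &&` guard in front of each `includes` call would keep the pass-through intact.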