adding burp collaborator support

v2/go.mod

@@ -3,6 +3,7 @@ module github.com/projectdiscovery/nuclei/v2
 go 1.14
 
 require (
+	github.com/projectdiscovery/collaborator v0.0.0
 	github.com/Knetic/govaluate v3.0.0+incompatible
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/d5/tengo/v2 v2.6.2

v2/internal/runner/options.go

@@ -13,35 +13,36 @@ import (
 // Options contains the configuration options for tuning
 // the template requesting process.
 type Options struct {
-	Debug              bool                   // Debug mode allows debugging request/responses for the engine
+	Debug                bool                   // Debug mode allows debugging request/responses for the engine
-	Silent             bool                   // Silent suppresses any extra text and only writes found URLs on screen.
+	Silent               bool                   // Silent suppresses any extra text and only writes found URLs on screen.
-	Version            bool                   // Version specifies if we should just show version and exit
+	Version              bool                   // Version specifies if we should just show version and exit
-	Verbose            bool                   // Verbose flag indicates whether to show verbose output or not
+	Verbose              bool                   // Verbose flag indicates whether to show verbose output or not
-	NoColor            bool                   // No-Color disables the colored output.
+	NoColor              bool                   // No-Color disables the colored output.
-	UpdateTemplates    bool                   // UpdateTemplates updates the templates installed at startup
+	UpdateTemplates      bool                   // UpdateTemplates updates the templates installed at startup
-	JSON               bool                   // JSON writes json output to files
+	JSON                 bool                   // JSON writes json output to files
-	JSONRequests       bool                   // write requests/responses for matches in JSON output
+	JSONRequests         bool                   // write requests/responses for matches in JSON output
-	EnableProgressBar  bool                   // Enable progrss bar
+	EnableProgressBar    bool                   // Enable progrss bar
-	TemplatesVersion   bool                   // Show the templates installed version
+	TemplatesVersion     bool                   // Show the templates installed version
-	TemplateList       bool                   // List available templates
+	TemplateList         bool                   // List available templates
-	Stdin              bool                   // Stdin specifies whether stdin input was given to the process
+	Stdin                bool                   // Stdin specifies whether stdin input was given to the process
-	StopAtFirstMatch   bool                   // Stop processing template at first full match (this may break chained requests)
+	StopAtFirstMatch     bool                   // Stop processing template at first full match (this may break chained requests)
-	NoMeta             bool                   // Don't display metadata for the matches
+	NoMeta               bool                   // Don't display metadata for the matches
-	BulkSize           int                    // Number of targets analyzed in parallel for each template
+	BulkSize             int                    // Number of targets analyzed in parallel for each template
-	Threads            int                    // Thread controls the number of concurrent requests to make.
+	Threads              int                    // Thread controls the number of concurrent requests to make.
-	Timeout            int                    // Timeout is the seconds to wait for a response from the server.
+	Timeout              int                    // Timeout is the seconds to wait for a response from the server.
-	Retries            int                    // Retries is the number of times to retry the request
+	Retries              int                    // Retries is the number of times to retry the request
-	RateLimit          int                    // Rate-Limit of requests per specified target
+	RateLimit            int                    // Rate-Limit of requests per specified target
-	Severity           string                 // Filter templates based on their severity and only run the matching ones.
+	Severity             string                 // Filter templates based on their severity and only run the matching ones.
-	Target             string                 // Target is a single URL/Domain to scan usng a template
+	Target               string                 // Target is a single URL/Domain to scan usng a template
-	Targets            string                 // Targets specifies the targets to scan using templates.
+	Targets              string                 // Targets specifies the targets to scan using templates.
-	Output             string                 // Output is the file to write found subdomains to.
+	Output               string                 // Output is the file to write found subdomains to.
-	ProxyURL           string                 // ProxyURL is the URL for the proxy server
+	ProxyURL             string                 // ProxyURL is the URL for the proxy server
-	ProxySocksURL      string                 // ProxySocksURL is the URL for the proxy socks server
+	ProxySocksURL        string                 // ProxySocksURL is the URL for the proxy socks server
-	TemplatesDirectory string                 // TemplatesDirectory is the directory to use for storing templates
+	TemplatesDirectory   string                 // TemplatesDirectory is the directory to use for storing templates
-	Templates          multiStringFlag        // Signature specifies the template/templates to use
+	Templates            multiStringFlag        // Signature specifies the template/templates to use
-	ExcludedTemplates  multiStringFlag        // Signature specifies the template/templates to exclude
+	ExcludedTemplates    multiStringFlag        // Signature specifies the template/templates to exclude
-	CustomHeaders      requests.CustomHeaders // Custom global headers
+	CustomHeaders        requests.CustomHeaders // Custom global headers
+	BurpCollaboratorBiid string                 // Burp Collaborator BIID for polling
 }
 
 type multiStringFlag []string
@@ -86,6 +87,7 @@ func ParseOptions() *Options {
 	flag.IntVar(&options.BulkSize, "bulk-size", 150, "Number of hosts analyzed in parallel per template")
 	flag.BoolVar(&options.NoMeta, "no-meta", false, "Don't display metadata for the matches")
 	flag.BoolVar(&options.TemplatesVersion, "templates-version", false, "Shows the installed nuclei-templates version")
+	flag.StringVar(&options.BurpCollaboratorBiid, "burp-collaborator-biid", "", "Burp Collaborator BIID")
 	flag.Parse()
 
 	// Check if stdin pipe was given

v2/internal/runner/runner.go

@@ -15,6 +15,7 @@ import (
 	"github.com/projectdiscovery/nuclei/v2/internal/bufwriter"
 	"github.com/projectdiscovery/nuclei/v2/internal/progress"
 	"github.com/projectdiscovery/nuclei/v2/pkg/atomicboolean"
+	"github.com/projectdiscovery/nuclei/v2/pkg/collaborator"
 	"github.com/projectdiscovery/nuclei/v2/pkg/colorizer"
 	"github.com/projectdiscovery/nuclei/v2/pkg/globalratelimiter"
 	"github.com/projectdiscovery/nuclei/v2/pkg/templates"
@@ -164,6 +165,11 @@ func New(options *Options) (*Runner, error) {
 	// Creates the progress tracking object
 	runner.progress = progress.NewProgress(runner.colorizer.Colorizer, options.EnableProgressBar)
 
+	// Enable Polling
+	if options.BurpCollaboratorBiid != "" {
+		collaborator.DefaultCollaborator.Collab.AddBIID(options.BurpCollaboratorBiid)
+	}
+
 	return runner, nil
 }
 
@@ -229,6 +235,9 @@ func (r *Runner) RunEnumeration() {
 		} // nolint:wsl // comment
 	}
 
+	// Starts polling or ignore
+	collaborator.DefaultCollaborator.Poll()
+
 	var (
 		wgtemplates sync.WaitGroup
 		results     atomicboolean.AtomBool

v2/pkg/collaborator/collaborator.go

@@ -0,0 +1,57 @@
+package collaborator
+
+import (
+	"strings"
+	"time"
+
+	"github.com/projectdiscovery/collaborator"
+)
+
+const (
+	DefaultMaxBufferLimit = 150
+	DefaultPollInterval   = time.Second * time.Duration(5)
+)
+
+var DefaultCollaborator BurpCollaborator = BurpCollaborator{Collab: collaborator.NewBurpCollaborator()}
+
+type BurpCollaborator struct {
+	options *Options
+	Collab  *collaborator.BurpCollaborator
+}
+
+type Options struct {
+	BIID           string
+	PollInterval   time.Duration
+	MaxBufferLimit int
+}
+
+func New(options Options) *BurpCollaborator {
+	collab := collaborator.NewBurpCollaborator()
+	collab.AddBIID(options.BIID)
+	collab.MaxBufferLimit = options.MaxBufferLimit
+	return &BurpCollaborator{Collab: collab}
+}
+
+func (b *BurpCollaborator) Poll() {
+	// if no valid biids were provided just return
+	if len(b.Collab.BIIDs) > 0 {
+		go b.Collab.PollEach(DefaultPollInterval)
+	}
+}
+
+func (b *BurpCollaborator) Has(s string) bool {
+	for _, r := range b.Collab.RespBuffer {
+		for _, rr := range r.Responses {
+			// search in dns
+			if strings.Contains(rr.Data.RawRequestDecoded, s) {
+				return true
+			}
+			// search in http
+			if strings.Contains(rr.Data.RequestDecoded, s) {
+				return true
+			}
+		}
+	}
+
+	return false
+}

v2/pkg/generators/dsl.go

@@ -13,8 +13,10 @@ import (
 	"net/url"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/Knetic/govaluate"
+	"github.com/projectdiscovery/nuclei/v2/pkg/collaborator"
 	"github.com/spaolacci/murmur3"
 )
 
@@ -277,5 +279,18 @@ func HelperFunctions() (functions map[string]govaluate.ExpressionFunction) {
 		return rand.Intn(max-min) + min, nil
 	}
 
+	// Time Functions
+	functions["waitfor"] = func(args ...interface{}) (interface{}, error) {
+		seconds := args[0].(float64)
+		time.Sleep(time.Duration(seconds) * time.Second)
+		return true, nil
+	}
+
+	// Collaborator
+	functions["collab"] = func(args ...interface{}) (interface{}, error) {
+		// check if collaborator contains a specific pattern
+		return collaborator.DefaultCollaborator.Has(args[0].(string)), nil
+	}
+
 	return functions
 }