This introduces a "nucleitcp" protocol that Nuclei will use when
making MySQL connections as part of its templates.
Previously, this would register (and de-register!) a custom "tcp"
dialer, and that applied globally, so any piece of software that
used a MySQL database and included nuclei in SDK mode would have
its database connections ripped out from under it due to the dialer
hijacking.
By using "nucleitcp" as the protocol, we are free to do whatever
we want with the dialer and not impact any other packages.
Within our `BuildDSN` function, we quietly replace the protocol to
"nucleitcp" if it was "tcp", so nuclei developers don't have to do
anything special to use this functionality; it will always do it.
* Move proxy variable from global to options
- Provides ability to pass diff proxy in single nuclei instance using sdk
* add type check (resolve comments)
* feat: global matchers
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com>
* feat(globalmatchers): make `Callback` as type
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat: update `passive` term to `(matchers-)static`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): add `origin-template-*` event
also use `Set` method instead of `maps.Clone`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat: update `matchers-static` term to `global-matchers`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): clone event before `operator.Execute`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix(tmplexec): don't store `matched` on `global-matchers` templ
This will end up generating 2 events from the same
`scan.ScanContext` if one of the templates has
`global-matchers` enabled. This way, non-
`global-matchers` templates can enter the
`writeFailureCallback` func to log failure output.
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): initializes `requests` on `New`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): add `hasStorage` method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* refactor(templates): rename global matchers checks method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix(loader): handle nil `templates.Template` pointer
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com>
* misc update
* chore(deps): bump github.com/gin-gonic/gin from 1.9.0 to 1.9.1 (#4252)
Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](https://github.com/gin-gonic/gin/compare/v1.9.0...v1.9.1)
---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump github.com/docker/docker (#4316)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.5...v24.0.7)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix README_CN.md typos (#4369)
* version update
* Add more support for `fs.FS` in the disk catalog
This adds more support for `fs.FS` in the disk catalog. This
fixes some places where direct `os` file-related calls were being
made to use the catalog interface instead.
Note that the JavaScript compiler *still* does not work in any
context where the `pkg/js/libs/fs` package is used. In particular,
the `ReadFilesFromDir` function is hard-coded to use the `os`
package and not respect the catalog.
* Remove some testing artifacts
* Wrap up
* Unwind other changes
* Add a LoadHelperFileFunction to Options
* Use a direct func
* Tweak validation
* Use a function type
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Xc1Ym <xuedongyuming2233@gmail.com>
Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>
* Apply input transformation to multi-protocol template execution
* Remove ad hoc input transoformation from DNS protocol
* Add SSL protocol input transformer
* Remove ad hoc input transoformation from SSL protocol
* Remove unused function extractDomain from the DNS protocol engine
* transform in flow as well
* bug fix + update test
* bug fix multi proto
:
* bug fix multi proto input
* bug fixes in input transform
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
* feat: added fuzzing output enhancements
* changes as requested
* misc
* feat: added dfp flag to display fuzz points + misc additions
* feat: added support for fuzzing nested path segments
* feat: added parts to fuzzing requests
* feat: added tracking for parameter occurence frequency in fuzzing
* added cli flag for fuzz frequency
* fixed broken tests
* fixed path based sqli integration test
* feat: added configurable fuzzing aggression level for payloads
* fixed failing test
* feat: added support for context cancellation to engine
* misc
* feat: added contexts everywhere
* misc
* misc
* use granular http timeouts and increase http timeout to 30s using multiplier
* track response header timeout in mhe
* update responseHeaderTimeout to 5sec
* skip failing windows test
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
* add default get method
* remove residual payload logic from old implementation
* fuzz: clone current state of component
* fuzz: bug fix stacking of payloads in multiple mode
* improve stdout template loading stats
* stdout: force display warnings if no templates are loaded
* update flags in README.md
* quote non-ascii chars in extractor output
* aws request signature can only be used in signed & verified tmpls
* deprecate request signature
* remove logic related to deprecated fuzzing input
* update test to use ordered params
* fix interactsh-url lazy eval: #4946
* output: skip unnecessary updates when unescaping
* updates as per requested changes
* feat: move fuzz package to root directory
* feat: added support for input providers like openapi,postman,etc
* feat: integration of new fuzzing logic in engine
* bugfix: use and instead of or
* fixed lint errors
* go mod tidy
* add new reqresp type + bump utils
* custom http request parser
* use new struct type RequestResponse
* introduce unified input/target provider
* abstract input formats via new inputprovider
* completed input provider refactor
* remove duplicated code
* add sdk method to load targets
* rename component url->path
* add new yaml format + remove duplicated code
* use gopkg.in/yaml.v3 for parsing
* update .gitignore
* refactor/move + docs fuzzing in http protocol
* fuzz: header + query integration test using fuzzplayground
* fix integration test runner in windows
* feat add support for filter in http fuzz
* rewrite header/query integration test with filter
* add replace regex rule
* support kv fuzzing + misc updates
* add path fuzzing example + misc improvements
* fix matchedURL + skip httpx on multi formats
* cookie fuzz integration test
* add json body + params body tests
* feat add multipart/form-data fuzzing support
* add all fuzz body integration test
* misc bug fixes + minor refactor
* add multipart form + body form unit tests
* only run fuzzing templates if -fuzz flag is given
* refactor/move fuzz playground server to pkg
* fix integration test + refactor
* add auth types and strategies
* add file auth provider
* start implementing auth logic in http
* add logic in http protocol
* static auth implemented for http
* default :80,:443 normalization
* feat: dynamic auth init
* feat: dynamic auth using templates
* validate targets count in openapi+swagger
* inputformats: add support to accept variables
* fix workflow integration test
* update lazy cred fetch logic
* fix unit test
* drop postman support
* domain related normalization
* update secrets.yaml file format + misc updates
* add auth prefetch option
* remove old secret files
* add fuzzing+auth related sdk options
* fix/support multiple mode in kv header fuzzing
* rename 'headers' -> 'header' in fuzzing rules
* fix deadlock due to merge conflict resolution
* misc update
* add bool type in parsed value
* add openapi validation+override+ new flags
* misc updates
* remove optional path parameters when unavailable
* fix swagger.yaml file
* misc updates
* update print msg
* multiple openapi validation enchancements + appMode
* add optional params in required_openapi_vars.yaml file
* improve warning/verbose msgs in format
* fix skip-format-validation not working
* use 'params/parameter' instead of 'variable' in openapi
* add retry support for falky tests
* fix nuclei loading ignored templates (#4849)
* fix tag include logic
* fix unit test
* remove quoting in extractor output
* remove quote in debug code command
* feat: issue tracker URLs in JSON + misc fixes (#4855)
* feat: issue tracker URLs in JSON + misc fixes
* misc changes
* feat: status update support for issues
* feat: report metadata generation hook support
* feat: added CLI summary of tickets created
* misc changes
* introduce `disable-unsigned-templates` flag (#4820)
* introduce `disable-unsigned-templates` flag
* minor
* skip instead of exit
* remove duplicate imports
* use stats package + misc enhancements
* force display warning + adjust skipped stats in unsigned count
* include unsigned skipped templates without -dut flag
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
* Purge cache on global callback set (#4840)
* purge cache on global callback set
* lint
* purging cache
* purge cache in runner after loading templates
* include internal cache from parsers + add global cache register/purge via config
* remove disable cache purge option
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
* misc update
* add application/octet-stream support
* openapi: support path specific params
* misc option + readme update
---------
Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
Co-authored-by: Tarun Koyalwar <45962551+tarunKoyalwar@users.noreply.github.com>
Co-authored-by: Dogan Can Bakir <65292895+dogancanbakir@users.noreply.github.com>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
