Scan Results Are Inconsistent

[beyildirim]

Nuclei version:

2.7.5

Current Behavior:

I'm initiating a scan to a known vulnerable URL with the same custom template. Sometimes it's finding, and sometimes it's not.

Expected Behavior:

It should be showing the same results.

Steps To Reproduce:

1. nuclei -u http://php.testsparker.com -t nuclei-templates/exposures/configs/phpinfo.yaml
2. It won't be showing any findings:

1. nuclei -u http://php.testsparker.com -t nuclei-templates/exposures/configs/phpinfo.yaml
2. It's showing a finding:

Anything else:

I think that's not related to the default nuclei-templates phpinfo exposure script. It's like some packet sending/receiving issue.

Additionally, this vulnerable URL has a phpinfo: http://php.testsparker.com/phpinfo.php and the phpinfo.yaml script has that directory as a path.

[ehsandeep]

Not confirmed, could be related:

• Problem in url list process in nuclei #2385
• Rate limit per minute doesn't work in some cases in v2.7.5 #2375

[Ice3man543]

Hi @beyildirim, the issue seems to be related to the end server. While trying to request http://php.testsparker.com/phpinfo.php using curl multiple times, i noticed that the server is very slow to respond and it may take longer than 10 seconds for the request to finish.

By default. nuclei uses a very low timeout of 5 seconds after which requests are cancelled which seems to be what is causing the inconsistent results. If you try running the scan with a longer timeout value, the results appear to be consistent.

> nuclei -u http://php.testsparker.com -t ~/nuclei-templates/exposures/configs/phpinfo.yaml -v -timeout 15

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.6.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.6.5 (outdated)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[VER] [phpinfo-files] Sent HTTP request to http://php.testsparker.com/php.php
[VER] [phpinfo-files] Sent HTTP request to http://php.testsparker.com/phpinfo.php
[2022-08-15 13:17:23] [phpinfo-files] [http] [low] http://php.testsparker.com/phpinfo.php

> nuclei -u http://php.testsparker.com -t ~/nuclei-templates/exposures/configs/phpinfo.yaml -v -timeout 15

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.6.5

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.6.5 (outdated)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[VER] [phpinfo-files] Sent HTTP request to http://php.testsparker.com/php.php
[VER] [phpinfo-files] Sent HTTP request to http://php.testsparker.com/phpinfo.php
[2022-08-15 13:17:48] [phpinfo-files] [http] [low] http://php.testsparker.com/phpinfo.php

[JoshuaMart]

I thought I had the same problem, while discussing with a colleague we realized that we did not necessarily have the same results and that by pushing a little the tests, we have indeed inconsistencies

Using a custom template, each time some detections were missed, on the following screenshot, only 5 cases on 8 are detected :

Despite using a lower concurrency or rate limit, the results were still inconsistent. Whereas by just scanning the vulnerable target, I constantly have the vulnerability

Increasing the timeout as suggested by @Ice3man543, indeed allows to detect all cases. Although it seems to be a solution, I still have a doubt because the target only takes a while to respond when I use Nuclei and scan several targets at the same time (I use the -c 1 option in my tests).

If I scan the target directly, the response is almost immediate

Regards

[beyildirim]

Hello, @Ice3man543 Are there any new updates regarding @JoshuaMart s update on the ticket? I have done other tests with different targets. Results are still inconsistent.

[ehsandeep]

@beyildirim Thank you for helping us on this, Could you retry the same test with the latest version of nuclei? also, possible to share another example as http://php.testsparker.com/phpinfo.php is not accessible anymore?

[bradleman]

FWIW I'm seeing the same behavior with the latest version. Catches 2-4 of 8 matches from list of 40 targets, 1 in 10 tries will catch all 8 even with timeout set to 15 and rl set to 2. Same behavior on multiple systems. I don't think it's a timeout issue because they load up fine with curl or in a browser. Again, FWIW.

[ehsandeep]

@bradleman do you have more information to share that can be used to replicate?

[bradleman]

What additional information do you want? I see there's a new release 2.7.7 so I'll update and try the test again.

[ehsandeep]

input (if it's specific to any target) and cmd to replicate this behavior.

[ehsandeep]

@beyildirim @bradleman @JoshuaMart I was running some more tests with the latest release, and it seems the results are consistent, but let me know if you still notice otherwise.

while true; do echo total: `nuclei -u http://php.testsparker.com -id exposed-svn -silent | wc`; done

total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1
total: 1

[beyildirim]

Hello @ehsandeep , these are the results I got today, and the target is alive. Let me know if I can provide you with more info regarding it.

[ehsandeep]

also, moving this ticket to the discussion as currently this behavior can not be reproduced or requires more information for the investigation, and as @Ice3man543 suggested, the default value for the timeout is increased in the dev version and will be reflected in next release.