[issue] Host header change not working with H flag

[un-fmunozs]

I've been trying a couple of options to change the header Host without success. I also noticed that nuclei connects to the host that is included in the RAW HTTP request, instead of connection to the one supplied by stdin.

$ echo https://www.apple.com | ./go/bin/nuclei -t new.yaml -debug

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [test] Loaded template  (@)
[INF] Dumped HTTP request for https://www.apple.com (test)

GET / HTTP/1.1
Host: google.com
Connection: close
Accept-Language: en-US,en;q=0.5
Connection: close
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] Dumped HTTP response for https://www.apple.com (test)

HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 220
Alt-Svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: public, max-age=2592000
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Aug 2020 09:00:13 GMT
Expires: Fri, 11 Sep 2020 09:00:13 GMT
Location: https://www.google.com/
Server: gws
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

[INF] No results found. Happy hacking!
 

Template:

id: test

requests:
  - raw:
      - |
          GET / HTTP/1.1
          Host: google.com
          Accept-Language: en-US,en;q=0.5
          Connection: close

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 206
      - type: word
        words:
          - Test
        part: all

Current behaviour: Request sent to google.com
Expected behaviour: Request sent to apple.com using Host: google.com

This doesnt work using CLI option either

~$ echo https://www.apple.com | ./go/bin/nuclei -t nuclei-templates/files/server-status-localhost.yaml -H "Host: www.google.com" -debug

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [server-status-localhost] Loaded template Server Status Disclosure (@bauthard) [low]
[INF] Dumped HTTP request for https://www.apple.com (server-status-localhost)

GET /server-status HTTP/1.1
Host: www.apple.com
Connection: close
Accept: */*
Accept-Language: en
Connection: close
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

[ehsandeep]

Hey @un-fmunozs,

Thank you for creating this issue, for the template, it's expected behavior, but using H flag it should be allowed to update that header, so we are tracking that bug in this issue.

[un-fmunozs]

No problem. Should it work inside the headers part of the template too? I can't get it working there either:

$ echo https://beford.org | /home/buggie/go/bin/nuclei -t cgi.yaml -debug

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [cgi-test-page] Loaded template CGI Test page (@YASH ANAND @yashanand155) [info]
[INF] Dumped HTTP request for https://beford.org (cgi-test-page)

GET /cgi-bin/test/test.cgi HTTP/1.1
Host: beford.org
Connection: close
Accept: */*
Accept-Language: en
Connection: close
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)
X-Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1

[INF] Dumped HTTP response for https://beford.org (cgi-test-page)

HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 12 Aug 2020 10:36:44 GMT
Server: Apache

Template:

id: cgi-test-page
info:
  name: CGI Test page
  author: YASH ANAND @yashanand155
  severity: info

requests:
  - method: GET
    headers:
      Host: "127.0.0.1"
      X-Client-IP: "127.0.0.1"
      X-Remote-IP: "127.0.0.1"
      X-Remote-Addr: "127.0.0.1"
      X-Forwarded-For: "127.0.0.1"
      X-Originating-IP: "127.0.0.1"

    path:
      - "{{BaseURL}}/cgi-bin/test/test.cgi"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - HTTP_ACCEPT
          - HTTP_ACCEPT_ENCODING
        condition: and

      - type: status
        status:
          - 200

[un-fmunozs]

Hey @un-fmunozs,

Thank you for creating this issue, for the template, it's expected behavior, but using H flag it should be allowed to update that header, so we are tracking that bug in this issue.

Sorry, I do not understand why is the request sent to google.com instead of the host provided.

Do you mean is expected behavior because the raw request is parsed and then the query sent (to the host in the raw), ignoring the data provided on the stdin? How does it know what port should it contact to in this case?

This is a case where I expected the raw request to be sent as-is on the template to the server but it isn't.

[ehsandeep]

Hey @un-fmunozs,

Nuclei do not support host manipulation with templates, for now, so when you do echo https://www.apple.com and have Host: google.com, it will make a request to host defined in your template.

[gy741]

Hello, @bauthard

This seems to be a problem similar to the question I left behind.

#215 #214

[ehsandeep]

Hey, this is open issue with known problems, this issue will be updated when we push an update for this in next release, let me know if you have any further questions on this.

[ehsandeep]

@un-fmunozs @gy741 this has been added in #329, now with unsafe:true you can make use of RAW HTTP to send any header/request. the changes are merged into master code, so you need to pull the master code before we create a new release for these changes.

[eur0pa]

@bauthard #329 does not fix this—ie:

requests:
  - raw:
    - |
      GET / HTTP/1.1
      Host: localhost
      
      
unsafe: true

Will still produce a request to the destination target:

[INF] Dumped HTTP request for http://dm347pj0fpkgykpn1wfznbkr5ib8zx.burpcollaborator.net (test)

GET / HTTP/1.1
Host:dm347pj0fpkgykpn1wfznbkr5ib8zx.burpcollaborator.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0

[ehsandeep]

Hey @eur0pa, burp collaborator uses host header to dispatch the requests, so it will not work in case, you can use any other host to confirm this, for example:-

echo https://example.com | nuclei -t host.yaml -debug

                       __     _
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ /
   / / / / /_/ / /__/ /  __/ /
  /_/ /_/\__,_/\___/_/\___/_/   v2.1.1

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Loading templates...
[INF] []  (@)
[INF] Using 1 rules (1 templates, 0 workflows)
[INF] Dumped HTTP request for https://example.com ()

GET / HTTP/1.1
Host: localhost
Connection: close
Connection: close
User-Agent: Nuclei - Open-source project (github.com/projectdiscovery/nuclei)

[INF] No results found. Happy hacking!