[FALSE-NEGATIVE] generic-linux-lfi.yaml #12864

@liquidsec

Description

Template IDs or paths

/http/vulnerabilities/generic/generic-linux-lfi.yaml

Environment

- OS: Ubuntu
- Nuclei: 3.4.2

Steps To Reproduce

  1. Create a web server with one of the words in the 1st flow in the signature in the root:

```yaml
matchers:
  - type: word
    words:
      - "Linux"
      - "Ubuntu"
      - "CentOS"
      - "Apache"
      - "nginx"
    condition: or
    internal: true
```

(Note: I strongly disagree with this initial fingerprint for this particular signature, and think that this alone basically completely neuters the signature/will create tons of false negatives, but that is not the point of the issue)

  2. Place `<html>root:.*:0:0:</html>` at /etc/passwd on the web server.
  3. Execute the signature:
     `./nuclei -u http://yourtestsite --tags lfi`
  4. The signature will not fire.
  5. Remove the redundant extra `- method: GET` (line 35).
  6. Rerun; it detects as expected.

Relevant dumped responses

Anything else?

The issue appears to be the extra `- method: GET` on line 35.

I randomly discovered this because we just so happened to use the /http/vulnerabilities/generic/generic-linux-lfi.yaml template as part of our tests in BBOT to test our integration with Nuclei, causing our tests to fail as a result.

May be worth double-checking the rest of the multiple request/flow roll out (d694ffe) or adding additional tests / validation if something like this was able to slip through.
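One way to catch this class of defect automatically, as an added example that is not part of the issue or of the nuclei-templates project: a stray `- method: GET` at list depth is, in YAML, a new `http` request entry with no `path` or `raw`, so a lint that flags such entries would have caught it. The template below is constructed to mirror the described two-request flow and is not the real generic-linux-lfi.yaml.

```python
import re

# Constructed template mirroring the shape the issue describes: a two-request
# flow with a stray "- method: GET" between the requests. Not the real template.
BROKEN_TEMPLATE = """\
id: constructed-linux-lfi-example
flow: http(1) && http(2)
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Linux"
        internal: true
  - method: GET
  - method: GET
    path:
      - "{{BaseURL}}/etc/passwd"
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
"""

# Matches "key:" or "- key:"; captures indent, the list-item dash and the key.
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z_][\w-]*):")


def find_requests_without_target(template_text):
    """Return 1-based line numbers of list items under the top-level http: key
    that carry neither path: nor raw:, i.e. a method with nothing to send it to."""
    items, in_http, item_indent = [], False, None   # items: [line_no, {keys}]
    for no, line in enumerate(template_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # a new top-level key ends http:
            in_http, item_indent = line.startswith("http:"), None
            continue
        m = KEY_RE.match(line)
        if not in_http or not m:
            continue
        if m.group(2) and (item_indent is None or indent == item_indent):
            item_indent = indent             # "- key:" at list depth: new request
            items.append([no, {m.group(3)}])
        elif items and not m.group(2) and indent == item_indent + 2:
            items[-1][1].add(m.group(3))     # key directly under the request
    return [no for no, keys in items if not keys & {"path", "raw"}]
```

Running it on the constructed template reports line 12 (the stray entry); deleting that line and rerunning reports nothing.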

Labels: Done, Ready to merge, false-negative