FAKE APP DONT WASTE TIME

[XswoTman]

I already issues a clear report of this fake , they delete my comment . So i think this tool has some techniques to grab user's information or anything. I said because after made few discussions they removed my commented issue of tool . It will show results but fake app .

[ehsandeep]

Hey @masterwireshark,

since you reported this for the 2nd time I'm going to keep this up in the discussion section and also attach the initial GitHub
issue, let us know if you have something to add that can improve the project in any way.

.

[inthenightsky]

You didn't give us anything that we could realistically work off. If you can clearly describe the exact command you're passing into Nuclei, I would be more than happy to try and help you understand what's going wrong, or if there is an issue then we can raise it as an issue for the template you're running.

False positives do happen, but the clearer you are about what you're doing to run into the behaviour, the easier it will be for everyone involved.

[XswoTman]

Okay, this i can related to tools which available on github which is 5-8 years old tools.

Here problem comes, we know .js files have an output in frontend of website. So if we give a url paramater to nuclei example:[ http://abc.xyz/js?ver= ] any URL which ends up .js or any other coding which can viewable to users.

When i gave a parameter like this to nuclei , it provides me results of POC which found Critical LFI vulnerability,the POC may look like [ http://abc.xyz/js?ver=RANDOM?/xyz/xyz?file=../../../../etc/passwd ].

In which i think Automation tool fetch old known found random POC , and while there is already a viewable output .js Output.Finally tool assumes it has found LFI but it actually .js file output which already here in URL.

Anyway, i can exactly say this type of Vulnerability only sees in 5 years old not updated tool, am sorry I doesn't know it's an opensource tool which updates. Initial time i had trust in Nuclei because i got much hype from internet. Anyway fix it.

[ehsandeep]

@masterwireshark nuclei do not expect http://abc.xyz/js?ver=RANDOM?/xyz/xyz?file=../../../../etc/passwd or URLs with parameters as input to scan for public templates, as stated in running-nuclei section, you need to feed Root URL or list of URLs to scan with nuclei, so maybe that's an issue with the inputs?

[XswoTman]

@masterwireshark nuclei do not expect http://abc.xyz/js?ver=RANDOM?/xyz/xyz?file=../../../../etc/passwd or URLs with parameters as input to scan for public templates, as stated in running-nuclei section, you need to feed Root URL or list of URLs to scan with nuclei, so maybe that's an issue with the inputs?

Okay, i stopped the discussion. I already mentioned the issue if i not give parameter in URL list it does the same output . It automatically scan for subdomain and if it's found .js then it makes LFI possibility always false positives.

I hereby stopped all kinds of discussion, and further i will not interfere issues with nuclei, i got anger of this tool . It may have postive but i got only fake POC that's the reason i made a discussion. And my issue is what you should solve because the same issues i seen from many other tools which is 5 plus years old.

Thanks, bye

[inthenightsky]

You really aren't giving us anything we can work with. What is the command you're using? Are you using a specific template? Can you provide that template's ID?

I recognise your angry but we can't fix an issue that we don't have information on. Just saying "I'm getting a false positive on a template with LFI" doesn't help us. Additionally, just saying "Anyway, fix it" really doesn't compel anyone in the OSS community to lend you a hand when we're all volunteers, so please keep that in mind.

[XswoTman]

You really aren't giving us anything we can work with. What is the command you're using? Are you using a specific template? Can you provide that template's ID?

I recognise your angry but we can't fix an issue that we don't have information on. Just saying "I'm getting a false positive on a template with LFI" doesn't help us. Additionally, just saying "Anyway, fix it" really doesn't compel anyone in the OSS community to lend you a hand when we're all volunteers, so please keep that in mind.

I kept your request in mind, i will provide Screenshots / template name soon. I doesn't provided because i got many LFI false positives so i get specify one single template. I just already poste command i uses multiple times.

Wait for it..

[forgedhallpass]

@masterwireshark

We have set up a guidance on how to report issues in nuclei, which requires the exact steps on how to CLEARLY reproduce an issue: e.g. CLI arguments, screenshot(s) (that shows the actual results) and the behavior you would expect. My colleagues and community members were kind enough to answer, even though you've failed to comply with the guideline/requirements and made offensive and non-sense claims.

We are more than happy to provide assistance for those who seek our help and comply with our code of conduct. We treat everyone's opinion with respect, but we expect this to be mutual. The feedback should be constructive.

Before making such claims, you should first do a research yourself. This is an open-source project provided FOR FREE, with more than 300+ template and 50+ engine contributors and used/supported by a community of more than 1000. I invite you to navigate and analyze the code to convince yourself. You are also welcome to contribute to make it better.

"If a duck can't swim, it's not the water who is stupid."

[XswoTman]

@masterwireshark

We have set up a guidance on how to report issues in nuclei, which requires the exact steps on how to CLEARLY reproduce an issue: e.g. CLI arguments, screenshot(s) (that shows the actual results) and the behavior you would expect. My colleagues and community members were kind enough to answer, even though you've failed to comply with the guideline/requirements and made offensive and non-sense claims.

We are more than happy to provide assistance for those who seek our help and comply with our code of conduct. We treat everyone's opinion with respect, but we expect this to be mutual. The feedback should be constructive.

Before making such claims, you should first do a research yourself. This is an open-source project provided FOR FREE, with more than 300+ template and 50+ engine contributors and used/supported by a community of more than 1000. I invite you to navigate and analyze the code to convince yourself. You are also welcome to contribute to make it better.

"If a duck can't swim, it's not the water who is stupid."

Cool no hate. Comp_D_desk

[XswoTman]

It's been a lot i am a victim of botnet. Omg,

):Command nuclei -l urls.txt

): I have got same LFI results with Critical & high vulnerability from many templates. There is a lot more i not have time to take more screenshots and to edit confidential informations.

Thanks, I already got answer from a reputable good Member @ehsandeep , but i posted above from another guys request.

I am sorry, I don't know this is an open source project .

And Please remove all discussion above because it's been a lot criticism from you and my side , it's not a best report i know but no time to take screenshot more. Actually i became sad , i am really sorry my friends. It's been my initial approach to nuclei tool and it became false positive that's reason.

Have false positives but still it is a better tool . I love it , templates are useful and i can even make custom scripts. I didn't add positives it's good .