# Nuclei Templates: Need help to understand Code protocol


errant socket
#

I am currently playing around with the code protocol block to use tlsx for SSL checks. How do I get the command output of tlsx to print in the command line?
https://github.com/projectdiscovery/tlsx

Command line: nuclei -t .\9.1.1.yaml -code -v -debug

id: 9-1-1

info:
  name: TLS Fallback
  author: S0meGuy
  severity: low

code:
  - engine:
      - powershell
      - powershell.exe
    source: |
      tlsx -ve -tv -u https://google.com -min-version tls12 -max-version tls12 -v

alternatively when trying to use the -u argument with {{BaseURL}}
Command line: nuclei -t .\9.1.1.yaml -code -u http://google.com -v -debug

id: 9-1-1

info:
  name: TLS Fallback
  author: S0meGuy
  severity: low

code:
  - engine:
      - powershell
      - powershell.exe
    source: |
      tlsx -ve -tv -u {{BaseURL}} -min-version tls12 -max-version tls12 -v

this resulted in

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[INF] Targets loaded for current scan: 1
[VER] [9-1-1] Executed code on local machine http://google.com
[DBG] [9-1-1] Dumped Executed Source Code for http://google.com

tlsx -ve -tv -u {{BaseURL}} -min-version tls12 -max-version tls12 -v

[DBG] [9-1-1] Dumped Code Execution for http://google.com



[INF] No results found. Better luck next time!

tlsx is in PATH and I am able to run tlsx normally
What am I doing wrong?

How to get Nuclei to print output regardless of error?


hollow geyser
#

I honestly can't tell what you are asking. It seems like you are asking how to use tlsx and nuclei in the same thread

#

where did you find documentation guiding you in what you are doing? I could be wrong, but code templates don't do what you are trying to do

#

basically, please provide your source of what you followed to generate the code above. Unless it's an LLM you used, in which case read documents, don't rely on LLMs

errant socket
hollow geyser
#

can you provide a link to docs that helped you get this far so I can be on the same page

errant socket
#

I'm writing this on my own

hollow geyser
#

so you have read no docs?

errant socket
#

Trying to figure out how the code template works

errant socket
hollow geyser
#

ok, so no links to docs you have referenced, got it. Have you tried calling tlsx with a full path name to eliminate it being a path issue?

#

have you seen anything indicating you can pass in a url into a code template?

errant socket
hollow geyser
#

maybe set it as a variable and reference that. I have a feeling it doesn't do what you are trying to do. But as you have a handful of potential things, I'd simplify it and hardcode the target for now and make sure you can get tlsx working. I'm not fully sure WHY you are doing this however, unless it's just to learn code templates, as you can do this easier

errant socket
hollow geyser
#

then trying to use -u is definitely not going to work

#

the output you provided does not look like the hardcoded version so I don't know what that resulted in

errant socket
#

The output I mentioned was for the second code block

hollow geyser
#

I can see that from the output

#

so when you hard coded it, I don't know what it did to assist

#

is there a reason you wouldn't look at the ssl templates and do that?

#

if trying to learn code templates, I get it, if trying to solve a problem, those would be much more straightforward

errant socket
#

I understand that running the tlsx command directly would be the best. But I'm trying to learn code templates to use it to run os commands

hollow geyser
#

I didn't say running tlsx commands directly, I said using the ssl templates (which do use that in the background). But as you said, if trying to do code templates, then it's a fair task

#

So that being said, what happens when you run the version where you hard coded the target

#

and what happens when you call tlsx by specifying the full path

errant socket
#

I'm currently not at my workstation, but I believe the first hardcoded code block returns

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[INF] No results found. Better luck next time!

hollow geyser
#

would need to run it with debug or verbose to see what it's actually doing

errant socket
#

Debug and verbose flags were on

hollow geyser
#

you don't have any matchers or extractors, so I am not sure what you are expecting it to do

errant socket
#

I just wanna see what output/error it dumps after running

hollow geyser
#

then you'd need to extract that

#

or see if it comes out in debug which it should

#

I'm looking at the docs and for powershell it mentions execution policy etc, I'd recommend following that

errant socket
#

Nothing comes out with both debug and verbose flag though

hollow geyser
#

I'd also try putting it in a ps1 file and seeing if it actually runs

errant socket
#

I see

#

Wait no, execution policy is used because it is trying to run ps1 files

hollow geyser
#

I've not used this at all, but I'd expect treating it like running a file, vs running a command from the powershell command line is the correct way to look at it

#

I don't understand that comment

errant socket
#

But mine is purely powershell followed by command

#

mine is equivalent to powershell tlsx ...

hollow geyser
#

right which isn't the same as running a ps1 file

#

if you throw it in a powershell file and run it, if it does what you'd expect, then I'd say there's a better chance of it working

errant socket
#

But that example is running powershell -ExecutionPolicy Bypass xx.ps1

#

That flag is needed for ps1 scripts

hollow geyser
#

k, you don't need to try suggestions. Good luck with it

empty remnant
#

variables are passed in code templates via env variables that you must retrieve according to the engine used. Try to execute some simple command like ls in order to ensure you can run templates correctly

hollow geyser
#

In the end, the suggestions I gave him that he did not try resolved his initial questions. I have verified it on my side, but I guess it wasn't the answer he wanted

errant socket
# empty remnant variables are passed in code templates via env variables that you must retrieve ...

I've now tried with a simpler command
to create a file using powershell

id: 9-1-1

info:
  name: TLS Fallback
  author: S0meGuy
  severity: low

code:
  - engine:
      - powershell
    source: |
      $file = "C:\Users\Public\file.txt"
      New-Item -Path $file -ItemType File

command: nuclei -t .\test.yaml -code -v -debug

output:

                      __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[INF] No results found. Better luck next time!

#

the output does not indicate anything

#

no error message shown

#

using the example powershell template from https://github.com/projectdiscovery/nuclei/blob/main/integration_tests/protocols/code/ps1-snippet.yaml

after running the example template, there were no results shown on my end

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[INF] No results found. Better luck next time!

frosty summit
errant socket
# frosty summit <@177746430046240768> `self-contained: true` is what might be missing in your te...

yup it worked
@hollow geyser you were right about needing to use the execution policy, it seems that the way to run powershell code templates is different from the syntax of running python/bash code templates

now, how can I pass {{Host}} parameter into powershell commands?

Command: nuclei -t .\test.yaml -code -u http://google.com -v -debug

id: 9-1-1

info:
  name: TLS Fallback
  author: S0meGuy
  severity: low

self-contained: true

variables:
  base_url: "{{BaseURL}}"

code:
  - engine:
      - powershell
    args:
      - -ExecutionPolicy
      - Bypass
      - -File
    pattern: "*.ps1"
    source: |
      echo $base_url

Output:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from Alford
[INF] Targets loaded for current scan: 1
[VER] [9-1-1] Executed code on local machine
[DBG] [9-1-1] Dumped Executed Source Code for

echo {{BaseURL}}

[DBG] [9-1-1] Dumped Code Execution for



[INF] No results found. Better luck next time!

#

I've tried multiple variations, but all did not work, which is the one I should use?

variables:
  base_url: "{{BaseURL}}"
...
    source: |
      echo $base_url

variables:
  base_url: {{BaseURL}}
...
    source: |
      echo $base_url

    source:
      echo {{BaseURL}}

    source:
      echo "{{BaseURL}}"

    source: |
      echo $BaseURL

errant socket
#

@frosty summit
How can args or env vars be used in an external python script when called in Python code template?

the args cannot be used behind the external python script or usage of the args: block will append the arguments in front instead of behind: python -u ... host.py

Python Code template:

id: args

info:
  name: Python Vars
  author: S0meGuy
  severity: low

self-contained: true

variables:
  base_url: "{{BaseURL}}"

code:
  - engine:
      - python3
    source: host.py -u $base_url

or this

    source: host.py
      args:
        - -u
        - $base_url

External Python file

import subprocess
import os
import argparse

try:
    parser = argparse.ArgumentParser(description='Insert host')
    parser.add_argument('-u', dest='host2', help='Get host')
    args = parser.parse_args()
    host2 = args.host2

    print(f"The variable value is: {host2}")
except subprocess.CalledProcessError as e:
    print(f"Error executing command: {e}")

except Exception as e:
    print(f"An error occurred: {e}")

First method:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[VER] [args] Executed code on local machine
[DBG] [args] Dumped Executed Source Code for

host.py -u {{BaseURL}}
[DBG] [args] Dumped Code Execution for

[INF] No results found. Better luck next time!

errant socket
#

using env vars does not work either, it's printing "{{BaseURL}}" literally

id: args

info:
  name: Python Vars
  author: S0meGuy
  severity: low

self-contained: true

variables:
  base_url: "{{BaseURL}}"

code:
  - engine:
      - python3
    source: host.py

import subprocess
import os
import argparse

try:
    host = os.getenv('base_url')

    print(f"The variable value is: {host}")
except subprocess.CalledProcessError as e:
    print(f"Error executing command: {e}")

except Exception as e:
    print(f"An error occurred: {e}")

Second method:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.3

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 26 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.2.3 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from S0meGuy
[VER] [args] Executed code on local machine
[DBG] [args] Dumped Executed Source Code for

import subprocess
import os
import argparse

try

    host = os.getenv('base_url')

    print(f"The variable value is: {host}")
except subprocess.CalledProcessError as e:
    print(f"Error executing command: {e}")

except Exception as e:
    print(f"An error occurred: {e}")
[DBG] [args] Dumped Code Execution for

The variable value is: {{BaseURL}}

[INF] No results found. Better luck next time!