conditional redirects with flow

[Baikeryoyo]

Regarding redirection issues
Example:
Target: xxx.com
Redirect: xxx.com/zxc.php
I hope to initiate a POST request to xxx.com/zxc.php in the template
Moreover, the path and file of zxc.php are not fixed. I hope to obtain them dynamically using redirection.
After studying the documentation I didn't find a solution to this problem
So I plan to obtain it through regular matching

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
    
    host-redirects: true
    max-redirects: 3
    
    matchers:
      - type: regex
        name: path1
        part: body
        regex: 
          - '<meta http-equiv="refresh" content="0;url=/(.+?)"/>'
        
  - raw:
    - |
        POST /{{path1}} HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        xxx
        
    matchers: 
      - type: word
        part: body
        words: 
          -  'xxx'

I don't know what went wrong. The template did not successfully make network requests.
I'd like to know the correct way to do this, or some other way to handle redirects

[Baikeryoyo]

In the above syntax, I tried adding the following syntax, but it still didn't work
internal: true
condition: true

[tarunKoyalwar]

@Baikeryoyo , from what i could understand i have created a template . i want to point out that to extract url from 1st request and use it in second request you need to use extractor and not matcher

id: flow-redirect-extract
info:
  name: Flow redirect extract
  author: pdteam
  severity: medium

flow: |
  http(1)
  set("newpath",template.path1[0]) # temporary workaround for (https://github.com/projectdiscovery/nuclei/issues/4547)
  http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
    
    host-redirects: true
    max-redirects: 3

    extractors:
      - type: regex
        internal: true
        name: path1
        group: 1
        regex: 
          - <meta http-equiv="refresh" content="\d+;url='([^']*)'"
        
  - raw:
    - |
        GET {{newpath}} HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        xxx
        
    matchers: 
      - type: word
        part: body
        words: 
          -  'Admin Page'

$  nuclei -u http://localhost:8000 -t tmp.yaml               

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.3

		projectdiscovery.io

[INF] Current nuclei version: v3.1.3 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[flow-redirect-extract] [http] [medium] http://localhost:8000/admin.html

Setup

$ cat index.html                                                                                                                      130 ↵
<!DOCTYPE html>
<html>
<head>
    <title>Redirecting...</title>
    <meta http-equiv="refresh" content="0;url='/admin.html'"/>
</head>
<body>
    <p>If you are not redirected, <a href="/admin.html">click here</a>.</p>
</body>
</html>

$ cat admin.html 
<!DOCTYPE html>
<html>
<head>
    <title>Admin</title>
</head>
<body>
    <p>Not a Admin Page !!</p>
</body>
</html>

$ simplehttpserver 

   _____ _                 __     __  __________________                                
  / ___/(_)___ ___  ____  / /__  / / / /_  __/_  __/ __ \________  ______   _____  _____
  \__ \/ / __ -__ \/ __ \/ / _ \/ /_/ / / /   / / / /_/ / ___/ _ \/ ___/ | / / _ \/ ___/
 ___/ / / / / / / / /_/ / /  __/ __  / / /   / / / ____(__  )  __/ /   | |/ /  __/ /    
/____/_/_/ /_/ /_/ .___/_/\___/_/ /_/ /_/   /_/ /_/   /____/\___/_/    |___/\___/_/     
                /_/                                                       - v0.0.6

		projectdiscovery.io

Serving /Users/tarun/testing/nuclei-redirect on http://0.0.0.0:8000/
[2024-01-06 02:02:43] 127.0.0.1:59766 "GET / HTTP/1.1" 200 233
[2024-01-06 02:04:07] 127.0.0.1:59842 "GET / HTTP/1.1" 200 233
[2024-01-06 02:04:42] 127.0.0.1:59904 "GET / HTTP/1.1" 200 233
[2024-01-06 02:05:08] 127.0.0.1:59925 "GET / HTTP/1.1" 200 233
[2024-01-06 02:05:44] 127.0.0.1:59975 "GET / HTTP/1.1" 200 233
[2024-01-06 02:05:50] 127.0.0.1:59998 "GET / HTTP/1.1" 200 233
[2024-01-06 02:07:12] 127.0.0.1:60087 "GET / HTTP/1.1" 200 233
[2024-01-06 02:07:23] 127.0.0.1:60106 "GET / HTTP/1.1" 200 233
[2024-01-06 02:07:41] 127.0.0.1:60122 "GET / HTTP/1.1" 200 233
[2024-01-06 02:08:02] 127.0.0.1:60140 "GET / HTTP/1.1" 200 233
[2024-01-06 02:08:02] 127.0.0.1:60141 "GET /[/admin.html] HTTP/1.1" 404 19
[2024-01-06 02:10:31] 127.0.0.1:60308 "GET / HTTP/1.1" 200 233
[2024-01-06 02:10:31] 127.0.0.1:60309 "GET //admin.html HTTP/1.1" 200 117
[2024-01-06 02:10:42] 127.0.0.1:60317 "GET / HTTP/1.1" 200 233
[2024-01-06 02:10:42] 127.0.0.1:60318 "GET /admin.html HTTP/1.1" 200 117
[2024-01-06 02:11:50] 127.0.0.1:60384 "GET / HTTP/1.1" 200 233
[2024-01-06 02:11:50] 127.0.0.1:60385 "GET /admin.html HTTP/1.1" 200 117

also @Baikeryoyo join projectdiscovery community where you can discuss and get help from community . also regarding any questions please create a discussion or ask in discord

[Baikeryoyo]

Is there any official configuration that can be obtained automatically?
Through regular matching, in the real environment, there may be various jump situations, such as in HTML tags, such as HTTP headers, such as multiple jumps
In my current case, there is such a problem, multiple jumps through HTML
/ -> /abc/index.php -> /abc/login
According to the regular way, I constructed the following template
However, it was found that the second request was initiated normally, that is, GET /abc/index.php, but the third request was not initiated.

flow: |
  http(1)
  set("path2",template.path1[0])
  http(2)
  set("path4",template.path3[0])
  http(3)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
    
    host-redirects: true
    max-redirects: 1
    
    extractors:
      - type: regex
        name: path1
        group: 1
        regex: 
          - '<meta http-equiv="refresh" content="[0-9]+;url=(\/[^\s]*)"/>'
        internal: true  
        
  - raw:
      - |
        GET {{path2}} HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
    
    
    extractors:
      - type: regex
        name: path3
        group: 1
        regex: 
          - '<meta http-equiv="refresh" content="[0-9]+;url=(\/[^\s]*)"/>'
        internal: true

  - raw:
      - |
        POST {{path4}} HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        xxx
        
    matchers: 
      - type: word
        part: body
        words: 
          -  'admin'

[tarunKoyalwar]

@Baikeryoyo , there is actually, i would recommend reading https://docs.projectdiscovery.io/templates/protocols/flow docs , flow here is javascript so you can just use for loop with max limit or while loop etc anything and just run http protocol and exit on some condition ex:

http(1)
while(true) {
   if(template.path != "") {
      http(2)
  }
}

This is just a example but i think you get idea , just define your logic in javascript and run as many times as you want . but make sure to properly handle all edgecases to avoid infinite looops