免责声明
| 由于传播、利用本公众号琴音安全所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号琴音安全及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉谢谢! |
0x01前言
官网:https://nuclei.projectdiscovery.ioNuclei项目地址:https://github.com/projectdiscovery/nucleiNuclei-Templates项目地址:https://github.com/projectdiscovery/nuclei-templates
0x02 工具安装
#【在线源码编译安装】-需安装Go语言go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest#【本地源码编译安装】-需安装Go语言git clone https://github.com/projectdiscovery/nuclei.gitcd nuclei/v2/cmd/nucleigo buildmv nuclei /usr/local/bin/nuclei -version#【kali一键安装】-【推荐】-不需要安装Go语言,且仅限kali操作系统apt install nuclei#【macOS一键安装】-【推荐】-不需要安装Go语言,且仅限macOS操作系统brew install nuclei#【docker一键安装】-【推荐】-不需要安装Go语言docker pull projectdiscovery/nuclei:latest#【直接下载发行版】-【推荐】-不需要安装Go语言,适合各类操作系统https://github.com/projectdiscovery/nuclei/releases
0x03 常用参数以及模板编写
| 命令 | 描述 | 例子 |
|---|---|---|
| bulk-size | 每个模板最大并行的主机数 (默认 25) | nuclei -bulk-size 25 |
| burp-collaborator-biid | 使用 burp-collaborator 插件 | nuclei -burp-collaborator-biid XXXX |
| c | 并行的最大模板数量 (默认 10) | nuclei -c 10 |
| l | 对 URL 列表进行测试 | nuclei -l urls.txt |
| target | 对目标进行测试 |
nuclei -target hxxps://example.com |
| t | 要检测的模板种类 | nuclei -t git-core.yaml -t cves/ |
| no-color | 输出不显示颜色 | nuclei -no-color |
| no-meta | 不显示匹配的元数据 | nuclei -no-meta |
| json | 输出为 json 格式 | nuclei -json |
| include-rr | json 输出格式中包含请求和响应数据 | nuclei -json -include-rr |
| o | 输出为文件 | nuclei -o output.txt |
| project | 避免发送相同的请求 | nuclei -project |
| stats | 使用进度条 | nuclei -stats |
| silent | 只输出测试成功的结果 | nuclei -silent |
| retries | 失败后的重试次数 | nuclei -retries 1 |
| timeout | 超时时间 (默认为 5 秒) | nuclei -timeout 5 |
| trace-log | 输出日志到 log 文件 | nuclei -trace-log logs |
| rate-limit | 每秒最大请求数 (默认 150) | nuclei -rate-limit 150 |
| severity | 根据严重性选择模板 | nuclei -severity critical,high |
| stop-at-first-match | 第一次匹配不要处理 HTTP 请求 | nuclei -stop-at-frst-match |
| exclude | 排除的模板或文件夹 | nuclei -exclude panels -exclude tokens |
| debug | 调试请求或者响应 | nuclei -debug |
| update-templates | 下载或者升级模板 | nuclei -update-templates |
| update-directory | 选择储存模板的目录 (可选) | nuclei -update-directory templates |
| tl | 列出可用的模板 | nuclei -tl |
| templates-version | 显示已安装的模板版本 | nuclei -templates-version |
| v | 显示发送请求的详细信息 | nuclei -v |
| version | 显示 nuclei 的版本号 | nuclei -version |
| proxy-url | 输入代理地址 | nuclei -proxy-url hxxp://127.0.0.1:8080 |
| proxy-socks-url | 输入 socks 代理地址 | nuclei -proxy-socks-url socks5://127.0.0.1:8080 |
| H | 自定义请求头 | nuclei -H "x-bug-bounty:hacker" |
编写
id
ID 不得包含空格。这样做是为了让输出解析更容易。
id: git-configinfo:name: Git Config File Detection Templateauthor: Ice3manseverity: mediumdescription: Searches for the pattern /.git/config on passed URLs.reference: https://www.acunetix.com/vulnerabilities/web/git-repository-found/: git,config
requests:- raw:- |
GET /zentao/api-getModel-editor-save-filePath=bote HTTP/1.requests:raw:|GET /zentao/api-getModel-editor-save-filePath=bote HTTP/1.1redirects: true: 3
{{BaseURL}} - 这将在请求的运行时替换为目标文件中指定的输入 URL。{{RootURL}} - 这将在运行时将请求中的根 URL 替换为目标文件中指定的根 URL。{{Hostname}} - 主机名变量被替换为主机名,包括运行时目标的端口。{{Host}} - 这将在运行时替换目标文件中指定的输入主机的请求。{{Port}} - 这将在请求中的运行时替换为目标文件中指定的输入端口。{{Path}} - 这将在请求中的运行时替换为目标文件中指定的输入路径。{{File}} - 这将在请求中的运行时替换为目标文件中指定的输入文件名。{{Scheme}} - 这将在运行时按目标文件中指定的协议替换模板中的请求。
Variable Value{{BaseURL}} https://example.com:443/foo/bar.php{{RootURL}} https://example.com:443{{Hostname}} example.com:443{{Host}} example.com{{Port}} 443{{Path}} /foo{{File}} bar.php{{Scheme}} https
# headers contain the headers for the requestheaders:# Custom user-agent header: Some-Random-User-Agent# Custom request origin: https://google.com
# Body is a string sent along with the requestbody: "{"some random JSON"}"# Body is a string sent along with the requestbody: "admin=test"
# cookie-reuse accepts boolean input and false as defaultcookie-reuse: true
req-condition: truematchers:- type: dsldsl:- "status_code_1 == 404 && status_code_2 == 200 && contains((body_2), 'secret_string')"
匹配器
匹配器允许对协议响应进行不同类型的灵活比较。非常易于编写,并且可以根据需要添加多个检查以实现非常有效的扫描。
类型
可以在请求中指定多个匹配器。基本上有6种类型的匹配器:
| Matcher Type | Part Matched |
|---|---|
| status | Integer Comparisons of Part |
| size | Content Length of Part |
| word | Part for a protocol |
| regex | Part for a protocol |
| binary | Part for a protocol |
| dsl | Part for a protocol |
要匹配响应的状态代码,您可以使用以下语法。
matchers:# Match the status codestype: status# Some status codes we want to matchstatus:200302
要为十六进制响应匹配二进制,您可以使用以下语法。
matchers:- type: binarybinary:- "504B0304" # zip archive- "526172211A070100" # RAR archive version 5.0- "FD377A585A0000" # xz tar.xz archivecondition: orpart: body
匹配器还支持将被解码和匹配的十六进制编码数据。
matchers:type: wordencoding: hexwords:"50494e47"part: body
matchers:- type: dsldsl:- "len(body)<1024 && status_code==200" # Body length less than 1024 and 200 status code- "contains(toupper(body), md5(cookie))" # Check if the MD5 sum of cookies is contained in the uppercase body
| Response Part | Description | Example |
|---|---|---|
| content_length | Content-Length Header | content_length >= 1024 |
| status_code | Response Status Code | status_code==200 |
| all_headers | Unique string containing all headers | len(all_headers) |
| body | Body as string | len(body) |
| header_name | Lowercase header name with - converted to _ |
len(user_agent) |
| raw | Headers + Response | len(raw) |
条件
matchers:# Match the body wordtype: word# Some words we want to matchwords:"[core]""[config]"# Both words must be found in the response bodycondition: and# We want to match request body (default)part: body
负匹配器
所有类型的匹配器也支持否定条件,这在查找具有排除项的匹配时非常有用。这可以通过添加matchers块来negative: true使用。
这是使用条件的示例语法negative,这将返回PHPSESSID响应标头中没有的所有 URL。
matchers:type: wordwords:"PHPSESSID"part: headernegative: true
matchers:type: wordname: phpwords:"X-Powered-By: PHP""PHPSESSID"part: headertype: wordname: nodewords:"Server: NodeJS""X-Powered-By: nodejs"condition: orpart: headertype: wordname: pythonwords:"Python/2.""Python/3."condition: orpart: header
: andmatchers:type: wordwords:"X-Powered-By: PHP""PHPSESSID"condition: orpart: headertype: wordwords:"PHP"part: body
regex - 根据正则表达式从响应中提取数据。kval - 从响应标头/Cookie 中提取key: value/key=value格式化数据json - 从基于 JSON 的响应中提取数据,使用类似 JQ 的语法。xpath - 从 HTML 响应中提取基于 xpath 的数据dsl - 根据 DSL 表达式从响应中提取数据。
extractors:- type: regex # type of the extractorpart: body # part of the response (header,body,all)regex:- "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" # regex to use for extraction.
extractors:- type: kval # type of the extractorkval:- content_type # header/cookie value to extract from response
- type: json # type of the extractorpart: bodyname: userjson:- '.[] | .id' # JQ like syntax for extraction
extractors:- type: xpath # type of the extractorattribute: href # attribute value to extract (optional)xpath:- "/html/body/div/p[2]/a" # xpath value for extraction
extractors:- type: dsl # type of the extractordsl:- "len(body)" # dsl expression value to extract from response
extractors:type: regexname: apipart: bodyinternal: true # Required for using dynamic variablesregex:"(?m)[0-9]{3,10}\.[0-9]+"
extractors:- type: regex # type of extractorname: csrf_token # defining the variable namepart: body # part of response to look for# group defines the matching group being used.# In GO the "match" is the full array of all matches and submatches# match[0] is the full match# match[n] is the submatches. Most often we'd want match[1] as depicted belowgroup: 1regex:- '<inputsname="csrf_token"stype="hidden"svalue="([[:alnum:]]{16})"s/>'
上面带有名称的提取器csrf_token将保存由([[:alnum:]]{16})as提取的值abcdefgh12345678。
如果此正则表达式未提供组选项,则上述名称提取器csrf_html_tag将完整匹配(by <input name="csrf_token"stype="hidden"svalue="([[:alnum:]]{16})" />)作为<input name="csrf_token" type="hidden" value="abcdefgh12345678" />.
完整的poc
用禅道的注入漏洞实例
id: zentao_Radafileinfo:name: zentao_Radafileauthor: Qinyinsafeseverity: highdescription: 影响版本:11.6.1之前的版本requests:raw:|GET /zentao/api-getModel-editor-save-filePath=bote HTTP/1.1Host: {{Hostname}}: max-age=0Authorization: Basic YWRtaW46YWRtaW4=: 1: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: gzip, deflate: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6Cookie: lang=zh-cn; device=desktop; theme=default; windowWidth=1912; windowHeight=920; zentaosid=02fkulmkglh43lbjr9fkot1od7 #cookieConnection: closematchers:type: wordwords:'status''fail'
抓包后点击延期->Nuclei->生成模板
原文始发于微信公众号(琴音安全):Nuclei Yaml模板编写漏洞poc
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论