前面的文章中介绍了nuclei的基础使用方法,可以参考文章:
接下来我重点讲解一下nuclei中的三个概念,Workflows、Mathcer和Extractors。这些内容将有助于帮助大家编写更为复杂和高效的检测脚本!
workflows
Workflows允许用户自定义模板的执行顺序,这是使用nuclei最高效的方式,官方推荐用户使用自定义Workflows进而缩短扫描时间,提升扫描效率!
- 基础工作流
例如,定义workflow 扫描files目录下如下yaml
workflows:
- template: files/git-config.yaml
- template: files/svn-config.yaml
- template: files/env-file.yaml
- template: files/backup-files.yaml
- tags: xss,ssrf,cve,lfi
- 条件工作流
首先确认springboot-detect.yaml是否正确执行,如果OK,则运行subtemplates下的template,实例如下:
id: springboot-workflow
info:
name: Springboot Security Checks
author: dwisiswant0
workflows:
- template: security-misconfiguration/springboot-detect.yaml
subtemplates:
- template: cves/CVE-2018-1271.yaml
- template: cves/CVE-2018-1271.yaml
- template: cves/CVE-2020-5410.yaml
- template: vulnerabilities/springboot-actuators-jolokia-xxe.yaml
- template: vulnerabilities/springboot-h2-db-rce.yaml
运行workflows
nuclei -list http_urls.txt -w workflows/my-workflow.yaml
Matchers
Mathcer顾明思议,就是提供了一些规则,来对响应结果进行比较匹配!常用有六种类型的
mathcer,如下所示:
- status Integer Comparisons of Part
- size Content Length of Part
- word Part for a protocol
- regex Part for a protocol
- binary Part for a protocol
- dsl Part for a protocol
例如想对响应码进行比较匹配,写法如下:
matchers:
# Match the status codes
- type: status
# Some status codes we want to match
status:
- 200
想对响应码进行复杂的匹配时,可以使用dsl
matchers:
- type: dsl
dsl:
- "len(body)<1024 && status_code==200"
- "contains(toupper(body), md5(cookie))"
上个实例的含义是匹配响应体长度小于1024 并且状态码是200
判断大写的body中是否包括cookie的md5sum
使用condition: and\or 可以对多个条件进行匹配,默认多个条件是and的关系
官方实例如下:
matchers:
# Match the body word
- type: word
# Some words we want to match
words:
- "[core]"
- "[config]"
# Both words must be found in the response body
condition: and
# We want to match request body (default)
part: body
详情请参考 https://nuclei.projectdiscovery.io/templating-guide/operators/matchers/
Extractors
Extractors 也是对结果进行校验,与matchers相比,它可以把满足规则的内容显示出来,同样他也有不同类型的Extractors,如下所示:
1. regex - Extract data from response based on a Regular Expression.
2. kval - Extract key: value/key=value formatted data from Response Header/Cookie
3. json - Extract data from JSON based response in JQ like syntax.
4. xpath - Extract xpath based data from HTML Response
例如:
extractors:
- type: xpath # type of the extractor
attribute: href # attribute value to extract (optional)
xpath:
- "/html/body/div/p[2]/a" # xpath value for extraction
5. dsl - Extract data from the response based on a DSL expressions.
详情请参考https://nuclei.projectdiscovery.io/templating-guide/operators/extractors/
由于使用nuclei时间尚浅,关于Extractors和Matchers,个人感觉使用差别不是很大!
二者都是对结果的校验,与matchers相比,Extractors它可以把满足规则的内容显示出来!如果大家需要编写复杂的响应校验,那么就需要花时间多研究dsl了。
如何从nuclei中受益
当使用了nuclei一段时间后,个人觉得其实使用nuclei最有价值的就是里面各种template,我们可以查看各个template的脚本来学习攻击方法,而且还可以根据里面的reference 来查看漏洞的详情,这个特别有助于安全知识的相关积累!至于攻击请求的发送,这个其实就容易很多了,我们是否使用nuclei其实都无所谓的,举个简单的例子,关于CVE-2020-9484的 yaml脚本定义如下:
id: CVE-2020-9484
info:
name: Apache Tomcat Remote Command Execution
author: dwisiswant0
severity: high
description: |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if
a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.
reference:
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-9484
- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7
cve-id: CVE-2020-9484
cwe-id: CWE-502
tags: cve,cve2020,apache,tomcat,rce
requests:
- method: GET
headers:
Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
path:
- "{{BaseURL}}/index.jsp"
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "Exception"
- "ObjectInputStream"
- "PersistentManagerBase"
condition: and
这个脚本中,最容易的可能就是requests:部分攻击脚本代码,我们用jmeter 或者自己写代码的方式完全可以轻松模拟!而description:部分以及reference:部分才是我们需要重点研究的对象!也是我们深入理解poc攻击的最佳实例!