Nuclei 进阶—深入理解 Workflows、Matchers 和 Extractors

开发 开发工具
本篇我重点讲解一下Nuclei中的三个概念,Workflows、Mathcer和Extractors。这些内容将有助于帮助大家编写更为复杂和高效的检测脚本!

前面的文章中介绍了nuclei的基础使用方法,可以参考文章:

​POC模拟攻击利器——Nuclei入门(一)​

接下来我重点讲解一下nuclei中的三个概念,Workflows、Mathcer和Extractors。这些内容将有助于帮助大家编写更为复杂和高效的检测脚本!

workflows

Workflows允许用户自定义模板的执行顺序,这是使用nuclei最高效的方式,官方推荐用户使用自定义Workflows进而缩短扫描时间,提升扫描效率!

  • 基础工作流

例如,定义workflow 扫描files目录下如下yaml:

workflows:- template: files/git-config.yaml- template: files/svn-config.yaml- template: files/env-file.yaml- template: files/backup-files.yaml- tags: xss,ssrf,cve,lfi
  • 条件工作流

首先确认springboot-detect.yaml是否正确执行,如果OK,则运行subtemplates下的template,实例如下:

id: springboot-workflowinfo:name: Springboot Security Checksauthor: dwisiswant0workflows:- template: security-misconfiguration/springboot-detect.yamlsubtemplates:- template: cves/CVE-2018-1271.yaml- template: cves/CVE-2018-1271.yaml- template: cves/CVE-2020-5410.yaml- template: vulnerabilities/springboot-actuators-jolokia-xxe.yaml- template: vulnerabilities/springboot-h2-db-rce.yaml

运行workflows。

nuclei -list http_urls.txt -w workflows/my-workflow.yaml。

Matchers

Mathcer顾明思议,就是提供了一些规则,来对响应结果进行比较匹配!常用有六种类型的。

mathcer,如下所示:

  • status Integer Comparisons of Part
  • size Content Length of Part
  • word Part for a protocol
  • regex Part for a protocol
  • binary Part for a protocol
  • dsl Part for a protocol

例如想对响应码进行比较匹配,写法如下:

matchers:# Match the status codes- type: status# Some status codes we want to matchstatus:- 200

想对响应码进行复杂的匹配时,可以使用dsl。

matchers:- type: dsldsl:- "len(body)<1024 && status_code==200"- "contains(toupper(body), md5(cookie))"

上个实例的含义是匹配响应体长度小于1024 并且状态码是200。

判断大写的body中是否包括cookie的md5sum。

使用condition: and\or 可以对多个条件进行匹配,默认多个条件是and的关系。

官方实例如下:

matchers:# Match the body word- type: word# Some words we want to matchwords:- "[core]"- "[config]"# Both words must be found in the response bodycondition: and# We want to match request body (default)part: body

详情请参考:

https://nuclei.projectdiscovery.io/templating-guide/operators/matchers/。

Extractors

Extractors 也是对结果进行校验,与matchers相比,它可以把满足规则的内容显示出来,同样他也有不同类型的Extractors,如下所示:

1. regex - Extract data from response based on a Regular Expression。

2. kval - Extract key: value/key=value formatted data from Response Header/Cookie。

3. json - Extract data from JSON based response in JQ like syntax。

4. xpath - Extract xpath based data from HTML Response。

例如:

extractors:- type: xpath # type of the extractorattribute: href # attribute value to extract (optional)xpath:- "/html/body/div/p[2]/a" # xpath value for extraction

5. dsl - Extract data from the response based on a DSL expressions。

详情请参考:

https://nuclei.projectdiscovery.io/templating-guide/operators/extractors/。

由于使用nuclei时间尚浅,关于Extractors和Matchers,个人感觉使用差别不是很大!

二者都是对结果的校验,与matchers相比,Extractors它可以把满足规则的内容显示出来!如果大家需要编写复杂的响应校验,那么就需要花时间多研究dsl了。

如何从nuclei中受益

当使用了nuclei一段时间后,个人觉得其实使用nuclei最有价值的就是里面各种template,我们可以查看各个template的脚本来学习攻击方法,而且还可以根据里面的reference 来查看漏洞的详情,这个特别有助于安全知识的相关积累!至于攻击请求的发送,这个其实就容易很多了,我们是否使用nuclei其实都无所谓的,举个简单的例子,关于CVE-2020-9484的 yaml脚本定义如下:

id: CVE-2020-9484info:name: Apache Tomcat Remote Command Executionauthor: dwisiswant0severity: highdescription: |When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 ifa) an attacker is able to control the contents and name of a file on the server; andb) the server is configured to use the PersistenceManager with a FileStore; andc) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; andd) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.Note that all of conditions a) to d) must be true for the attack to succeed.reference:- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html- https://nvd.nist.gov/vuln/detail/CVE-2020-9484- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3Eclassification:cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:Hcvss-score: 7cve-id: CVE-2020-9484cwe-id: CWE-502tags: cve,cve2020,apache,tomcat,rcerequests:- method: GETheaders:Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"path:- "{{BaseURL}}/index.jsp"matchers-condition: andmatchers:- type: statusstatus:- 500- type: wordpart: bodywords:- "Exception"- "ObjectInputStream"- "PersistentManagerBase"condition: and

这个脚本中,最容易的可能就是requests:部分攻击脚本代码,我们用jmeter 或者自己写代码的方式完全可以轻松模拟!而description:部分以及reference:部分才是我们需要重点研究的对象!也是我们深入理解poc攻击的最佳实例!

责任编辑:姜华 来源: 今日头条
相关推荐

2014-07-15 17:17:31

AdapterAndroid

2021-09-10 07:31:54

AndroidAppStartup原理

2021-09-24 08:10:40

Java 语言 Java 基础

2021-09-08 06:51:52

AndroidRetrofit原理

2021-10-15 09:19:17

AndroidSharedPrefe分析源码

2017-08-08 09:15:41

前端JavaScript页面渲染

2021-09-15 07:31:33

Android窗口管理

2010-06-01 15:25:27

JavaCLASSPATH

2020-07-21 08:26:08

SpringSecurity过滤器

2016-12-08 15:36:59

HashMap数据结构hash函数

2012-08-31 10:00:12

Hadoop云计算群集网络

2012-11-08 14:47:52

Hadoop集群

2013-07-31 10:04:42

hadoopHadoop集群集群和网络

2011-07-18 14:38:44

子查询外部查询

2021-09-18 06:56:01

JavaCAS机制

2021-08-24 07:53:28

AndroidActivity生命周期

2017-04-25 15:30:23

堆栈函数JavaScript

2017-03-28 21:39:41

ErrorsStack trace代码

2017-01-10 08:48:21

2024-02-21 21:14:20

编程语言开发Golang
点赞
收藏

51CTO技术栈公众号