Dwi Siswanto

Weaponizes nuclei Workflows to Pwn All the Things

July 06, 2020

Nuclei is a configurable, targeted scanner driven by templates, which allows complete extensibility through a very simple and easy-to-use templating syntax.

Templates

nuclei-templates is the main focus of the nuclei scanner, and its strength is simplicity: you only need to define mappings (keys and values) in YAML, and nuclei executes them.

For example:

id: exposed-svn
info:
  name: Exposed SVN Directory
  author: udit_thakkur & dwisiswant0
  severity: medium
requests:
  - method: GET
    path:
      - "/.svn/entries"
      - "/.svn/prop-base/"
      - "/.svn/text-base/"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
      - type: status
        status:
          - 200

The template above scans the targets for an exposed SVN directory, sending requests in sequence to the three paths listed (/.svn/entries, /.svn/prop-base/ and /.svn/text-base/).

Usage:

▶ nuclei -l urls.txt -t files/exposed-svn.yaml

NOTE: The matchers-condition key is set to and, which means a result is reported only if every matcher matches!

(Demo: nuclei scan targets with exposed-svn template)

Nuclei then prints a result on the terminal only when the response has a 200 status code and the response body matches one of the regexes.

Workflows

Nuclei workflows let you create conditional templates that are executed only after a previous template's condition has matched, which makes the process more precise! Chained workflows support both HTTP- and DNS-based templates.

A workflow has two parts: variables, which map a name to a template file, and logic, which calls those names in conditions to decide which templates run.

Example workflows

1. Spring Boot Pwner Workflow

(Demo: nuclei scan targets with Spring Boot Pwner Workflow template)

Template:

id: springboot-pwner-workflow
info:
  name: Spring Boot Pwner
  author: dwisiswant0
variables:
  springboot: security-misconfiguration/springboot-detect.yaml
  springboot_cve_2018_1271: cves/CVE-2018-1271.yaml
  springboot_cve_2019_3799: cves/CVE-2019-3799.yaml
  springboot_cve_2020_5410: cves/CVE-2020-5410.yaml
  springboot_xxe: vulnerabilities/springboot-actuators-jolokia-xxe.yaml
logic:
  |
  if springboot() {
    springboot_cve_2018_1271()
    springboot_cve_2019_3799()
    springboot_cve_2020_5410()
    springboot_xxe()
  }

The workflow above scans the target with the following flow: if the target has a Spring Boot misconfiguration, nuclei goes on to scan for CVE-2018-1271, CVE-2019-3799, CVE-2020-5410 and the Spring Boot Actuators (Jolokia) XXE vulnerability.
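To make the variables/logic semantics concrete, here is an added example (not part of this post or of nuclei itself) that statically walks the Spring Boot workflow's logic block: it records which detection gates each template, reports names called in logic but never declared under variables, and predicts which templates nuclei would run for a given set of matched detections. The workflow fields are copied from the template above and held as Python values instead of being parsed from YAML; it understands only the `if name() { ... }` and `name()` lines used on this page.

```python
import re

# Copied from the Spring Boot Pwner workflow above (variables and logic),
# held as Python values instead of being parsed from the YAML file.
VARIABLES = {
    "springboot": "security-misconfiguration/springboot-detect.yaml",
    "springboot_cve_2018_1271": "cves/CVE-2018-1271.yaml",
    "springboot_cve_2019_3799": "cves/CVE-2019-3799.yaml",
    "springboot_cve_2020_5410": "cves/CVE-2020-5410.yaml",
    "springboot_xxe": "vulnerabilities/springboot-actuators-jolokia-xxe.yaml",
}
LOGIC = """
if springboot() {
  springboot_cve_2018_1271()
  springboot_cve_2019_3799()
  springboot_cve_2020_5410()
  springboot_xxe()
}
"""

IF_LINE = re.compile(r"if\s+(\w+)\(\)\s*\{$")   # "if name() {"
CALL_LINE = re.compile(r"(\w+)\(\)$")           # "name()"


def plan(variables, logic):
    """Walk the logic block and return (gates, undefined).

    gates maps every called template name to the list of detections that
    must match before it runs (an empty list means it runs unconditionally);
    undefined lists names called in logic but not declared under variables.
    """
    open_conditions = []  # stack of enclosing if-conditions (supports nesting)
    gates, undefined = {}, []
    for line in (ln.strip() for ln in logic.splitlines()):
        if not line:
            continue
        if line == "}":
            open_conditions.pop()
            continue
        m = IF_LINE.match(line) or CALL_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported logic line: {line!r}")
        name = m.group(1)
        if name not in variables and name not in undefined:
            undefined.append(name)
        gates.setdefault(name, list(open_conditions))
        if IF_LINE.match(line):
            open_conditions.append(name)
    return gates, undefined


def templates_to_run(gates, matched):
    """Names of templates nuclei would execute given the matched detections."""
    return sorted(t for t, g in gates.items() if all(c in matched for c in g))
```

With no detection matched only springboot-detect runs; once it matches, all four follow-up templates are scheduled, and a misspelled name in logic shows up in the undefined list before the workflow is ever run against a target.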

Workflow diagram

(Spring Boot Pwner Workflow diagram with Nuclei)

Usage:

Gather targets by querying Shodan for a specific favicon hash, then pipe them into nuclei.

▶ shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/springboot-pwner-workflow.yaml

2. F5 BIG-IP Remote Code Execution (CVE-2020-5902) Pwner Workflow

Template:

id: bigip-pwner-workflow
info:
  name: F5 BIG-IP RCE Workflow
  author: dwisiswant0
variables:
  bigip_config_utility: technologies/bigip-config-utility-detect.yaml
  bigip_cve_2020_5902: cves/CVE-2020-5902.yaml
logic:
  |
  if bigip_config_utility() {
    bigip_cve_2020_5902()
  }

Workflow diagram

(F5 BIG-IP Remote Code Execution — CVE-2020-5902 Pwner Workflow diagram with Nuclei)

Usage:

▶ shodan search org:"Target" http.favicon.hash:-335242539 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/bigip-pwner-workflow.yaml

More example workflows are available in the nuclei-templates repository.

Last but not least

You can also contribute by adding templates to nuclei-templates: open a PR and help the list grow!