Weaponizes nuclei Workflows to Pwn All the Things
Nuclei is a configurable, targeted scanner driven by templates, which gives it complete extensibility through a very simple and easy-to-use templating syntax.
Templates
nuclei-templates is the main focus of the nuclei scanner, and the emphasis is on simplicity: you only need to define mappings (keys and values) in YAML format, and nuclei executes them.
For example:
id: exposed-svn

info:
  name: Exposed SVN Directory
  author: udit_thakkur & dwisiswant0
  severity: medium

requests:
  - method: GET
    path:
      - "/.svn/entries"
      - "/.svn/prop-base/"
      - "/.svn/text-base/"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
      - type: status
        status:
          - 200
The template above scans the targets for an exposed SVN directory by making sequential requests to:
- /.svn/entries
- /.svn/prop-base/
- /.svn/text-base/
Usage:
▶ nuclei -l urls.txt -t files/exposed-svn.yaml
NOTE: The matchers-condition key has the value and, which means a result is reported only if all of the matchers succeed!
(Demo: nuclei scan targets with exposed-svn template)
The result is then displayed on the terminal only if the response has a 200 status code and the response body matches the regex.
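To make the matcher semantics concrete, here is an added example (my own code, not part of the original post or of nuclei itself) that re-implements the two matchers of the exposed-svn template in Python and applies them with matchers-condition: and to constructed responses. The response bodies, status codes and host names are constructed for the example; the regex is the one from the template with the YAML double-quote escaping removed. It is handy for checking, without a network, whether a given response would be flagged, for instance to confirm that a fix (blocking /.svn/ or returning 404) really stops the template from matching, and why a server that answers 200 to every path does not produce a false positive.

```python
import re

# Regex from the exposed-svn template above, written as a Python raw string
SVN_REGEX = re.compile(
    r"(^10\s*dir|\.svn-base|has-props|svn:\/\/"
    r"|([\da-f]{32}[\S+\r\n\s]+[\d]{4}-[\d]{2}-[\d]{2}T[\d]{2}:[\d]{2}:[\d]{2}.[\d]{6}Z))"
)

# The template's matchers, as Python data instead of YAML
MATCHERS = [
    {"type": "regex", "part": "body", "regex": [SVN_REGEX]},
    {"type": "status", "status": [200]},
]
MATCHERS_CONDITION = "and"

# Constructed responses for the three paths the template requests, per host.
# None of these hosts exist; they only illustrate the matcher behaviour.
RESPONSES = {
    # a host that really exposes its working copy: old-style entries file
    "exposed.example.invalid": {
        "/.svn/entries": (200, "10\n\ndir\n4242\nsvn://repo.example.invalid/trunk\n"),
        "/.svn/prop-base/": (200, "<html>Index of /.svn/prop-base/</html>"),
        "/.svn/text-base/": (403, "Forbidden"),
    },
    # a single-page app that answers 200 with the same HTML for every path
    "spa.example.invalid": {
        "/.svn/entries": (200, "<html><body><div id=app></div></body></html>"),
        "/.svn/prop-base/": (200, "<html><body><div id=app></div></body></html>"),
        "/.svn/text-base/": (200, "<html><body><div id=app></div></body></html>"),
    },
    # a hardened host whose web server denies the dot-directory
    "fixed.example.invalid": {
        "/.svn/entries": (404, "Not Found"),
        "/.svn/prop-base/": (404, "Not Found"),
        "/.svn/text-base/": (404, "Not Found"),
    },
}


def run_matcher(matcher, status, body):
    """Evaluate one matcher against a (status, body) pair."""
    if matcher["type"] == "status":
        return status in matcher["status"]
    if matcher["type"] == "regex":
        # 'part: body' is the only part needed for this template
        text = body if matcher.get("part", "body") == "body" else ""
        # a regex matcher succeeds if any of its patterns matches
        return any(pattern.search(text) for pattern in matcher["regex"])
    raise ValueError("unsupported matcher type: %s" % matcher["type"])


def template_matches(status, body, condition=MATCHERS_CONDITION):
    """Combine all matchers with matchers-condition ('and' or 'or')."""
    results = [run_matcher(m, status, body) for m in MATCHERS]
    return all(results) if condition == "and" else any(results)


def scan_host(host, responses=RESPONSES):
    """Return the list of requested paths whose response satisfies the template."""
    return [
        path
        for path, (status, body) in responses[host].items()
        if template_matches(status, body)
    ]


if __name__ == "__main__":
    for host in RESPONSES:
        print("%-25s -> %s" % (host, scan_host(host) or "no match"))
```

With the and condition only the first host is reported, and only for /.svn/entries; the SPA host returns 200 everywhere but never matches the regex, and the hardened host matches the regex nowhere and the status nowhere. Switching the condition to or would flag every 200 response on the SPA host, which is exactly the false positive the template avoids.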
Workflows
Nuclei workflows let you chain templates conditionally: a template runs only after the condition set by a previous template has matched, which makes the process more precise! Chained workflows support both HTTP and DNS request-based templates.
A workflow has two parts, variables and logic:
- Variables: paths to the template or templates that can be executed, and
- Logic: the conditions that define how those variables are run.
Example workflows
1. Spring Boot Pwner Workflow
(Demo: nuclei scan targets with Spring Boot Pwner Workflow template)
id: springboot-pwner-workflow

info:
  name: Spring Boot Pwner
  author: dwisiswant0

variables:
  springboot: security-misconfiguration/springboot-detect.yaml
  springboot_cve_2018_1271: cves/CVE-2018-1271.yaml
  springboot_cve_2019_3799: cves/CVE-2019-3799.yaml
  springboot_cve_2020_5410: cves/CVE-2020-5410.yaml
  springboot_xxe: vulnerabilities/springboot-actuators-jolokia-xxe.yaml

logic: |
  if springboot() {
    springboot_cve_2018_1271()
    springboot_cve_2019_3799()
    springboot_cve_2020_5410()
    springboot_xxe()
  }
The workflow above scans the target with the following flow: if the target shows the Spring Boot misconfiguration, nuclei then scans it for CVE-2018-1271, CVE-2019-3799, CVE-2020-5410 and the Spring Boot Actuators (Jolokia) XXE vulnerability; otherwise none of those templates run.
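To show exactly which templates a workflow executes against which host, here is an added example (my own code, not part of the original post or of nuclei) that parses the logic block of the Spring Boot workflow above and runs it against a constructed inventory instead of real targets. nuclei evaluates the logic block with its own script engine; the small parser below is an assumption of mine that handles only the if name() { name() ... } subset used on this page. Each template is simulated as a function that reports whether it matched, and the runner records both the templates it executed and the ones that matched, which is the trace you want when reviewing a workflow before running it or when reconciling a scan with your web server logs.

```python
import re

# Variables and logic copied from the Spring Boot workflow above
VARIABLES = {
    "springboot": "security-misconfiguration/springboot-detect.yaml",
    "springboot_cve_2018_1271": "cves/CVE-2018-1271.yaml",
    "springboot_cve_2019_3799": "cves/CVE-2019-3799.yaml",
    "springboot_cve_2020_5410": "cves/CVE-2020-5410.yaml",
    "springboot_xxe": "vulnerabilities/springboot-actuators-jolokia-xxe.yaml",
}
LOGIC = """
if springboot() {
    springboot_cve_2018_1271()
    springboot_cve_2019_3799()
    springboot_cve_2020_5410()
    springboot_xxe()
}
"""

# Constructed inventory: for each (fictional) target, the set of template
# paths that would match it. This stands in for the real HTTP requests.
INVENTORY = {
    "10.0.0.5:8080": {
        "security-misconfiguration/springboot-detect.yaml",
        "cves/CVE-2018-1271.yaml",
    },
    "10.0.0.9:80": set(),  # not a Spring Boot host at all
}

# Tokens of the supported logic subset: 'if', braces, and 'name()' calls
TOKEN = re.compile(r"\s*(if\b|\{|\}|[A-Za-z_]\w*\(\))")


def tokenize(logic):
    tokens, pos = [], 0
    while pos < len(logic):
        m = TOKEN.match(logic, pos)
        if m is None:
            if logic[pos:].isspace():
                break  # only trailing whitespace remains
            raise SyntaxError("unsupported logic near %r" % logic[pos:pos + 20])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse_block(tokens, i=0):
    """Parse statements until '}' or end of input; returns (statements, index)."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        tok = tokens[i]
        if tok == "if":
            cond = tokens[i + 1]
            if not cond.endswith("()") or tokens[i + 2] != "{":
                raise SyntaxError("expected 'if name() {'")
            body, i = parse_block(tokens, i + 3)
            if i >= len(tokens) or tokens[i] != "}":
                raise SyntaxError("missing '}'")
            stmts.append(("if", cond[:-2], body))
            i += 1
        elif tok.endswith("()"):
            stmts.append(("call", tok[:-2]))
            i += 1
        else:
            raise SyntaxError("unexpected token %r" % tok)
    return stmts, i


def parse(logic):
    stmts, i = parse_block(tokenize(logic))
    if i != len(tokenize(logic)):
        raise SyntaxError("unbalanced braces")
    return stmts


def run_workflow(target, inventory=INVENTORY, logic=LOGIC):
    """Execute the workflow for one target; returns (executed, matched) template paths."""
    executed, matched = [], []

    def exec_block(stmts):
        for stmt in stmts:
            path = VARIABLES[stmt[1]]
            executed.append(path)
            hit = path in inventory.get(target, set())  # simulated template run
            if hit:
                matched.append(path)
            if stmt[0] == "if" and hit:  # body runs only when the condition matched
                exec_block(stmt[2])

    exec_block(parse(logic))
    return executed, matched


if __name__ == "__main__":
    for target in INVENTORY:
        executed, matched = run_workflow(target)
        print(target, "executed:", len(executed), "matched:", matched)
```

Running it shows the gating effect: the Spring Boot host gets all five templates and two matches, while the non-Spring Boot host only ever sees the detection template, so the CVE templates are never sent to it.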
Workflow diagram
(Spring Boot Pwner Workflow diagram with Nuclei)
Usage:
Gather targets by querying Shodan for a specific favicon hash, then pipe them into nuclei:
▶ shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/springboot-pwner-workflow.yaml
2. F5 BIG-IP Remote Code Execution (CVE-2020-5902) Pwner Workflow
id: bigip-pwner-workflow

info:
  name: F5 BIG-IP RCE Workflow
  author: dwisiswant0

variables:
  bigip_config_utility: technologies/bigip-config-utility-detect.yaml
  bigip_cve_2020_5902: cves/CVE-2020-5902.yaml

logic: |
  if bigip_config_utility() {
    bigip_cve_2020_5902()
  }
Workflow diagram
(F5 BIG-IP Remote Code Execution — CVE-2020-5902 Pwner Workflow diagram with Nuclei)
Usage:
▶ shodan search org:"Target" http.favicon.hash:-335242539 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/bigip-pwner-workflow.yaml
More example workflows are available in the nuclei-templates repository.
Last but not least
You can also contribute by adding templates to nuclei-templates: open a PR to grow the list!
References
- https://blog.projectdiscovery.io/post/nuclei-introduction/
- https://github.com/projectdiscovery/nuclei
- https://github.com/projectdiscovery/nuclei-templates
- https://github.com/projectdiscovery/nuclei-templates/blob/master/GUIDE.md
- https://www.shodan.io
- https://github.com/devanshbatham/FavFreak