Nuclei 進階—深入理解 Workflows、Matchers 和 Extractors

語言: CN / TW / HK

前面的文章中介紹了nuclei的基礎使用方法,可以參考文章:

​POC模擬攻擊利器——Nuclei入門(一)​

接下來我重點講解一下nuclei中的三個概念,Workflows、Mathcer和Extractors。這些內容將有助於幫助大家編寫更為複雜和高效的檢測指令碼!

workflows

Workflows允許使用者自定義模板的執行順序,這是使用nuclei最高效的方式,官方推薦使用者使用自定義Workflows進而縮短掃描時間,提升掃描效率!

  • 基礎工作流

例如,定義workflow 掃描files目錄下如下yaml:

workflows:- template: files/git-config.yaml- template: files/svn-config.yaml- template: files/env-file.yaml- template: files/backup-files.yaml- tags: xss,ssrf,cve,lfi
  • 條件工作流

首先確認springboot-detect.yaml是否正確執行,如果OK,則執行subtemplates下的template,例項如下:

id: springboot-workflowinfo:name: Springboot Security Checksauthor: dwisiswant0workflows:- template: security-misconfiguration/springboot-detect.yamlsubtemplates:- template: cves/CVE-2018-1271.yaml- template: cves/CVE-2018-1271.yaml- template: cves/CVE-2020-5410.yaml- template: vulnerabilities/springboot-actuators-jolokia-xxe.yaml- template: vulnerabilities/springboot-h2-db-rce.yaml

執行workflows。

nuclei -list http_urls.txt -w workflows/my-workflow.yaml。

Matchers

Mathcer顧明思議,就是提供了一些規則,來對響應結果進行比較匹配!常用有六種型別的。

mathcer,如下所示:

  • status Integer Comparisons of Part
  • size Content Length of Part
  • word Part for a protocol
  • regex Part for a protocol
  • binary Part for a protocol
  • dsl Part for a protocol

例如想對響應碼進行比較匹配,寫法如下:

matchers:# Match the status codes- type: status# Some status codes we want to matchstatus:- 200

想對響應碼進行復雜的匹配時,可以使用dsl。

matchers:- type: dsldsl:- "len(body)<1024 && status_code==200"- "contains(toupper(body), md5(cookie))"

上個例項的含義是匹配響應體長度小於1024 並且狀態碼是200。

判斷大寫的body中是否包括cookie的md5sum。

使用condition: and\or 可以對多個條件進行匹配,預設多個條件是and的關係。

官方例項如下:

matchers:# Match the body word- type: word# Some words we want to matchwords:- "[core]"- "[config]"# Both words must be found in the response bodycondition: and# We want to match request body (default)part: body

詳情請參考:

https://nuclei.projectdiscovery.io/templating-guide/operators/matchers/。

Extractors

Extractors 也是對結果進行校驗,與matchers相比,它可以把滿足規則的內容顯示出來,同樣他也有不同型別的Extractors,如下所示:

1. regex - Extract data from response based on a Regular Expression。

2. kval - Extract key: value/key=value formatted data from Response Header/Cookie。

3. json - Extract data from JSON based response in JQ like syntax。

4. xpath - Extract xpath based data from HTML Response。

例如:

extractors:- type: xpath # type of the extractorattribute: href # attribute value to extract (optional)xpath:- "/html/body/div/p[2]/a" # xpath value for extraction

5. dsl - Extract data from the response based on a DSL expressions。

詳情請參考:

https://nuclei.projectdiscovery.io/templating-guide/operators/extractors/。

由於使用nuclei時間尚淺,關於Extractors和Matchers,個人感覺使用差別不是很大!

二者都是對結果的校驗,與matchers相比,Extractors它可以把滿足規則的內容顯示出來!如果大家需要編寫複雜的響應校驗,那麼就需要花時間多研究dsl了。

如何從nuclei中受益

當使用了nuclei一段時間後,個人覺得其實使用nuclei最有價值的就是裡面各種template,我們可以檢視各個template的指令碼來學習攻擊方法,而且還可以根據裡面的reference 來檢視漏洞的詳情,這個特別有助於安全知識的相關積累!至於攻擊請求的傳送,這個其實就容易很多了,我們是否使用nuclei其實都無所謂的,舉個簡單的例子,關於CVE-2020-9484的 yaml指令碼定義如下:

id: CVE-2020-9484info:name: Apache Tomcat Remote Command Executionauthor: dwisiswant0severity: highdescription: |When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 ifa) an attacker is able to control the contents and name of a file on the server; andb) the server is configured to use the PersistenceManager with a FileStore; andc) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; andd) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.Note that all of conditions a) to d) must be true for the attack to succeed.reference:- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html- https://nvd.nist.gov/vuln/detail/CVE-2020-9484- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3Eclassification:cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:Hcvss-score: 7cve-id: CVE-2020-9484cwe-id: CWE-502tags: cve,cve2020,apache,tomcat,rcerequests:- method: GETheaders:Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"path:- "{{BaseURL}}/index.jsp"matchers-condition: andmatchers:- type: statusstatus:- 500- type: wordpart: bodywords:- "Exception"- "ObjectInputStream"- "PersistentManagerBase"condition: and

這個指令碼中,最容易的可能就是requests:部分攻擊指令碼程式碼,我們用jmeter 或者自己寫程式碼的方式完全可以輕鬆模擬!而description:部分以及reference:部分才是我們需要重點研究的物件!也是我們深入理解poc攻擊的最佳例項!