
nuclei configuration

1. Ignore POCs you do not need

Edit the ~/.config/nuclei/config.yaml file.


Some templates to exclude:

exclude-templates:
  - ssl/deprecated-tls.yaml
  - misconfiguration/http-missing-security-headers.yaml
  - ssl/tls-version.yaml
  - miscellaneous/addeventlistener-detect.yaml
  - technologies/akamai-cache-detect.yaml
  - technologies/apache/apache-detect.yaml
  - miscellaneous/apple-app-site-association.yaml
  - misconfiguration/aspx-debug-mode.yaml
  - technologies/aws/aws-cloudfront-service.yaml
  - exposures/configs/azure-domain-tenant.yaml
  - technologies/basic-auth-detect.yaml
  - vulnerabilities/generic/cors-misconfig.yaml
  - exposures/tokens/generic/credentials-disclosure.yaml
  - ssl/deprecated-tls.yaml
  - technologies/detect-sentry.yaml
  - miscellaneous/email-extractor.yaml
  - ssl/expired-ssl.yaml
  - technologies/fingerprinthub-web-fingerprints.yaml
  - technologies/google/google-bucket-service.yaml
  - technologies/google-frontend-httpserver.yaml
  - miscellaneous/gpc-json.yaml
  - misconfiguration/http-missing-security-headers.yaml
  - vulnerabilities/jira/jira-unauthenticated-user-picker.yaml
  - technologies/kubernetes/kubelet/kubelet-metrics.yaml
  - misconfiguration/kubernetes/kubernetes-metrics.yaml
  - misconfiguration/lvm-exporter-metrics.yaml
  - technologies/metatag-cms.yaml
  - ssl/mismatched-ssl.yaml
  - technologies/nginx/nginx-version.yaml
  - miscellaneous/old-copyright.yaml
  - technologies/openresty-detect.yaml
  - miscellaneous/options-method.yaml
  - misconfiguration/postgres-exporter-metrics.yaml
  - technologies/puppetdb-detect.yaml
  - vulnerabilities/generic/request-based-interaction.yaml
  - miscellaneous/robots-txt.yaml
  - miscellaneous/robots-txt-endpoint.yaml
  - miscellaneous/security-txt.yaml
  - ssl/self-signed-ssl.yaml
  - miscellaneous/sitemap-detect.yaml
  - ssl/ssl-dns-names.yaml
  - exposures/apis/swagger-api.yaml
  - technologies/tech-detect.yaml
  - misconfiguration/tls-sni-proxy.yaml
  - ssl/tls-version.yaml
  - misconfiguration/unauthenticated-varnish-cache-purge.yaml
  - technologies/waf-detect.yaml
  - technologies/wordpress-detect.yaml
  - misconfiguration/xss-deprecated-header.yaml
  - takeovers/announcekit-takeover.yaml
  - takeovers/aha-takeover.yaml
  - takeovers/flywheel-takeover.yaml
  - takeovers/bigcartel-takeover.yaml
  - takeovers/helprace-takeover.yaml
  - takeovers/aftership-takeover.yaml
  - takeovers/launchrock-takeover.yaml
  - takeovers/teamwork-takeover.yaml
  - takeovers/helpjuice-takeover.yaml
  - takeovers/jetbrains-takeover.yaml
  - takeovers/anima-takeover.yaml
  - takeovers/wix-takeover.yaml
  - takeovers/helpscout-takeover.yaml
  - takeovers/vend-takeover.yaml
  - takeovers/webflow-takeover.yaml
  - takeovers/readme-takeover.yaml
  - takeovers/cargo-takeover.yaml
  - takeovers/ghost-takeover.yaml
  - takeovers/pantheon-takeover.yaml
  - takeovers/short-io.yaml
  - takeovers/uservoice-takeover.yaml
  - takeovers/wishpond-takeover.yaml
  - takeovers/netlify-takeover.yaml
  - takeovers/intercom-takeover.yaml
  - takeovers/cargocollective-takeover.yaml
  - takeovers/ngrok-takeover.yaml
  - takeovers/pagewiz-takeover.yaml
  - takeovers/canny-takeover.yaml
  - takeovers/smartjob-takeover.yaml
  - takeovers/tave-takeover.yaml
  - takeovers/worksites-takeover.yaml
  - takeovers/leadpages-takeover.yaml
  - takeovers/github-takeover.yaml
  - takeovers/kinsta-takeover.yaml
  - takeovers/flexbe-takeover.yaml
  - takeovers/readthedocs-takeover.yaml
  - takeovers/heroku-takeover.yaml
  - takeovers/sprintful-takeover.yaml
  - takeovers/simplebooklet-takeover.yaml
  - takeovers/gemfury-takeover.yaml
  - takeovers/surveygizmo-takeover.yaml
  - takeovers/bitbucket-takeover.yaml
  - takeovers/strikingly-takeover.yaml
  - takeovers/tumblr-takeover.yaml
  - takeovers/uberflip-takeover.yaml
  - takeovers/smugmug-takeover.yaml
  - takeovers/tilda-takeover.yaml
  - takeovers/hatenablog-takeover.yaml
  - takeovers/airee-takeover.yaml
  - takeovers/getresponse-takeover.yaml
  - takeovers/zendesk-takeover.yaml
  - takeovers/jazzhr-takeover.yaml
  - takeovers/wufoo-takeover.yaml
  - takeovers/agilecrm-takeover.yaml
  - takeovers/gitbook-takeover.yaml
  - takeovers/mashery-takeover.yaml
  - takeovers/surveysparrow-takeover.yaml
  - takeovers/proposify-takeover.yaml
  - takeovers/surge-takeover.yaml
  - takeovers/aws-bucket-takeover.yaml
  - takeovers/hubspot-takeover.yaml
  - takeovers/shopify-takeover.yaml
  - takeovers/wordpress-takeover.yaml
  - takeovers/frontify-takeover.yaml
  - takeovers/campaignmonitor-takeover.yaml
  - takeovers/meteor-takeover.yaml
  - takeovers/pingdom-takeover.yaml
  - takeovers/uptimerobot-takeover.yaml
  - dns/txt-fingerprint.yaml
  - dns/dns-waf-detect.yaml
  - dns/worksites-detection.yaml
  - dns/caa-fingerprint.yaml
  - dns/cname-fingerprint.yaml
  - dns/mx-service-detector.yaml
  - dns/cname-service.yaml
  - dns/detect-dangling-cname.yaml
  - dns/nameserver-fingerprint.yaml
  - dns/ec2-detection.yaml
  - dns/dnssec-detection.yaml
  - dns/spoofable-spf-records-ptr.yaml
  - dns/azure-takeover-detection.yaml
  - dns/dmarc-detect.yaml
  - dns/ptr-fingerprint.yaml
  - dns/elasticbeantalk-takeover.yaml
  - dns/servfail-refused-hosts.yaml
  - dns/mx-fingerprint.yaml
  - exposed-panels/adobe
  - ssl/revoked-ssl-certificate.yaml
  - ssl/detect-ssl-issuer.yaml
  - ssl/weak-cipher-suites.yaml
  - add-2023-03-03/content_injection.yaml
  - network/detection/smtp-detect.yaml
  - network/detection/imap-detect.yaml
  - network/detection/pop3-detect.yaml
  - network/detection/esmtp-detect.yaml
  - misconfiguration/httponly-cookie-detect.yaml
  - network/detection/openssh-detect.yaml
  - add-2023-03-03/exposed-pii.yaml
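A small lint for the list above, added here as an example (it is not part of the original post or of nuclei): it parses the exclude-templates entries from config.yaml without a YAML library, reports entries listed more than once (the list above repeats a few, e.g. ssl/deprecated-tls.yaml), and flags entries that no longer exist under the templates directory, since a renamed template path silently stops excluding anything. The sample config text and the `exists` callback are constructed for the example; the templates directory is assumed to be ~/nuclei-templates.

```python
"""Lint the exclude-templates list of a nuclei config.yaml.
Added example, not part of the original post or of nuclei itself. The list
is read by hand (only the plain `  - path` item form shown above is
supported), so no YAML library is needed."""
import os
import re
from collections import Counter

# Constructed sample mirroring the list above, including a repeated entry.
SAMPLE_CONFIG = """\
exclude-templates:
  - ssl/deprecated-tls.yaml
  - misconfiguration/http-missing-security-headers.yaml
  - ssl/tls-version.yaml
  - ssl/deprecated-tls.yaml
  - exposed-panels/adobe
  - add-2023-03-03/content_injection.yaml
"""
BLOCK_START = re.compile(r"^exclude-templates:\s*$")
LIST_ITEM = re.compile(r"^\s+-\s+(\S+)\s*$")

def parse_exclude_templates(text):
    """Return the entries under `exclude-templates:` in file order."""
    entries, in_block = [], False
    for line in text.splitlines():
        if BLOCK_START.match(line):
            in_block = True
            continue
        if not in_block or not line.strip() or line.lstrip().startswith("#"):
            continue
        item = LIST_ITEM.match(line)
        if item:
            entries.append(item.group(1))
        else:  # any other non-blank line starts the next top-level key
            in_block = False
    return entries

def find_duplicates(entries):
    """Entries listed more than once: harmless to nuclei, but noise."""
    return sorted(e for e, n in Counter(entries).items() if n > 1)

def find_stale(entries, templates_dir, exists=os.path.exists):
    """Entries matching neither a file nor a directory under templates_dir.
    Template paths move between releases, so a stale entry excludes nothing."""
    return [e for e in entries if not exists(os.path.join(templates_dir, e))]

def lint_config(text, templates_dir, exists=os.path.exists):
    entries = parse_exclude_templates(text)
    return {"count": len(entries), "duplicates": find_duplicates(entries),
            "stale": find_stale(entries, templates_dir, exists)}
```

Against the real file, call `lint_config` with the contents of ~/.config/nuclei/config.yaml and the path of your templates directory, and clean up whatever comes back under "duplicates" and "stale".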

2. Improve scan efficiency

  • -timeout: sets the request timeout; the default is 10 and a smaller value can be used
  • -retries: sets the number of retries for a failed request; the default is 1

3. Locating a vulnerability

Suppose the first nuclei run finds a vulnerability; running nuclei again with -debug lets you identify it. I tried this myself and found that -debug just prints out the requests for every target, so with many targets there is a lot of noise. For a single vulnerability it is fine, and you can see how the target was requested.

nuclei -t ~/nuclei-templates/add-2023-03-04/Seeyou-ReportServer.yaml -l 1.txt -debug

4. nuclei fingerprint scanning

nuclei can also be used to scan the target system's fingerprint, which is enabled with the -as option.

nuclei -u http://example.com -as

5. ASN and CIDR input

echo AS11533 | nuclei -tags log4j

6. nuclei -tc condition

nuclei can also restrict which templates are loaded with a condition passed via -tc.

The format is:

nuclei -tc <condition>

For example, using the contains function:

nuclei -tc "contains(tags,'xss') && contains(tags,'cve')"
nuclei -tc "contains(tags,'xss') || contains(tags,'ssrf')"
nuclei -tc "(contains(tags,'xss') || contains(tags,'ssrf')) && contains(severity,'high')"
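To see what the three conditions above actually select, here is an added example (not nuclei's own DSL implementation, and not from the original post) that evaluates a -tc style condition, with contains(), &&, ||, ! and parentheses, against the `info` fields of a set of templates; the template metadata is constructed for the example, and fields are treated as strings exactly as they appear in a template file, so contains(tags,'cve') also matches a tags value such as cve2022.

```python
"""Evaluate a nuclei-style -tc condition against template metadata.
Added example, not nuclei's own DSL: it supports contains() and the
&& / || / ! / ( ) operators from the conditions above, over the template
`info` fields as strings, so contains() is a substring test."""
import re

# Constructed sample metadata; a real run would read it from template files.
TEMPLATES = [
    {"id": "sample-xss-cve", "severity": "high", "tags": "cve,cve2022,xss"},
    {"id": "sample-ssrf", "severity": "medium", "tags": "ssrf,oast"},
    {"id": "sample-xss-generic", "severity": "medium", "tags": "xss,generic"},
    {"id": "sample-dos", "severity": "high", "tags": "dos,cve"},
]
FIELDS = ("id", "name", "author", "severity", "tags")
TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|,|'[^']*'|[A-Za-z_]\w*)")
OPERATORS = {"&&": " and ", "||": " or ", "!": " not "}

def to_python(condition):
    """Tokenise the condition into an equivalent Python expression; only
    whitelisted tokens pass, so eval() below sees nothing but contains()
    and the template fields."""
    out, pos, condition = [], 0, condition.strip()
    while pos < len(condition):
        m = TOKEN.match(condition, pos)
        if not m:
            raise ValueError("unexpected input at %r" % condition[pos:])
        tok = m.group(1)
        if (tok[0].isalpha() or tok[0] == "_") and tok != "contains" and tok not in FIELDS:
            raise ValueError("unknown identifier %r" % tok)
        out.append(OPERATORS.get(tok, tok))
        pos = m.end()
    return "".join(out).strip()

def matches(info, condition):
    """True when the template's info block satisfies the condition."""
    scope = {name: str(info.get(name, "")) for name in FIELDS}
    scope["contains"] = lambda value, needle: needle in value
    return bool(eval(to_python(condition), {"__builtins__": {}}, scope))

def select_templates(templates, condition):
    """IDs of the templates that -tc would load for this condition."""
    return [t["id"] for t in templates if matches(t, condition)]

def is_valid_condition(condition):
    """Pre-check a condition (bad token, unknown field, unbalanced parens)."""
    try:
        matches({}, condition)
        return True
    except (ValueError, SyntaxError):
        return False
```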

7. nuclei tags

nuclei's tag options select which templates are loaded; they include tags, etags, itags and so on.

nuclei -tags dns -u http://example.com

# exclude certain tags
nuclei -etags cve -u http://example.com

# include the specified tags, exclude other tags
nuclei -itags xss -u http://example.com

8. nuclei in CI/CD

nuclei can be used together with CI/CD Action tooling; there are write-ups for three CI/CD platforms: Bitbucket, GitHub and GitLab.

CI/CD stands for Continuous Integration and Continuous Delivery. CI/CD establishes an automated software delivery process that links development, testing, deployment and final production into one seamless flow. Continuous integration automates testing and deployment so that every developer can release new versions faster and more easily; continuous delivery ensures fast, reliable delivery of software and quick rollback on failure.

References:

https://blog.projectdiscovery.io/implementing-nuclei-into-your-bitbucket-ci-cd-pipeline-for-scanning-live-web-applications/

https://blog.projectdiscovery.io/implementing-nuclei-into-your-github-ci-cd-for-scanning-live-web-applications/

https://blog.projectdiscovery.io/implementing-nuclei-into-your-gitlab-ci-cd-pipeline-for-scanning-live-web-applications/