Weaponizing nuclei Workflows to Pwn All the Things

Nuclei is a configurable, template-based targeted scanner that allows complete extensibility through a very simple and easy-to-use templating syntax.

Templates

nuclei-templates is the main focus of the nuclei scanner, and it is built for simplicity: you only need to define mappings (keys and values) in YAML format, which the nuclei scanner then executes.

For example:

id: exposed-svn

info:
  name: Exposed SVN Directory
  author: udit_thakkur & dwisiswant0
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.svn/entries"
      - "{{BaseURL}}/.svn/prop-base/"
      - "{{BaseURL}}/.svn/text-base/"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
      - type: status
        status:
          - 200

The template above scans targets for an exposed SVN directory by making sequential requests to:

  • {{BaseURL}}/.svn/entries
  • {{BaseURL}}/.svn/prop-base/
  • {{BaseURL}}/.svn/text-base/

Usage:

▶ nuclei -l urls.txt -t files/exposed-svn.yaml

NOTE: The matchers-condition key has the value and, which means a result is reported only if all of the matchers match!

Demo: nuclei scan targets with exposed-svn template

The result is then displayed on the terminal if the response has a 200 status code and the response body matches the regex.
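To make the and semantics concrete, here is an added example (not part of the original post or of nuclei itself) that re-implements the matcher evaluation of the exposed-svn template in Python. The matcher definitions are transcribed from the template above; the HTTP responses are constructed samples.

```python
import re

# Regex transcribed from the exposed-svn template above (YAML escapes removed).
SVN_REGEX = (r"(^10\s*dir|\.svn-base|has-props|svn:\/\/|([\da-f]{32}"
             r"[\S+\r\n\s]+[\d]{4}-[\d]{2}-[\d]{2}T[\d]{2}:[\d]{2}:[\d]{2}.[\d]{6}Z))")

# Matchers section of the template, expressed as plain Python data.
EXPOSED_SVN = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "regex", "part": "body", "regex": [SVN_REGEX]},
        {"type": "status", "status": [200]},
    ],
}


def matcher_hits(matcher, status, body):
    """Evaluate one nuclei-style matcher against a (status, body) pair."""
    kind = matcher["type"]
    if kind == "status":
        return status in matcher["status"]
    if kind == "regex":
        # Patterns inside a single matcher are OR-ed (nuclei's default condition).
        # '^' anchors at the start of the body, like Go's default regexp mode.
        return any(re.search(p, body) for p in matcher["regex"])
    if kind == "word":
        return any(w in body for w in matcher["words"])
    raise ValueError(f"unsupported matcher type: {kind}")


def template_matches(template, status, body):
    """Combine all matcher results using matchers-condition ('and' or 'or')."""
    results = [matcher_hits(m, status, body) for m in template["matchers"]]
    combine = all if template.get("matchers-condition", "or") == "and" else any
    return combine(results)


# Constructed sample bodies: a real-looking .svn/entries file and a soft 404 page.
SVN_ENTRIES_BODY = "10\n\ndir\n0\nsvn://example.invalid/repo\n"
SOFT_404_BODY = "<html><body>Not found</body></html>"

if __name__ == "__main__":
    print(template_matches(EXPOSED_SVN, 200, SVN_ENTRIES_BODY))  # True
    print(template_matches(EXPOSED_SVN, 404, SVN_ENTRIES_BODY))  # False: status fails
    print(template_matches(EXPOSED_SVN, 200, SOFT_404_BODY))     # False: regex fails
```

The second and third calls show why and matters: a soft-404 page returning 200, or a real entries file served with a non-200 code, would produce a false positive under or.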

Workflows

Nuclei workflows let you create conditional templates that execute only after the condition of the previous templates has matched, which makes the process more precise! A chained workflow supports both HTTP and DNS request-based templates.

A workflow has two parts, variables and logic:

  • Variables: paths to the template(s) that will be executed, and
  • Logic: defines how the variables should be run.

Example workflows

1. Spring Boot Pwner Workflow

Demo: nuclei scan targets with Spring Boot Pwner Workflow template

Template:

id: springboot-pwner-workflow

info:
  name: Spring Boot Pwner
  author: dwisiswant0

variables:
  springboot: security-misconfiguration/springboot-detect.yaml
  springboot_cve_2018_1271: cves/CVE-2018-1271.yaml
  springboot_cve_2019_3799: cves/CVE-2019-3799.yaml
  springboot_cve_2020_5410: cves/CVE-2020-5410.yaml
  springboot_xxe: vulnerabilities/springboot-actuators-jolokia-xxe.yaml

logic:
  |
    if springboot() {
      springboot_cve_2018_1271()
      springboot_cve_2019_3799()
      springboot_cve_2020_5410()
      springboot_xxe()
    }

The workflow above scans the target with the following flow: if the target has a Spring Boot misconfiguration, nuclei then scans for CVE-2018-1271, CVE-2019-3799, CVE-2020-5410 and the Spring Boot Actuators (Jolokia) XXE vulnerability.

Workflow diagram

Spring Boot Pwner Workflow diagram with Nuclei

Usage:

Gather targets by querying Shodan for a specific favicon hash, then pipe them into nuclei.

▶ shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/springboot-pwner-workflow.yaml

2. F5 BIG-IP Remote Code Execution (CVE-2020-5902) Pwner Workflow

Template:

id: bigip-pwner-workflow

info:
  name: F5 BIG-IP RCE Workflow
  author: dwisiswant0

variables:
  bigip_config_utility: technologies/bigip-config-utility-detect.yaml
  bigip_cve_2020_5902: cves/CVE-2020-5902.yaml

logic:
  |
    if bigip_config_utility() {
      bigip_cve_2020_5902()
    }

Workflow diagram

F5 BIG-IP Remote Code Execution (CVE-2020-5902) Pwner Workflow diagram with Nuclei

Usage:

▶ shodan search org:"Target" http.favicon.hash:-335242539 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | httprobe | nuclei -t workflows/bigip-pwner-workflow.yaml

More example workflows are available here.

You can also contribute by adding templates to nuclei-templates through a pull request, to grow the list!
