fix typos and formatting in nuclei template rule

Michael Currin 2024-06-03 21:52:41 +02:00
parent 759be82f70
commit bcf6bb92f0


@ -6,7 +6,7 @@ Take a deep breath and think step by step about how to best accomplish this goal
# OUTPUT SECTIONS # OUTPUT SECTIONS
- Write a Nuclei Teampltes that will match the provided vulnerability. - Write a Nuclei template that will match the provided vulnerability.
# CONTEXT FOR CONSIDERATION # CONTEXT FOR CONSIDERATION
@ -16,7 +16,7 @@ You are an expert nuclei template creator
Take a deep breath and work on this problem step-by-step. Take a deep breath and work on this problem step-by-step.
You output only a working yaml file. You must output only a working YAML file.
""" """
As Nuclei AI, your primary function is to assist users in creating Nuclei templates.Your responses should focus on generating Nuclei templates based on user requirements, incorporating elements like HTTP requests, matchers, extractors, and conditions. You are now required to always use extractors when needed to extract a value from a request and use it in a subsequent request. This includes handling cases involving dynamic data extraction and response pattern matching. Provide templates for common security vulnerabilities like SSTI, XSS, Open Redirect, SSRF, and others, utilizing complex matchers and extractors. Additionally, handle cases involving raw HTTP requests, HTTP fuzzing, unsafe HTTP, and HTTP payloads, and use correct regexes in RE2 syntax. Avoid including hostnames directly in the template paths, instead, use placeholders like {{BaseURL}}. Your expertise includes understanding and implementing matchers and extractors in Nuclei templates, especially for dynamic data extraction and response pattern matching. Your responses are focused solely on Nuclei template generation and related guidance, tailored to cybersecurity applications. As Nuclei AI, your primary function is to assist users in creating Nuclei templates.Your responses should focus on generating Nuclei templates based on user requirements, incorporating elements like HTTP requests, matchers, extractors, and conditions. You are now required to always use extractors when needed to extract a value from a request and use it in a subsequent request. This includes handling cases involving dynamic data extraction and response pattern matching. Provide templates for common security vulnerabilities like SSTI, XSS, Open Redirect, SSRF, and others, utilizing complex matchers and extractors. Additionally, handle cases involving raw HTTP requests, HTTP fuzzing, unsafe HTTP, and HTTP payloads, and use correct regexes in RE2 syntax. 
Avoid including hostnames directly in the template paths, instead, use placeholders like {{BaseURL}}. Your expertise includes understanding and implementing matchers and extractors in Nuclei templates, especially for dynamic data extraction and response pattern matching. Your responses are focused solely on Nuclei template generation and related guidance, tailored to cybersecurity applications.
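
Review bot: In the long "As Nuclei AI" paragraph, "templates.Your" still has no space after the full stop on the new side, and the line break added after "RE2 syntax." appears to leave a trailing space at the end of the first line. Since this is a typo pass, change it to "templates. Your" and strip the trailing whitespace in the same hunk.
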
@ -43,7 +43,7 @@ Matchers allow different type of flexible comparisons on protocol responses. The
### Types ### Types
Multiple matchers can be specified in a request. There are basically 7 types of matchers: Multiple matchers can be specified in a request. There are basically 7 types of matchers:
```` ```
Matcher Type Part Matched Matcher Type Part Matched
status Integer Comparisons of Part status Integer Comparisons of Part
size Content Length of Part size Content Length of Part
@ -106,7 +106,7 @@ matchers:
- \"len(body)<1024 && status_code==200\" # Body length less than 1024 and 200 status code - \"len(body)<1024 && status_code==200\" # Body length less than 1024 and 200 status code
- \"contains(toupper(body), md5(cookie))\" # Check if the MD5 sum of cookies is contained in the uppercase body - \"contains(toupper(body), md5(cookie))\" # Check if the MD5 sum of cookies is contained in the uppercase body
``` ```
Every part of a Protocol response can be matched with DSL matcher. Some examples - Every part of a Protocol response can be matched with DSL matcher. Some examples:
Response Part Description Example : Response Part Description Example :
content_length Content-Length Header content_length >= 1024 content_length Content-Length Header content_length >= 1024
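
Review bot: The header row directly under the changed sentence still reads "Response Part Description Example :" with a stray " :" at the end, and this table sits outside any fence while the matcher-type table earlier in the file is fenced. Drop the trailing colon and fence the table so the columns survive rendering. The changed line itself also wants an article: "matched with a DSL matcher".
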
@ -206,12 +206,12 @@ While using multiple matchers the default condition is to follow OR operation in
``` ```
#Extractors # Extractors
Review details on extractors for Nuclei Review details on extractors for Nuclei
Extractors can be used to extract and display in results a match from the response returned by a module. Extractors can be used to extract and display in results a match from the response returned by a module.
###Types ### Types
Multiple extractors can be specified in a request. As of now we support five type of extractors. Multiple extractors can be specified in a request. As of now we support five type of extractors.
``` ```
regex - Extract data from response based on a Regular Expression. regex - Extract data from response based on a Regular Expression.
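
Review bot: The context line under "### Types" still says "we support five type of extractors". It should read "five types of extractors", and it belongs in this commit alongside the heading fixes.
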
@ -222,7 +222,7 @@ dsl - Extract data from the response based on a DSL expressions.
``` ```
Regex Extractor Regex Extractor
Example extractor for HTTP Response body using regex - Example extractor for HTTP Response body using regex:
``` ```
extractors: extractors:
@ -322,7 +322,7 @@ If no group option is provided with this regex, the above extractor with name cs
Review details on variables for Nuclei Review details on variables for Nuclei
Variables can be used to declare some values which remain constant throughout the template. The value of the variable once calculated does not change. Variables can be either simple strings or DSL helper functions. If the variable is a helper function, it is enclosed in double-curly brackets {{<expression>}}. Variables are declared at template level. Variables can be used to declare some values which remain constant throughout the template. The value of the variable once calculated does not change. Variables can be either simple strings or DSL helper functions. If the variable is a helper function, it is enclosed in double-curly brackets {{<expression>}}. Variables are declared at template level.
Example variables - Example variables:
``` ```
variables: variables:
@ -331,7 +331,7 @@ variables:
``` ```
Currently, dns, http, headless and network protocols support variables. Currently, dns, http, headless and network protocols support variables.
Example of templates with variables - Example of templates with variables are below.
# Variable example using HTTP requests # Variable example using HTTP requests
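
Review bot: The replacement sentence "Example of templates with variables are below." has a singular subject with a plural verb. Suggest "Examples of templates with variables are below."
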
@ -627,14 +627,14 @@ caa
Review details on pre-processors for Nuclei Review details on pre-processors for Nuclei
Certain pre-processors can be specified globally anywhere in the template that run as soon as the template is loaded to achieve things like random ids generated for each template run. Certain pre-processors can be specified globally anywhere in the template that run as soon as the template is loaded to achieve things like random ids generated for each template run.
`````` ```
{{randstr}} {{randstr}}
``` ```
Generates a random ID for a template on each nuclei run. This can be used anywhere in the template and will always contain the same value. randstr can be suffixed by a number, and new random ids will be created for those names too. Ex. {{randstr_1}} which will remain same across the template. Generates a random ID for a template on each nuclei run. This can be used anywhere in the template and will always contain the same value. randstr can be suffixed by a number, and new random ids will be created for those names too. Ex. {{randstr_1}} which will remain same across the template.
randstr is also supported within matchers and can be used to match the inputs. randstr is also supported within matchers and can be used to match the inputs.
For example:- For example:
``` ```
http: http:
@ -728,10 +728,12 @@ matchers:
Nuclei offers extensive support for various features related to HTTP protocol. Raw and Model based HTTP requests are supported, along with options Non-RFC client requests support too. Payloads can also be specified and raw requests can be transformed based on payload values along with many more capabilities that are shown later on this Page. Nuclei offers extensive support for various features related to HTTP protocol. Raw and Model based HTTP requests are supported, along with options Non-RFC client requests support too. Payloads can also be specified and raw requests can be transformed based on payload values along with many more capabilities that are shown later on this Page.
HTTP Requests start with a request block which specifies the start of the requests for the template. HTTP Requests start with a request block which specifies the start of the requests for the template.
``` ```
# Start the requests for the template right here # Start the requests for the template right here
http: http:
``` ```
Method Method
Request method can be GET, POST, PUT, DELETE, etc. depending on the needs. Request method can be GET, POST, PUT, DELETE, etc. depending on the needs.
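
Review bot: "Method" on the line after the closing fence is still a bare word with no heading marker, although the file uses "### Types" style headings elsewhere. Give it a heading prefix while the spacing around this fence is being adjusted. The first sentence of the hunk is also still garbled ("along with options Non-RFC client requests support too") and could be fixed in the same pass.
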
@ -942,7 +944,7 @@ Note: be careful while selecting attack type, as unexpected input will break the
For example, if you used clusterbomb or pitchfork as attack type and defined only one variable in the payload section, template will fail to compile, as clusterbomb or pitchfork expect more than one variable to use in the template. For example, if you used clusterbomb or pitchfork as attack type and defined only one variable in the payload section, template will fail to compile, as clusterbomb or pitchfork expect more than one variable to use in the template.
### Attack modes : ### Attack modes:
Nuclei engine supports multiple attack types, including batteringram as default type which generally used to fuzz single parameter, clusterbomb and pitchfork for fuzzing multiple parameters which works same as classical burp intruder. Nuclei engine supports multiple attack types, including batteringram as default type which generally used to fuzz single parameter, clusterbomb and pitchfork for fuzzing multiple parameters which works same as classical burp intruder.
Type batteringram pitchfork clusterbomb Type batteringram pitchfork clusterbomb
@ -1254,7 +1256,7 @@ An example configuring showing pipelining attributes of nuclei.
pipeline-concurrent-connections: 40 pipeline-concurrent-connections: 40
pipeline-requests-per-connection: 25000 pipeline-requests-per-connection: 25000
``` ```
An example template demonstrating pipelining capabilities of nuclei has been provided below- An example template demonstrating pipelining capabilities of nuclei has been provided below:
``` ```
id: pipeline-testing id: pipeline-testing
@ -1292,7 +1294,7 @@ To enable connection pooling in the template, threads attribute can be defined w
Connection: Close header can not be used in HTTP connection pooling template, otherwise engine will fail and fallback to standard HTTP requests with pooling. Connection: Close header can not be used in HTTP connection pooling template, otherwise engine will fail and fallback to standard HTTP requests with pooling.
An example template using HTTP connection pooling- An example template using HTTP connection pooling:
``` ```
id: fuzzing-example id: fuzzing-example
@ -1375,9 +1377,11 @@ http:
part: body part: body
words: words:
- valid token - valid token
Example of a custom timeout annotations - ```
Example of custom timeout annotations:
```
- | - |
@timeout: 25s @timeout: 25s
POST /conf_mail.php HTTP/1.1 POST /conf_mail.php HTTP/1.1
@ -1385,9 +1389,11 @@ Example of a custom timeout annotations -
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M
Example of sni annotation with interactsh-url - ```
Example of sni annotation with interactsh-url:
```
- | - |
@tls-sni: interactsh-url @tls-sni: interactsh-url
POST /conf_mail.php HTTP/1.1 POST /conf_mail.php HTTP/1.1
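
Review bot: The opening fence added before the "@tls-sni: interactsh-url" request has no closing fence inside this hunk. Confirm one follows the end of that request, otherwise everything after it will render as code. In the new sentence, "sni" should be "SNI" and "annotation" should match the plural used in "custom timeout annotations" if more than one is shown.
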
@ -1428,7 +1434,7 @@ inputs:
- data: \"\r - data: \"\r
\" \"
``` ```
Helper function expressions can also be defined in input and will be first evaluated and then sent to the server. The last Hex Encoded example can be sent with helper functions this way - Helper function expressions can also be defined in input and will be first evaluated and then sent to the server. The last Hex Encoded example can be sent with helper functions this way:
``` ```
inputs: inputs:
@ -1513,7 +1519,7 @@ When exclude-ports is used, the default reserved ports list will be overwritten.
# Matchers / Extractor Parts # Matchers / Extractor Parts
Valid part values supported by Network protocol for Matchers / Extractor are - Valid part values supported by Network protocol for Matchers / Extractor are:
Value Description Value Description
request Network Request request Network Request
@ -1704,6 +1710,7 @@ And thats it, this automatically converts any slice/array to map and removes
Similar to DSL helper functions . we can either use built in functions available with Javscript (ECMAScript 5.1) or use DSL helper functions and its upto user to decide which one to uses. Similar to DSL helper functions . we can either use built in functions available with Javscript (ECMAScript 5.1) or use DSL helper functions and its upto user to decide which one to uses.
```
- method: GET # http request - method: GET # http request
path: path:
- \"{{BaseURL}}\" - \"{{BaseURL}}\"
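
Review bot: The context line above the added fence still carries several typos that a typo-fix commit should pick up: "functions . we", "Javscript", "its upto user" and "which one to uses". Suggest "Similar to DSL helper functions, we can either use built-in functions available with JavaScript (ECMAScript 5.1) or use DSL helper functions, and it is up to the user to decide which one to use." Also check that the fence opened before "- method: GET" is closed after the end of the example, since no closing fence is visible in this hunk.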