Nucleus -- a fast vulnerability scanning tool based on YAML syntax template

Posted by leeperryar on Sun, 09 Jan 2022 10:31:51 +0100

1, Tool introduction

1. Introduction

Nucleus is a customized rapid vulnerability scanner based on YAML syntax template. It is developed with Go language and has strong configurability, scalability and ease of use.

At present, the project has 6.6k stars on Github.

2. Function

  • HTTP | DNS | TCP | file support
  • Fully configurable template
  • Large scale scanning
  • Out of band detection
  • Easily write your own template


YAML(/ ˈ jæm ə l /, the ending sound is similar to camel (camel), which is highly readable and used to express data serialize Format. YAML references many other languages, including: C language,Python,Perl , and from XML Inspired by the data format of e-mail (RFC 2822). Clark Evans first published the language in 2001, and Ingy d ö t Net and Oren Ben Kiki were also co designers of the language. At present, several programming languages or scripting languages support (or parse) this language.

YAML is "YAML Ain't a Markup Language" Markup Language )Yes Recursive acronym . When developing this language, YAML actually means "Yet Another Markup Language" Markup Language )However, in order to emphasize that the language is data centric rather than focusing on markup language, it is renamed with reverse abbreviations.

2, Tool installation

1. Install Go language

Because nucleus needs the latest go to install, you need to use the following command to install the go language before installation:

sudo apt update
sudo apt install golang-go

After the installation is completed, you can view the Go language version using the go verison command.

2. Install nucleus

Nucleoi officially provides various installation methods. Users can choose the most appropriate installation method according to their actual situation.

#[online source code compilation and installation] - Go language needs to be installed
go install -v

#[local source code compilation and installation] - Go language needs to be installed
git clone
cd nuclei/v2/cmd/nuclei
go build
mv nuclei /usr/local/bin/
nuclei -version

#[kali one click installation] - [recommended] - Go language does not need to be installed, and only kali operating system
apt install nuclei

#[macOS one click installation] - [recommended] - Go language does not need to be installed, and only macOS operating system
brew install nuclei

#[docker one click installation] - [recommended] - no need to install Go language
docker pull projectdiscovery/nuclei:latest

#[download the distribution version directly] - [recommended] - no need to install Go language, suitable for all kinds of operating systems

3. After successful installation, enter nucleus - version in the terminal window to view the nucleus version.

At the same time, from V2 Since version 4.0, nucleus has built-in support for automatic updating / downloading templates. The first time nucleus runs, it will automatically download the latest nucleus templates to the current user's root directory (/ home / current user / nucleus templates).

The nucleus templates project provides a list of ready-made templates contributed by the community, which will be updated continuously. Users can also download the latest version of the template locally.

Download address of nucleus templates:

3, Tool use

1.nuclei -h

This will display the help of nucleus. The following are all supported commands [mainly the latest version]:

  nuclei [command]

   -u, -target string[]                 Specifies the of the scan URL/host
   -l, -list string                     Specify the to scan URL/Host files (one per line)

   -t, -templates string[]              Specify the template to be scanned or the path of the template
   -nt, -new-templates                  Scan only templates added in the latest version
   -w, -workflows string[]              Specify the workflow or workflow directory in the scan
   -validate                            Validated templates
   -tl                                  Lists all available templates

   -tags string[]                       Execute tagged template subset
   -etags, -exclude-tags string[]       Execute templates marked as excluded
   -itags, -include-tags string[]       Do not execute aggressive templates
   -et, -exclude-templates string[]     Template or template directory to exclude
   -it, -include-templates string[]     Execute the default or excluded templates in the configuration
   -s, -severity value[]                Run the template according to the severity. The allowed values are: info,low,medium,high,critical   
   -es, -exclude-severity value[]       Exclude templates according to severity. The allowed values are: info,low,medium,high,critical   
   -a, -author string[]                 Executes the template for the specified author

   -o, -output string                   Output the problems found to the file
   -silent                              Show results only
   -nc, -no-color                       Turn off output shading( ANSI Escape code)
   -json                                Output as jsonL(ines)
   -irr, -include-rr                    stay JSONL Output the corresponding request and corresponding (results only)
   -nm, -no-meta                        Do not display matching metadata
   -nts, -no-timestamp                  Do not show timestamp in output
   -rdb, -report-db string              Local Nuclei Results database (always use this database to save results)       
   -me, -markdown-export string         with markdown Export results
   -se, -sarif-export string            with SARIF Export results

to configure:
   -config string                       appoint Nuclei Configuration file for
   -rc, -report-config string           appoint Nuclei Report template file
   -H, -header string[]                 Specify the title in the report: value format
   -V, -var value                       adopt var=value appoint var value
   -r, -resolvers string                appoint Nuclei Parse file for
   -sr, -system-resolvers               When DNS Use system in case of error DNS
   -passive                             Enable passive scan processing HTTP response
   -ev, env-vars                        Using environment variables in templates

   -inserver, -ineractsh-server string  use interactsh Reverse connection detection platform (default to"")
   -itoken, -interactsh-token string    Specify the identity certificate of the anti connection detection platform
   -interactions-cache-size int         Specifies the number of requests saved in the interactive cache (default: 5000)
   -interactions-eviction int           The time to wait before deleting a request from Cong cache (60 seconds by default)
   -interactions-poll-duration int      Wait time before each poll (default is 5 seconds)
   -interactions-cooldown-period int    Wait time before exiting polling (default is 5 seconds)
   -ni, -no-interactsh                  Disable the anti connection detection platform and exclude templates based on anti connection detection

Speed limit:
   -r1, -rate-limit int                 Maximum requests per second (default: 150)
   -rlm, -rate-limit-minute int         Maximum requests per minute
   -bs, -bulk-size int                  Maximum number of parallel detections per template (default: 25)
   -c, -concurrency int                 Maximum number of templates executed in parallel (default: 25)

   -timeout int                         Timeout (default is 5 seconds)
   -retries int                         Number of retries (default: 1)
   -mhe, -max-host-error int            Number of failed scans of a host, skipping the host (default: 30)
   -project                             Use project folders to avoid sending the same request multiple times
   -project-path string                 Set specific project folders
   -spm, -stop-at-first-path            Stop after getting a result (may interrupt the logic of the template and workflow)
   -stream                              Flow mode - Detailed description without sorting input

Browser without interface:
    -headless                           Enable templates that require a browser without an interface
    -page-timeout int                   Timeout seconds without interface (default: 20)
    -sb, -show-brower                   Displays the browser when the template is run without an interface browser
    -sc, -system-chrome                 Not used Nuclei Native browser, local browser

    -debug                              Show all requests and responses
    -debug-req                          Show all requests
    -debug-resp                         Show all responses
    -proxy, -proxy-url string           use HTTP agent
    -proxy-socks-url string             use SOCK5 agent
    -tlog, -trace-log string            Write request log to file
    -version                            display version information
    -v, -verbose                        Show details
    -vv                                 Show additional details
    -tv, -templates-version             Displays the installed template version

    -update                             to update Nuclei To the latest version
    -ut, -update-templates              to update Nuclei Template to latest version
    -ud, -update-directory string       Overlay installation template
    -duc, -disable-update-check         Disable updates

    -stats                              Displays statistics being scanned
    -sj, -stats-json                    Convert statistics to JSONL Format output to file
    -si, -stats-inerval int             Displays the number of seconds between statistics updates (default: 5)
    -m, -metrics                        display Nuclei port information
    -mp, -metrics-port int              change Nuclei Default port (default: 9092)

2. Update nucleus

Use the nuclei -update command to update your Nuclei to the latest version.

Use the nuclei - update templates command to update your core template nuclei templates to the latest version. In addition, nuclei itself will be automatically updated every 24 hours.

3. Scan a single target

nuclei -u

#Using socks5 proxy
nuclei -u -p socks5://

#Use http proxy
nuclei -u -p

For example, we use Grafana unauthorized arbitrary file reading vulnerability on vulfocus to scan and test:

4. Scan multiple targets

nuclei -list urls.txt

#Using socks5 proxy
nuclei -list urls.txt -p socks5://

#Use http proxy
nuclei -list urls.txt -p

Where URLs Txt is the URL of the scan target:

5. Custom report format

Nucleoi provides the function of scanning result output. Users can customize and output various types of report formats according to their own needs, including text, JSON, Markdown, etc.

#The output result is in JSON format
nuclei -u -json 

#Save the output result to result Txt file
nuclei -u -o result.txt  

#Save the output results to a Markdown format file
nuclei -u -md result

For example:

We use nucleus - U -The me result command generates a Markdown file

The output Markdown file is as follows:

File Weblogic weak login http___ vulfocus. fofa. so_ 53003_ console_ j_ security_ check. MD contents are as follows:

6. Customize scanning content

The nucleus engine supports three basic filters to customize template execution.

  1. tags (- tags) filter based on the tag fields available in the template.
  2. Severity (- severity) filters based on the severity Fields available in the template.
  3. Authors (- Author) are filtered based on the author Fields available in the template.

By default, the filter is applied to the installed path of the template and can be customized by manually entering the template path.

For example:

#The following command will run all templates installed in the ~ / nucleus templates / directory, including the cve tag.
nuclei -u -tags cve

#The following command will run all available templates with config tag under ~ / nucleus templates / exposures /
nuclei -u -tags config -t exposures/

Multiple filters and AND Conditions work together
#The following command will run all templates with cve tags, with critical or high severity and geeknik as the author of the template.
nuclei -u -tags cve -severity critical,high -author geeknik

8. User defined detection template

Nucleus supports custom writing of YAML syntax templates. You can write your own detection templates according to your own needs.

Basic template:

#The template is the URL in the request / response and matches the path of the string.
id: basic-example

  name: Test HTTP Template
  author: pdteam
  severity: info

  - method: GET
      - "{{BaseURL}}/"
      - type: word
          - "This is test matcher text"

Presentation template:

YAML template for Spring Boot directory traversal (CVE-2021-21234) vulnerability

id: CVE-2021-21234

  name: Spring Boot Actuator Logview - Directory Traversal
  author: gy741,pikpikcu
  severity: high
  description: spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability.
  tags: cve,cve2021,springboot,lfi,actuator
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 7.70
    cve-id: CVE-2021-21234
    cwe-id: CWE-22

  - method: GET
      - "{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # Windows
      - "{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # windows
      - "{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux
      - "{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux

    matchers-condition: or
      - type: regex
        part: body
          - "root:.*:0:0"

      - type: word
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
        part: body

For more template authoring rules, please see:

Use your own template

nuclei -u -t mytemplate.yaml

9. Use Fiora to manage nucleus

Project introduction

Fiora is the name of the unparalleled sword Ji in LoL. she is good at finding the opponent's defensive weakness and achieving precision attack. The project is a PoC framework nuclei Provide graphical interface to realize quick search, one click operation and other functions, and improve nuclei User experience.

Project address:

Project Author: bit4woo

Video tutorial: Fiora: quick search PoC, one click Run Nuclei_ Beep beep beep_ bilibili

usage method

  • Use Java - jar Fiora-v0 1-jar-with-dependencies. The jar command runs Fiora independently

  • Run Fiora as a Burpsuite plug-in

Install the plug-in as follows:

Topics: Cyber Security Web Security CTF security hole