
First try, Nuclei Vulnerability Scanning

Fast and customizable vulnerability scanner based on a simple YAML-based DSL.

I took my first steps with Nuclei. The plan was to verify if my Atlassian Confluence instance was vulnerable both before and after patching. Also, on June 7, 2024, a new PHP vulnerability emerged, and I wanted to use Nuclei to review the security posture of some PHP installations I manage.

Installing and running it as a Docker container is quick and easy: you just need to pull the image to your system. In my case, the host system is Windows, which matters because I will use Windows-style paths in my commands. Mac/Linux examples are plentiful on the official website.

docker pull projectdiscovery/nuclei:latest

Using CVE ID

This section explains how to run the Nuclei scanner from Docker on a Windows host to detect a CVE that already has a check in the official nuclei-templates database.

Atlassian Confluence CVE-2021-25079

Verifying my Atlassian Confluence installation against CVE-2021-25079.

This was especially easy as the CVE was already in the system’s database. Just referencing it by ID was sufficient.

docker run projectdiscovery/nuclei:latest -u https://confluence-test.example.com -id CVE-2021-25079

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.3

                projectdiscovery.io

[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[INF] Current nuclei version: v3.0.3 (latest)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!

Using custom Template

This section explains how to run the Nuclei scanner from Docker on a Windows host with a mapped volume and a downloaded custom template. The instructions are based on a very recent vulnerability, but the procedure stays the same for future cases; you only need a different template to scan with.

PHP CGI Injection CVE-2024-4577

The PHP CGI Argument Injection Vulnerability, CVE-2024-4577, is a bit more involved. The news broke yesterday, Friday, and the check has not yet been added to the official nuclei-templates, so referencing it solely by CVE ID is insufficient at this point: the run below aborts with "no templates provided for scan".

docker run projectdiscovery/nuclei:latest -u https://confluence-test.example.com -id CVE-2024-4577

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

                projectdiscovery.io

[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[WRN] Found 2 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[WRN] Excluded 116 template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan

This is not a problem: later on, the database will be expanded and this command will work. But as of today, Saturday, June 8th, 2024, we have to do an additional step. With very recent vulnerabilities this will be a common occurrence, so it’s a good time to learn what to do in that scenario.

We are lucky today because we do not have to create our own custom template. Through a search on GitHub, I quickly found that ir3shio already provides a Nuclei template for CVE-2024-4577 on his GitHub repository. Thank you for sharing.

https://github.com/ir3shio/nuclei/blob/6aba5ddcfa14c4411ae379486c7ed2941dc665fa/cve/CVE-2024-4577.yaml (2024-06-07)

For preparation, you need to download this YAML file and place it in D:\nuclei. The path might vary, but if it does, you will need to update it in the run command later.

Once it is in place, we can run Nuclei while mapping the Windows folder D:\nuclei to /app/template inside the container. The following command does exactly this. With -t we then reference the downloaded YAML file as /app/template/CVE-2024-4577.yaml, and -o writes the results to scan.txt in the same mapped folder. Change the URL in the -u flag to the web service you want to evaluate.

docker run -v D:/nuclei:/app/template projectdiscovery/nuclei:latest -u http://example.com/ -t /app/template/CVE-2024-4577.yaml -v -o /app/template/scan.txt

Once we run it, it will look something like this.

docker run -v D:/nuclei:/app/template projectdiscovery/nuclei:latest -u http://host.docker.internal/ -t /app/template/CVE-2024-4577.yaml -v -o /app/template/scan.txt

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

                projectdiscovery.io

[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[VER] Started metrics server at localhost:9092
[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 77
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/index.php?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/home.php?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[VER] [CVE-2024-4577] Sent HTTP request to http://host.docker.internal/php-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto+prepend_file%3dphp://input
[INF] No results found. Better luck next time!

The relevance of this vulnerability will diminish over time, but the process for each new vulnerability will likely remain the same.
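To see what such a downloaded template actually contains, here is an added example in Nuclei's template DSL. It is not part of the original post and not taken from the ir3shio repository; the id, name, author, tags and the header check are assumptions chosen for illustration. It does not test for CVE-2024-4577 itself; it only inventories which hosts announce a PHP version in the X-Powered-By response header, which is a harmless way to get comfortable with the template structure (info block, request, matchers, extractors) before relying on a third-party check.

```yaml
# Added example, not part of the original post or of the nuclei-templates project:
# a minimal custom template in Nuclei's YAML DSL. It only inventories hosts that
# announce PHP in the X-Powered-By response header and extracts the version.
# The id, name, author and tags are assumed values chosen for this example.
id: php-powered-by-inventory

info:
  name: PHP X-Powered-By header inventory
  author: example-author
  severity: info
  description: Flags hosts that disclose a PHP version in X-Powered-By, useful to decide which installations need patch verification.
  tags: php,inventory,header

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    # Both matchers must hold for the template to report a result.
    matchers-condition: and
    matchers:
      - type: word
        part: header
        case-insensitive: true
        words:
          - "X-Powered-By: PHP"

      - type: status
        status:
          - 200

    # Pull the version number out of the header so it appears in the result line.
    extractors:
      - type: regex
        part: header
        group: 1
        regex:
          - "(?i)X-Powered-By: PHP/([0-9.]+)"
```

Save it as D:\nuclei\php-powered-by-inventory.yaml and run it with the same -v D:/nuclei:/app/template mapping and -t /app/template/php-powered-by-inventory.yaml as above. Nuclei will warn that the template is unsigned, exactly as it did for the downloaded one. Run with -validate first to catch YAML or matcher syntax errors before scanning, and treat any third-party template as code you are executing against your own hosts: the [VER] lines show every request it sends, so read them before trusting its verdict.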

Once the official Nuclei check for a CVE is available, it makes sense to switch from the custom template to simply referencing the CVE ID. I believe the official template will likely be an improved version of what was available in the first hours.

If you are reading this blog post because you are trying to mitigate CVE-2024-4577, the PHP CGI Argument Injection Vulnerability: good on you. The vulnerability is very critical and needs immediate addressing, especially if you run web services on the internet.

In the very unlikely case that you are here from Devcore, the researchers who found and reported the vulnerability, great work!

Generic Nuclei Scan

If you need to review the complete posture without a specific issue in mind, you can pass just the domain, and the whole template database will be run against that web property. Do not run it against web services you are not involved with.

docker run projectdiscovery/nuclei:latest -u https://example.com

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

                projectdiscovery.io

[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[WRN] Found 2 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[WRN] Found 1 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 77
[INF] Templates loaded for current scan: 8086
[WRN] Loading 2358 unsigned templates for scan. Use with caution.
[INF] Executing 5728 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1545 (Reduced 1454 Requests)
[INF] Using Interactsh Server: oast.pro

Thoughts on Nuclei

As you can see in the previous two examples, I have been using Nuclei for years. For me, Nuclei fills a good gap between regular vulnerability scanning of virtual machines and applications. It allows me to react super fast to new developments and perform quick checks, which is often even faster than the big vulnerability scanners. It definitely has its place, but I would not replace a generic vulnerability scanner with it.