From d875987fc9165279e4ee4fcf9c67a9753c3a207c Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Tue, 7 Feb 2023 11:47:15 +0100 Subject: [PATCH] Add docs related to interactsh sni annotation (#118) * Align usage of GitHub * typo update * Fix issue with description of modes * adding interactsh-sni annotation --------- Co-authored-by: Sandeep Singh Co-authored-by: Fabian Affolter Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Brendan O'Leary --- docs/nuclei/get-started.md | 17 ++++++++++------- docs/templating-guide/helper-functions.md | 2 +- docs/templating-guide/protocols/http-fuzzing.md | 4 ++-- docs/templating-guide/protocols/http.md | 14 +++++++++++++- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/docs/nuclei/get-started.md b/docs/nuclei/get-started.md index 93c0522a..76a2cec1 100644 --- a/docs/nuclei/get-started.md +++ b/docs/nuclei/get-started.md 
@@ -80,7 +80,7 @@ Nuclei has built-in support for automatic update/download templates since version [v2.4.0](https://github.com/projectdiscovery/nuclei/releases/tag/v2.4.0). [**Nuclei-Templates**](https://github.com/projectdiscovery/nuclei-templates) project provides a community-contributed list of ready-to-use templates that is constantly updated. -Nuclei also support for update/download custom template repositories. You can pass the file/list of github repositories by using `-gtr`/`-github-template-repo` flag. This will download the repositories under `nuclei-templates/github` directory. To update the repo you can pass the `-update-templates` with `-gtr` flag. +Nuclei also support for update/download custom template repositories. You can pass the file/list of Github repositories by using `-gtr`/`-github-template-repo` flag. This will download the repositories under `nuclei-templates/github` directory. To update the repo you can pass the `-update-templates` with `-gtr` flag. Nuclei checks for new community template releases upon each execution and automatically downloads the latest version when available. This feature can be disabled using the `-duc`, `-disable-update-check` flags via the CLI or the configuration file. @@ -284,7 +284,8 @@ Custom template directory or multiple template directory can be executed as foll nuclei -u https://example.com -t cves/ -t exposures/ ``` -Custom template github repos are downloaded under `github` directory. Custom repo templates can be passed as follows +Custom template Github repos are downloaded under `github` directory. Custom repo templates can be passed as follows + ```sh nuclei -u https://example.com -t github/private-repo ``` 
@@ -345,6 +346,7 @@ nuclei -u https://example.com -tags cve -severity critical,high -author geeknik ``` Multiple filters can also be combined using the template condition flag (`-tc`) that allows complex expressions like the following ones: + ```sh nuclei -tc "contains(id,'xss') || contains(tags,'xss')" nuclei -tc "contains(tags,'cve') && contains(tags,'ssrf')" @@ -516,6 +518,7 @@ Template snippet of [CVE-2021-26855](https://github.com/projectdiscovery/nuclei- metadata: shodan-query: 'vuln:CVE-2021-26855' ``` + ```console nuclei -t cves/2021/CVE-2021-26855.yaml -uncover nuclei -tags cve -uncover @@ -584,7 +587,7 @@ This option should only be enabled if targets > 10k . This skips any type of sor Default path of nuclei config file is `$HOME/.config/nuclei/config.yaml`, uncomment and configure the flags you wish to run as default. -Here is an example config file:- +Here is an example config file: ```yaml # Headers to include with all HTTP request @@ -670,7 +673,7 @@ Nuclei comes with reporting module support with the release of [v2.3.0](https:// -For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:- +For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values: ```yaml # GitHub contains configuration options for GitHub issue tracker @@ -683,7 +686,7 @@ github: issue-label: "Nuclei" ``` -To store results in Elasticsearch, create a config file with the following content and replace the appropriate values:- +To store results in Elasticsearch, create a config file with the following content and replace the appropriate values: ```yaml # elasticsearch contains configuration options for elasticsearch exporter 
@@ -696,7 +699,7 @@ elasticsearch: index-name: nuclei ``` -To forward results to Splunk HEC, create a config file with the following content and replace the appropriate values:- +To forward results to Splunk HEC, create a config file with the following content and replace the appropriate values: ```yaml # splunkhec contains configuration options for splunkhec exporter @@ -715,7 +718,7 @@ splunkhec: token: "$hec_token" ``` -**Running nuclei with reporting module:-** +**Running nuclei with reporting module:** ```bash nuclei -l urls.txt -t cves/ -rc issue-tracker.yaml diff --git a/docs/templating-guide/helper-functions.md b/docs/templating-guide/helper-functions.md index 98bab924..2d698ab0 100644 --- a/docs/templating-guide/helper-functions.md +++ b/docs/templating-guide/helper-functions.md 
@@ -29,7 +29,7 @@ Here is the list of all supported helper functions can be used in the RAW reques | html_unescape(input interface{}) string | HTML un-escapes the given input | `html_unescape("<body>test</body>")` | `test` | | join(separator string, elements ...interface{}) string | Joins the given elements using the specified separator | `join("_", 123, "hello", "world")` | `123_hello_world` | | json_minify(json) string | Minifies a JSON string by removing unnecessary whitespace | `json_minify("{ \"name\": \"John Doe\", \"foo\": \"bar\" }")` | `{"foo":"bar","name":"John Doe"}` | -| json_pretiffy(json) string | Prettifies a JSON string by adding indentation | `json_prettify("{\"foo\":\"bar\",\"name\":\"John Doe\"}")` | `{\n \"foo\": \"bar\",\n \"name\": \"John Doe\"\n}` | +| json_prettify(json) string | Prettifies a JSON string by adding indentation | `json_prettify("{\"foo\":\"bar\",\"name\":\"John Doe\"}")` | `{\n \"foo\": \"bar\",\n \"name\": \"John Doe\"\n}` | | len(arg interface{}) int | Returns the length of the input | `len("Hello")` | `5` | | line_ends_with(str string, suffix ...string) bool | Checks if any line of the string ends with any of the provided substrings | `line_ends_with("Hello\nHi", "lo")` | `true` | | line_starts_with(str string, prefix ...string) bool | Checks if any line of the string starts with any of the provided substrings | `line_starts_with("Hi\nHello", "He")` | `true` | diff --git a/docs/templating-guide/protocols/http-fuzzing.md b/docs/templating-guide/protocols/http-fuzzing.md index d8f58d63..07c66b88 100644 --- a/docs/templating-guide/protocols/http-fuzzing.md +++ b/docs/templating-guide/protocols/http-fuzzing.md 
@@ -34,8 +34,8 @@ fuzzing: Mode specifies the mode in which to perform the replacements. Available modes are - -1. **multiple** (`default`) - replace one value at a time -2. **single** - replace all values at once +1. **multiple** (`default`) - replace all values at once +2. **single** - replace one value at a time ```yaml fuzzing: diff --git a/docs/templating-guide/protocols/http.md b/docs/templating-guide/protocols/http.md index cbb7630b..5616f057 100644 --- a/docs/templating-guide/protocols/http.md +++ b/docs/templating-guide/protocols/http.md @@ -593,7 +593,7 @@ requests: Request inline annotations allow performing per request properties/behavior override. They are very similar to python/java class annotations and must be put on the request just before the RFC line. Currently, only the following overrides are supported: - `@Host:` which overrides the real target of the request (usually the host/ip provided as input). It supports syntax with ip/domain, port, and scheme, for example: `domain.tld`, `domain.tld:port`, `http://domain.tld:port` -- `@tls-sni:` which overrides the SNI Name of the TLS request (usually the hostname provided as input). It supports any literals, the speciale value `request.host` use the value of the `Host` header. +- `@tls-sni:` which overrides the SNI Name of the TLS request (usually the hostname provided as input). It supports any literals. The special value `request.host` uses the `Host` header and `interactsh-url` uses an interactsh generated URL. - `@timeout:` which overrides the timeout for the request to a custom duration. It supports durations formatted as string. If no duration is specified, the default Timeout flag value is used. The following example shows the annotations within a request: 
@@ -649,3 +649,15 @@ Example of a custom `timeout` annotations - mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M ``` + +Example of `sni` annotation with `interactsh-url` - + +```yaml +- | + @tls-sni: interactsh-url + POST /conf_mail.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + mail_address=%3B{{cmd}}%3B&button=%83%81%81%5B%83%8B%91%97%90M +``` \ No newline at end of file
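Review bot: in the get-started.md `@@ -80` hunk, changing `github repositories` to `Github repositories` contradicts the commit's own "Align usage of GitHub" goal: the same file already spells it `GitHub` in the reporting section (`to create tickets on GitHub`, `# GitHub contains configuration options for GitHub issue tracker`), so the new line should read `Github` → `GitHub`. While this sentence is being touched, `Nuclei also support for update/download custom template repositories` carries a grammar error over unchanged; `Nuclei also supports updating/downloading custom template repositories` fixes it.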
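Review bot: the get-started.md `@@ -284` hunk has the same capitalization problem: `Custom template Github repos are downloaded under` should use `GitHub`, matching the reporting section of this file and the commit message.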
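Review bot: the fence that gets a blank line in the get-started.md `@@ -516` hunk is tagged ```console, while the equivalent command blocks touched in the same file are ```sh (`@@ -284`, `@@ -345`) and ```bash (`@@ -715`); since this patch is already doing whitespace and style cleanup, picking one tag for shell command blocks would be a cheap consistency win.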
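Review bot: the `json_pretiffy` → `json_prettify` rename in helper-functions.md is correct (the example column already called `json_prettify`, so only the signature column was wrong). One thing visible in the context line just above it: the `json_minify` example turns `{ "name": "John Doe", "foo": "bar" }` into `{"foo":"bar","name":"John Doe"}`, i.e. keys come back sorted, so the function re-serializes the JSON rather than only "removing unnecessary whitespace"; the description should say so, because a template that minifies a body and then matches on byte order of keys will be surprised.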
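Review bot: the http-fuzzing.md hunk only swaps the two definitions (`multiple` → replace all values at once, `single` → replace one value at a time); since the previous text had exactly the opposite, a one-line illustration next to the list would keep this from flipping again, e.g. for a request with parameters `a` and `b` and a single payload, `multiple` yields one request with both `a` and `b` replaced, while `single` yields two requests, one with only `a` replaced and one with only `b`. Minor: `Available modes are -` with a trailing hyphen reads as an unfinished sentence; a colon fits the rest of the guide.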
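Review bot: in the http.md `@@ -593` hunk, `interactsh-url` uses an interactsh generated URL` is misleading for an SNI override: the TLS `server_name` extension carries a host name, not a URL, so the value that actually ends up on the wire is an interactsh-generated hostname; say `hostname` here (the placeholder's name is the only thing that says URL). It would also help to state in one clause what the override is for: the TLS handshake itself becomes the out-of-band signal, which is what makes it useful when the HTTP layer never answers. Nits: `SNI Name` → `SNI name`, and keep the three list items parallel (`which overrides ...`).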
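Review bot: the body of the new `sni` example in http.md `@@ -649` is copied verbatim from the `timeout` example directly above it (`POST /conf_mail.php HTTP/1.1`, `Content-Type: application/x-www-form-urlencoded`, the `{{cmd}}` form body), which has nothing to do with SNI and leaves `{{cmd}}` undefined in this context; a minimal `GET / HTTP/1.1` with `Host: {{Hostname}}` under `@tls-sni: interactsh-url` shows the annotation without the noise. The example also never shows how the resulting interaction is detected, so a reader cannot tell what the annotation buys them; either add the matcher that consumes the callback or say in the lead sentence that one is required. Minor: the lead line says `sni` annotation while the annotation is spelled `@tls-sni`, and the file now ends without a trailing newline (`\ No newline at end of file`).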