nuclei

Resources

https://nuclei.projectdiscovery.io/
https://github.com/projectdiscovery/nuclei-templates


Usage and Examples

Targets and settings
# Templates
nuclei -t exposures/configs/git-config.yaml -l urls.txt
nuclei -t cves/2021/ -l urls.txt
nuclei -t cves/2020/ -t exposed-tokens -t misconfiguration -l urls.txt

# Tags
nuclei -tags cve -u urls.txt
nuclei -tags config -t exposures/ -u urls.txt
nuclei -tags lfi,ssrf,rce -t cves/ -l urls.txt

# Workflows
nuclei -w workflows/wordpress-workflow.yaml -l wordpress_urls.txt
nuclei -w workflows/wordpress-workflow.yaml -w workflows/jira-workflow.yaml -l urls.txt

# Severity
nuclei -t cves/ -severity critical -l urls.txt
nuclei -t cves/ -t vulnerabilities -severity critical,high -l urls.txt
Rate Limits
rate-limit # Control the total number of request to send per seconds
bulk-size # Control the number of hosts to process in parallel for each template
c # Control the number of templates to process in parallel
Template exclusion
# Nuclei supports multiple ways to exclude templates for the execution, as default nuclei excludes two type of templates.
# Template from ignore list
# Templates with dos tags

# Exclude templates
nuclei -l urls.txt -t cves/ -exclude cves/2020/CVE-2020-XXXX.yaml
nuclei -l urls.txt -t nuclei-templates/ -exclude exposed-panels/ -exclude technologies

# Exclude tags
nuclei -l urls.txt -t cves/ -etags xss
nuclei -l urls.txt -t cves/ -etags sqli,rce
Config
# $HOME/.config/nuclei/config.yaml
nuclei -config project.yaml -list urls.txt
# Example
# Headers to include with each request.
header:
  - 'X-BugBounty-Hacker: h1/geekboy'
  - 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)'

# Templates with tags to run
tags: rce,lfi

# Templates with tags to exclude
exclude-tags: info

# Templates to scan
templates:
  - cves/
  - vulnerabilities/
  - misconfiguration/

# Templates to exclude scan
exclude:
  - vulnerabilities/xxx
  - misconfiguration/xxxx

# Send random User-agent for each scan
random-agent: false

# Rate limit configuration for scan
rate-limit: 500
bulk-size: 50
concurrency: 50
Metrics
# Exposes metrics on localhost:9092/metrics when flag is used
nuclei -t cves/ -l urls.txt -metrics

curl -s localhost:9092/metrics | jq .
{
  "duration": "0:00:03",
  "errors": "2",
  "hosts": "1",
  "matched": "0",
  "percent": "99",
  "requests": "350",
  "rps": "132",
  "startedAt": "2021-03-27T18:02:18.886745+05:30",
  "templates": "256",
  "total": "352"
}


Templating

https://nuclei.projectdiscovery.io/templating-guide/#template-details
https://nuclei.projectdiscovery.io/template-examples/http/