SeekAndExploit/nuclei-gen

GitHub: SeekAndExploit/nuclei-gen

Generate nuclei vulnerability-scan templates from curl commands and HTTP responses.

Stars: 1 | Forks: 0

# nuclei generator

Generate [nuclei](https://github.com/projectdiscovery/nuclei) YAML templates from a curl command + an HTTP response. No AI, no API key, no internet connection: pure deterministic parsing.

## Installation

```
git clone https://github.com/SeekAndExploit/nuclei-gen/
cd nuclei-gen
pip install -e .
```

## Usage

### From a curl command

```
nuclei-gen \
  --curl 'curl -X POST https://target.com/internal/server/store \
    -H "Content-Type: application/json" \
    -d "{\"hostname\":\"attacker.com\",\"token\":\"forged\"}"' \
  --response response.txt \
  --name "internal-server-store-unauth" \
  --severity high \
  --class unauth-access
```

### From a Burp Suite raw request

```
nuclei-gen \
  --request request.txt \
  --response response.txt \
  --name "password-reset-no-token-validation" \
  --severity high \
  --class auth-bypass \
  --tags "account-takeover"
```

### Response file format

A full HTTP response (status line + headers):

```
HTTP/1.1 200 OK
Content-Type: application/json

{"status":"ok","token":"abc123"}
```

Or the body only: if there is no status line, nuclei-gen assumes HTTP 200.

## What it generates

```
id: internal-server-store-unauth

info:
  name: internal-server-store-unauth
  author: nuclei-gen
  severity: high
  description: Unauthenticated access to internal or sensitive endpoint
  tags: misconfig,unauth

http:
  - method: POST
    path:
      - '{{BaseURL}}/internal/server/store'
    headers:
      Content-Type: application/json
    body: '{"hostname":"attacker.com","token":"forged"}'
    matchers:
      - type: status
        status:
          - 200
```

Note that a bare status matcher also fires on any 200 the target returns for that path (a login wall, a catch-all page), so pair it with a body word matcher; the auto-detection below does this whenever it finds a usable pattern in the response.

## Vulnerability classes

| Class | Tags | Preset matchers |
|---|---|---|
| `auth-bypass` | misconfig, auth-bypass | status code |
| `unauth-access` | misconfig, unauth | status code |
| `idor` | idor, auth | status code + body keywords |
| `info-disclosure` | exposure, info-disclosure | status code + body keywords |
| `sqli` | sqli, injection | status code + database error strings |
| `ssrf` | ssrf, oob | interactsh OOB matcher |
| `xss` | xss, injection | status code + body keywords |
| `ssti` | ssti, injection | status code + `49` (7*7) |
| `open-redirect` | redirect, open-redirect | 3xx status code + Location regex |
| `misconfig` | misconfig | status code |
| `cve` | cve | status code |

## Auto-detection

nuclei-gen analyses the response body and prints hints before generating:

```
[+] Sensitive patterns in response: JWT token, auth token field, refresh token
[!] Debug/error patterns in response: stack trace, webpack://
```

Detected patterns are used automatically to generate more precise word matchers.

## Options

```
--curl CMD            curl command (quoted)
--request FILE        raw HTTP request file (Burp-style)
--response FILE       HTTP response file
--name NAME           template name
--severity            critical | high | medium | low | info
--class CLASS         vulnerability class (see table above)
--author AUTHOR       author field (default: nuclei-gen)
--description TEXT    override auto-description
--tags tag1,tag2      extra tags to append
--output / -o FILE    output file (default: .yaml)
```

## Running tests

```
python tests/test_curl_parser.py
python tests/test_generator.py
```
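The pipeline the sections above describe (deterministic curl parsing with `shlex`, response parsing with the HTTP 200 default, class presets from the table, and pattern detection that feeds body word matchers), as an added Python example that is not nuclei-gen's own code: the function names, the preset table, and the detection regexes are assumptions made for this illustration, and the sample curl command and response are constructed from the usage section.

```python
import json
import re
import shlex
from urllib.parse import urlsplit

# Class presets, assumed for this example from the README table; the project's own lists may differ.
CLASS_PRESETS = {
    "auth-bypass": {"tags": ["misconfig", "auth-bypass"], "words": []},
    "unauth-access": {"tags": ["misconfig", "unauth"], "words": []},
    "info-disclosure": {"tags": ["exposure", "info-disclosure"], "words": []},
    "sqli": {"tags": ["sqli", "injection"], "words": ["SQL syntax", "mysql_fetch", "ORA-"]},
    "ssti": {"tags": ["ssti", "injection"], "words": ["49"]},
}
# Body patterns worth reporting and turning into word matchers (regexes assumed here).
SENSITIVE_PATTERNS = {
    "JWT token": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "auth token field": re.compile(r'"(access_token|token|api_key)"\s*:'),
    "refresh token": re.compile(r'"refresh_token"\s*:'),
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\n\s+at [\w.$<>]+\("),
}
# Constructed sample input mirroring the README's usage example.
SAMPLE_CURL = ('curl -X POST https://target.com/internal/server/store \\\n'
               '  -H "Content-Type: application/json" \\\n'
               '  -d "{\\"hostname\\":\\"attacker.com\\",\\"token\\":\\"forged\\"}"')
SAMPLE_RESPONSE = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"status":"ok","token":"abc123"}'


def parse_curl(cmd):
    """Turn a quoted curl command into method/path/headers/body with shlex, no guessing."""
    argv = shlex.split(cmd.replace("\\\n", " "))  # join shell line continuations first
    if not argv or not argv[0].endswith("curl"):
        raise ValueError("not a curl command")
    req = {"method": None, "url": None, "headers": {}, "body": None}
    i = 1
    while i < len(argv):
        arg, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else "")
        if arg in ("-X", "--request"):
            req["method"], i = nxt.upper(), i + 2
        elif arg in ("-H", "--header"):
            key, _, value = nxt.partition(":")
            req["headers"][key.strip()] = value.strip()
            i += 2
        elif arg in ("-d", "--data", "--data-raw", "--data-binary"):
            req["body"], i = nxt, i + 2
        elif arg.startswith("-"):
            i += 1  # flags we do not model (-k, -s, ...) are skipped
        else:
            req["url"], i = arg, i + 1
    if req["url"] is None:
        raise ValueError("no URL in curl command")
    if req["method"] is None:  # curl's own default: POST once a body is given
        req["method"] = "POST" if req["body"] is not None else "GET"
    parts = urlsplit(req["url"])
    req["path"] = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return req


def parse_response(text):
    """Split a raw HTTP response into status, headers and body; body-only input means 200."""
    text = text.replace("\r\n", "\n")
    first, _, rest = text.partition("\n")
    status = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", first)
    if not status:
        return {"status": 200, "headers": {}, "body": text}
    head, _, body = rest.partition("\n\n")
    headers = {k.strip(): v.strip() for k, _, v in
               (line.partition(":") for line in head.splitlines()) if k.strip()}
    return {"status": int(status.group(1)), "headers": headers, "body": body}


def detect_patterns(body):
    """Names of the sensitive/debug patterns present in the body, in a fixed order."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)]


def build_template(req, resp, name, severity, vuln_class, extra_tags=()):
    """Assemble the template dict: class preset matchers plus ones derived from the response."""
    preset = CLASS_PRESETS[vuln_class]
    words = list(preset["words"])
    # A token field seen in the real response becomes a body word matcher, so the
    # template no longer fires on just any 200 the target returns for that path.
    if "auth token field" in detect_patterns(resp["body"]):
        fields = re.findall(r'"(access_token|token|api_key)"\s*:', resp["body"])
        words += ['"%s"' % f for f in sorted(set(fields))]
    matchers = [{"type": "status", "status": [resp["status"]]}]
    if words:
        matchers.append({"type": "word", "part": "body", "words": words})
    request = {"method": req["method"], "path": ["{{BaseURL}}" + req["path"]]}
    if req["headers"]:
        request["headers"] = req["headers"]
    if req["body"] is not None:
        request["body"] = req["body"]
    request.update({"matchers-condition": "and", "matchers": matchers})
    info = {"name": name, "author": "nuclei-gen", "severity": severity,
            "tags": ",".join(preset["tags"] + list(extra_tags))}
    return {"id": name, "info": info, "http": [request]}


if __name__ == "__main__":
    tpl = build_template(parse_curl(SAMPLE_CURL), parse_response(SAMPLE_RESPONSE),
                         "internal-server-store-unauth", "high", "unauth-access")
    print(json.dumps(tpl, indent=2))  # JSON is valid YAML flow style; save it as .yaml
```

Run directly, it prints the template for the README's sample request with a `"token"` word matcher added alongside the status check, because the sample response carries a token field. The output is emitted as JSON to stay dependency-free; JSON is valid YAML, and swapping in `yaml.safe_dump(tpl, sort_keys=False)` with PyYAML installed gives the block-style layout shown in "What it generates".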
Tags: Burp Suite integration, curl command parsing, HTTP response analysis, nuclei templates, SSRF, web security, YAML generation, information disclosure, security testing, offensive security, no AI, no API key, unauthorized access, template generation, deterministic parsing, blue-team analysis, authentication bypass, reverse-engineering tools