paint-brush
The Pen-Tester's Arsenal: ProjectDiscovery's CVEmap to Nuclei Template Mappingby@matejsmycka
555 reads
555 reads

The Pen-Tester's Arsenal: ProjectDiscovery's CVEmap to Nuclei Template Mapping

by Matěj SmyčkaFebruary 16th, 2024
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Fixing cvemap and nuclei.
featured image - The Pen-Tester's Arsenal: ProjectDiscovery's CVEmap to Nuclei Template Mapping
Matěj Smyčka HackerNoon profile picture

On the seventh day, amidst the darkness, God granted ProjectDiscovery, aiding brave souls in their perilous pen-testing journey.


In the wake of ProjectDiscovery's ascent, tools like Nuclei, Katana, Subfinder, Naabu, and the latest addition, cvemap, emerged to fortify the arsenal of the brave.

CVEmap and Nuclei missing feature

And most of the penetration testers were disappointed by the missing feature to “map” cvemap results directly to existing nuclei templates.


This absolutely necessary feature does not exist today, and I hope it will change - I will create an issue on GitHub to address this problem.


However, I decided to fix this problem in this guide myself because a solution might not come at all.


Fortunately, the existing nuclei templates use the same naming convention as the CVE one, and nuclei support an argument where you can enter the ID of the desired templates directly into the input. CVEmap’s -template flag nicely informs that the template exists in the Nuclei, but unfortunately, it doesn't tell how and where to find it.


By combining this information, I came up with an ugly but short solution.

Solution

A bit of bash glue allows us to create the following script.

This script scans targets from targets.txt a file, with Nuclei templates filtered based on criteria from cvemap. Command expansion ($(…)) creates the resulting list of template IDs, separated by a comma, which Nuclei accepts as valid template selection.


nuclei -l "targets.txt" \
       -id "$(cvemap -template -list-id -silent \
        -age '<365' -q '"remote code execution" is_remote:true' -vendor cisco |
        tr -s '\n' ',')" \
       -o "output.txt" 


Precisely, in this case, the command scans CVEs of the Cisco products that provide RCE to the attackers and are less than one year old. Isn't that great!?


Feel free to change the query on line 3 for your purpose. The other lines are mandatory.

Postface

Why this feature doesn't exist officially, I don't know, but if I had to bet, it's because they want to use the synergy of these tools in their paid cloud platform, and they don't want to give all the features for free but at the same time they want to be opensource.


So they created a cvemap flag with the -template flag, which informs you that the template exists, but which one it is, and so on, you must look up yourself.

Resources