On the seventh day, amidst the darkness, God granted ProjectDiscovery, aiding brave souls in their perilous pen-testing journey.
In the wake of ProjectDiscovery's ascent, tools like Nuclei, Katana, Subfinder, Naabu, and the latest addition, cvemap, emerged to fortify the arsenal of the brave.
And most of the penetration testers were disappointed by the missing feature to “map” cvemap
results directly to existing nuclei templates.
This absolutely necessary feature does not exist today, and I hope it will change - I will create an issue on GitHub to address this problem.
However, I decided to fix this problem in this guide myself because a solution might not come at all.
Fortunately, the existing nuclei templates use the same naming convention as the CVE one, and nuclei support an argument where you can enter the ID of the desired templates directly into the input. CVEmap’s -template
flag nicely informs that the template exists in the Nuclei, but unfortunately, it doesn't tell how and where to find it.
By combining this information, I came up with an ugly but short solution.
A bit of bash glue allows us to create the following script.
This script scans targets from targets.txt
a file, with Nuclei templates filtered based on criteria from cvemap. Command expansion ($(…)
) creates the resulting list of template IDs, separated by a comma, which Nuclei accepts as valid template selection.
nuclei -l "targets.txt" \
-id "$(cvemap -template -list-id -silent \
-age '<365' -q '"remote code execution" is_remote:true' -vendor cisco |
tr -s '\n' ',')" \
-o "output.txt"
Precisely, in this case, the command scans CVEs of the Cisco products that provide RCE to the attackers and are less than one year old. Isn't that great!?
Feel free to change the query on line 3 for your purpose. The other lines are mandatory.
Why this feature doesn't exist officially, I don't know, but if I had to bet, it's because they want to use the synergy of these tools in their paid cloud platform, and they don't want to give all the features for free but at the same time they want to be opensource.
So they created a cvemap flag with the -template
flag, which informs you that the template exists, but which one it is, and so on, you must look up yourself.