{"id":2372,"date":"2025-03-01T20:35:41","date_gmt":"2025-03-01T12:35:41","guid":{"rendered":"https:\/\/systw.net\/note\/?p=2372"},"modified":"2025-07-27T18:23:03","modified_gmt":"2025-07-27T10:23:03","slug":"nuclei","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/2372","title":{"rendered":"Nuclei"},"content":{"rendered":"\n

Nuclei \u7528\u65bc\u57fa\u65bc\u6a21\u677f\u8de8\u76ee\u6a19\u767c\u9001\u8acb\u6c42\uff0c\u5f9e\u800c\u5be6\u73fe\u96f6\u8aa4\u5831\u4e26\u63d0\u4f9b\u5c0d\u5927\u91cf\u4e3b\u6a5f\u7684\u5feb\u901f\u5f31\u9ede\u6383\u63cf\u3002 Nuclei \u63d0\u4f9b\u5404\u7a2e\u5354\u5b9a\u7684\u6383\u63cf\uff0c\u5305\u62ec TCP\u3001DNS\u3001HTTP\u3001SSL\u3001File\u3001Whois\u3001Websocket\u3001Headless\u3001Code \u7b49\uff0c\u5e38\u898b\u7528\u6cd5\u5982\u4e0b\u3002<\/p>\n\n\n\n

https:\/\/github.com\/projectdiscovery\/nuclei<\/a><\/p>\n\n\n\n

\n\n\n\n

\u9078\u76ee\u6a19<\/h4>\n\n\n\n

TARGET:
-u, -target string[] target URLs\/hosts to scan
-l, -list string path to file containing a list of target URLs\/hosts to scan (one per line)<\/p>\n\n\n\n

Run nuclei on single host:
$ nuclei -target example.com<\/code><\/p>\n\n\n\n

$ nuclei -u example.com<\/code>

Run nuclei against a list of hosts:
$ nuclei -list hosts.txt<\/code><\/p>\n\n\n\n

\n\n\n\n

<\/p>\n\n\n\n

\u904e\u6ffe<\/h4>\n\n\n\n

-tags: Filter based on tags field available in the template.
-severity: Filter based on severity field available in the template.
-t, -templates: list of template or template directory
-id, -template-id: templates to run based on template ids<\/p>\n\n\n\n

\u6307\u5b9atemplate\u6a94\u6848\u6216template\u76ee\u9304<\/p>\n\n\n\n

$ nuclei -u example.com -t CVE-2024-4577.yaml<\/code>
$ nuclei -u example.com -t http\/cves\/ -t ssl<\/code>
$ nuclei -u https:\/\/example.com -t cves\/ -t exposures\/<\/code><\/p>\n\n\n\n

\u900f\u904eid\u6307\u5b9a\u7279\u5b9atemplate, \u4f8b\u5982wp-xmlrpc.yaml\u5167\u7684ID\u70bawordpress-xmlrpc-file<\/p>\n\n\n\n

$ nuclei -u https:\/\/example.com -template-id wordpress-xmlrpc-file<\/code>
$ nuclei -u https:\/\/example.com -id wordpress-xmlrpc-file<\/code><\/p>\n\n\n\n

\u6307\u5b9atag
$ nuclei -u https:\/\/example.com -tags cve<\/code>
$ nuclei -u https:\/\/example.com -tags sqli<\/code>
$ nuclei -u https:\/\/example.com -tags lfi,xss,rce <\/code><\/p>\n\n\n\n

\u6307\u5b9aseverity
$ nuclei -u https:\/\/example.com -tags cve -severity critical,high<\/code><\/p>\n\n\n\n

\n\n\n\n

\u8f38\u51fa<\/h4>\n\n\n\n

\u8f38\u51fa\u7d50\u679c\u5230report.csv<\/p>\n\n\n\n

$ nuclei -target example.com -o report.csv<\/code><\/p>\n\n\n\n

Run nuclei with a JSON output:
$ nuclei -target example.com -json-export output.json<\/code><\/p>\n\n\n\n

-v: \u986f\u793a\u8a73\u7d30\u8f38\u51fa <\/p>\n\n\n\n

-stats \uff1a\u986f\u793a\u9032\u5ea6<\/p>\n\n\n\n

[0:00:02] | Templates: 4870 | Hosts: 217 | RPS: 18 | Matched: 0 | Errors: 25 | Requests: 36\/1455202 (0%)\n[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 16 | Matched: 0 | Errors: 25 | Requests: 46\/1455202 (0%)\n[0:00:03] | Templates: 4870 | Hosts: 217 | RPS: 14 | Matched: 0 | Errors: 25 | Requests: 47\/1455202 (0%)<\/code><\/pre>\n\n\n\n
\n\n\n\n
\u6548\u80fd <\/h3>\n\n\n\n
-c or -concurrency \u540c\u6642\u8acb\u6c42\u7684\u6578\u91cf\uff0c\u9810\u8a2d25<\/p>\n\n\n\n
rate-limit \u6bcf\u79d2\u6700\u5927\u8acb\u6c42\u6578\uff0c\u9810\u8a2d150<\/p>\n\n\n\n
\n\n\n\n
\u5176\u4ed6\u63a7\u5236\u904b\u4f5c\u65b9\u5f0f<\/h4>\n\n\n\n
-mhe or -max-host-error \uff1a \u55ae\u4e00\u76ee\u6a19\u5bb9\u8a31\u591a\u5c11\u6b21\u9019\u985e\u932f\u8aa4\uff0c\u8d85\u904e\u5c31\u505c\u6b62\u5c0d\u8a72\u76ee\u6a19\u6383\u63cf
This flag controls the maximum number of (network type) errors to allow per host before removing the unresponsive host from the scan (current default is 30)<\/p>\n\n\n\n
\u8aaa\u660e\uff1a\u7528 Nuclei \u53bb\u6279\u6b21\u6383\u63cf\u5927\u91cf\u7db2\u7ad9\u6216\u76ee\u6a19\u6642\uff0c\u6bcf\u500b\u76ee\u6a19 host \u53ef\u80fd\u6703\u9047\u5230\u4e00\u4e9b\u9023\u7dda\u554f\u984c\uff0c\u50cf\u662f\uff1a<\/p>\n\n\n\n
\u2022 \u7121\u6cd5\u9023\u7dda (Connection timeout)
\u2022 DNS \u89e3\u6790\u5931\u6557
\u2022 SSL\/TLS \u63e1\u624b\u932f\u8aa4
\u2022 \u5176\u4ed6\u985e\u4f3c\u7684 network type error<\/p>\n\n\n\n
\u9019\u500b\u53c3\u6578\u5c31\u662f\u7528\u4f86\u8a2d\u5b9a\u300c\u55ae\u4e00\u76ee\u6a19\u5bb9\u8a31\u591a\u5c11\u6b21\u9019\u985e\u932f\u8aa4\uff0c\u8d85\u904e\u5c31\u505c\u6b62\u5c0d\u8a72\u76ee\u6a19\u6383\u63cf\u300d\uff0c\u907f\u514d\u6d6a\u8cbb\u6642\u9593\u5361\u5728\u5df2\u7d93\u6b7b\u6389\u7684\u76ee\u6a19\u4e0a\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
-resume   \u56de\u5fa9\u5230\u4e4b\u524d\u4e2d\u65b7\u7684\u9032\u5ea6\u7e7c\u7e8c\u6383\u63cf<\/p>\n\n\n\n
# nuclei -l url.list\n...omit...\n^C[INF] CTRL+C pressed: Exiting\n[INF] Creating resume file: \/Users\/Eo\/.config\/nuclei\/resume-cfb3outnsevg6m3t0jvg.cfg\n\n# nuclei -l url.list -resume \"\/Users\/Eo\/.config\/nuclei\/resume-cfb3outnsevg6m3t0jvg.cfg\" <\/code><\/pre>\n\n\n\n
\n\n\n\n
rule<\/h4>\n\n\n\n
nuclei\u662f\u7279\u5fb5\u6383\u63cf\u985e\u578b\u7684\u5de5\u5177\uff0c\u6240\u4ee5\u4f9d\u8cf4\u5927\u91cf\u7684\u7279\u5fb5\u898f\u5247\uff0c\u4e5f\u7a31nuclei-template<\/p>\n\n\n\n
\u898f\u5247\u6e05\u55ae  https:\/\/github.com\/projectdiscovery\/nuclei-templates<\/a><\/p>\n\n\n\n
\u898f\u5247\u5beb\u6cd5  https:\/\/docs.projectdiscovery.io\/templates\/introduction<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
\u5176\u4ed6\u548cNuclei\u642d\u914d\u7684\u6383\u63cf\u5de5\u5177 <\/h2>\n\n\n\n