#!/bin/bash
# Nuclei Endpoint Discovery & Scanning Workflow
# Complete workflow for discovering real API endpoints and running stricter Nuclei scans
#
# Run with no arguments to print the usage text. The helper scripts
# (har_endpoint_extractor.py, authenticated_endpoint_crawler.py) and the
# netbear-*.yaml templates are looked up relative to the current directory.
set -e

# ANSI colour sequences for the print_* helpers. They are stored as literal
# backslash escapes and turned into control characters only when printed.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # reset to default colour
print_header() {
  # Print $1 as a boxed section banner, padded with a blank line above and below.
  local title=$1
  printf '%b\n' "\n${BLUE}╔════════════════════════════════════════╗${NC}"
  printf '%b\n' "${BLUE}║${NC} ${title}"
  printf '%b\n' "${BLUE}╚════════════════════════════════════════╝${NC}\n"
}
print_success() {
  # Report a completed step: green "[+]" followed by the message in $1.
  local message=$1
  printf '%b\n' "${GREEN}[+]${NC} ${message}"
}
print_error() {
  # Report a failure: red "[-]" followed by the message in $1 (goes to stdout,
  # like the other helpers).
  local message=$1
  printf '%b\n' "${RED}[-]${NC} ${message}"
}
print_info() {
  # Report progress: yellow "[*]" followed by the message in $1.
  local message=$1
  printf '%b\n' "${YELLOW}[*]${NC} ${message}"
}
# Check dependencies
check_dependencies() {
  # Verify that every required tool is on PATH; exit 1 on the first missing one.
  print_header "Checking Dependencies"
  local required=(python3 nuclei curl)
  local tool
  for tool in "${required[@]}"; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      print_error "$tool is NOT installed"
      echo " Please install $tool and try again"
      exit 1
    fi
    print_success "$tool is installed"
  done
}
# Mode: HAR file analysis
mode_har() {
  # Extract endpoints from a browser HAR capture into the nuclei_targets.* files.
  # $1 - path to the HAR file. Returns 1 when the file does not exist.
  local har_file=$1
  [ -f "$har_file" ] || {
    print_error "HAR file not found: $har_file"
    return 1
  }
  print_header "Mode: HAR File Analysis"
  print_info "Analyzing HAR file: $har_file"
  # Output file names are fixed; the extractor script is expected in the
  # current directory.
  local -a extractor_args=(
    --har-file "$har_file"
    --output-txt nuclei_targets.txt
    --output-json nuclei_targets_metadata.json
    --output-report endpoint_classification.json
    --generate-commands
  )
  python3 har_endpoint_extractor.py "${extractor_args[@]}"
  print_success "HAR analysis complete!"
  print_info "Generated targets:"
  printf ' - %s\n' nuclei_targets.txt nuclei_targets_metadata.json endpoint_classification.json
}
# Mode: Authenticated crawling
mode_authenticated() {
  # Log in to a web application and crawl it for endpoints; the crawler writes
  # its output under ./nuclei_input.
  # $1 - base URL, $2 - username, $3 - password, $4 - login path (default /login).
  # NOTE(review): the password is passed to the crawler on its command line, so
  # it is visible in process listings for the duration of the crawl and would be
  # echoed by `set -x`; the crawler's interface decides whether that can change.
  local url=$1
  local username=$2
  local password=$3
  local login_endpoint=${4:-/login}
  print_header "Mode: Authenticated Endpoint Discovery"
  print_info "Target URL: $url"
  print_info "Username: $username"
  local -a crawler_args=(
    --url "$url"
    --username "$username"
    --password "$password"
    --login-endpoint "$login_endpoint"
    --output-dir nuclei_input
  )
  python3 authenticated_endpoint_crawler.py "${crawler_args[@]}"
  print_success "Endpoint discovery complete!"
}
# Mode: Run Nuclei scan
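mode_nuclei_scan() {
  # Run nuclei with the local netbear-*.yaml templates against a list of URLs.
  # $1 - file with one target URL per line (must exist)
  # $2 - output prefix; results are written to "<prefix>_output/" (default nuclei_results)
  # Returns 1 when the targets file or the templates are missing.
  local targets_file=$1
  local output_prefix=${2:-nuclei_results}
  local out_dir="${output_prefix}_output"
  if [ ! -f "$targets_file" ]; then
    print_error "Targets file not found: $targets_file"
    return 1
  fi
  print_header "Running Nuclei Scan"
  print_info "Targets: $targets_file"

  # Collect the templates with a glob instead of parsing ls. An unmatched glob
  # stays literal, hence the -e test.
  local -a templates=() template_args=()
  local template
  for template in netbear-*.yaml; do
    [ -e "$template" ] || continue
    templates+=("$template")
    # -t takes a single path. Passing the bare glob after one -t bound only the
    # first expansion to the flag and left the other files as stray positional
    # arguments, so repeat -t once per template.
    template_args+=(-t "$template")
  done
  if [ "${#templates[@]}" -eq 0 ]; then
    print_error "Nuclei templates not found (netbear-*.yaml)"
    return 1
  fi
  print_info "Templates found:"
  printf ' - %s\n' "${templates[@]}"

  mkdir -p "$out_dir"
  print_info "Running Nuclei (this may take a while)..."
  # NOTE(review): -o is given twice (text and JSON paths). Whether nuclei honours
  # both or the last -o wins, and the exact spelling of the JSON output flag,
  # depend on the installed nuclei version -- confirm against `nuclei -h`.
  nuclei \
    -l "$targets_file" \
    "${template_args[@]}" \
    -o "$out_dir/results.txt" \
    -json -o "$out_dir/results.json" \
    -silent
  print_success "Nuclei scan complete!"
  print_info "Results saved to $out_dir/"

  if [ -f "$out_dir/results.txt" ]; then
    # Declaration and assignment are separate so a failing wc is not masked
    # by local's exit status.
    local count
    count=$(wc -l < "$out_dir/results.txt")
    count=$((count))   # some wc builds pad the number with spaces
    print_info "Found $count findings"
    echo ""
    echo "=== Findings ==="
    head -20 "$out_dir/results.txt"
    if [ "$count" -gt 20 ]; then
      echo "... and $((count - 20)) more"
    fi
  fi
}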
# Display usage
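usage() {
  # Print the help text to stdout.
  # The heredoc is routed through printf '%b' because the colour variables hold
  # backslash escapes; a plain `cat` printed them literally (e.g. "\033[0;34m")
  # instead of rendering them.
  printf '%b\n' "$(cat <<EOF
${BLUE}Nuclei Endpoint Discovery & Scanning Workflow${NC}

${BLUE}Usage:${NC}
  $0 <mode> [options]

${BLUE}Modes:${NC}
  ${GREEN}har${NC} <har_file>
      Extract API endpoints from browser HAR file
      Example: $0 har traffic.har

  ${GREEN}auth${NC} <url> <username> <password> [login_endpoint]
      Discover endpoints via authenticated crawling
      Example: $0 auth https://app.example.com user@ex.com pass123 /login

  ${GREEN}scan${NC} <targets_file> [output_prefix]
      Run Nuclei scan on target URLs
      Example: $0 scan nuclei_targets.txt results

  ${GREEN}full${NC} <url> <username> <password>
      Complete workflow: authenticate → discover → scan
      Example: $0 full https://app.example.com user@ex.com pass123

  ${GREEN}check${NC}
      Check dependencies only

  ${GREEN}help${NC}
      Show this help message

${BLUE}Examples:${NC}
  # 1. Export HAR from browser, analyze it
  $0 har ~/Downloads/traffic.har

  # 2. Discover endpoints from authenticated app
  $0 auth https://app.doctolib.fr patient@ex.com password123 /patients/sign_in

  # 3. Run Nuclei on discovered endpoints
  $0 scan nuclei_targets.txt my_scan

  # 4. Complete workflow in one command
  $0 full https://app.doctolib.fr patient@ex.com password123

${BLUE}Generated Files:${NC}
  From HAR analysis:
    - nuclei_targets.txt (URL list for Nuclei)
    - nuclei_targets_metadata.json (URLs with request metadata)
    - endpoint_classification.json (Endpoints grouped by type)

  From authenticated crawling:
    - nuclei_input/endpoints_*.txt
    - nuclei_input/nuclei_targets_*.json
    - nuclei_input/discovery_summary_*.json

  From Nuclei scan:
    - <output>/results.txt (Plain text results)
    - <output>/results.json (JSON results for parsing)

${BLUE}Notes:${NC}
  - Requires: python3, nuclei, curl
  - Templates used: netbear-api-exposure.yaml, netbear-auth-bypass.yaml, netbear-idor.yaml
  - For authenticated mode, app must accept JSON POST with {username_field: user, password_field: pass}
  - For HAR mode, export from browser DevTools (Network tab → right-click → "Save all as HAR")
EOF
)"
}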
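main() {
  # Dispatch on the first argument (the mode); the remaining arguments are
  # handed to the selected mode. Exits 0 for help, 1 on bad usage; a failing
  # mode propagates its status.
  if [ $# -eq 0 ]; then
    usage
    exit 0
  fi
  local mode=$1
  shift
  case "$mode" in
    check)
      check_dependencies
      ;;
    help|--help|-h)
      usage
      ;;
    har)
      if [ $# -lt 1 ]; then
        print_error "HAR file required"
        usage
        exit 1
      fi
      check_dependencies
      mode_har "$1"
      ;;
    auth)
      if [ $# -lt 3 ]; then
        print_error "URL, username, and password required"
        usage
        exit 1
      fi
      check_dependencies
      mode_authenticated "$1" "$2" "$3" "${4:-/login}"
      ;;
    scan)
      if [ $# -lt 1 ]; then
        print_error "Targets file required"
        usage
        exit 1
      fi
      check_dependencies
      mode_nuclei_scan "$1" "${2:-nuclei_results}"
      ;;
    full)
      if [ $# -lt 3 ]; then
        print_error "URL, username, and password required"
        usage
        exit 1
      fi
      check_dependencies
      local url=$1
      local username=$2
      local password=$3
      # Optional 4th argument is the login path, same default as the auth mode.
      mode_authenticated "$url" "$username" "$password" "${4:-/login}"
      # Pick the most recently modified endpoints_*.txt the crawler produced,
      # using -nt rather than parsing `ls -t`. An unmatched glob stays literal,
      # hence the -e test.
      local endpoints_file='' candidate
      for candidate in nuclei_input/endpoints_*.txt; do
        [ -e "$candidate" ] || continue
        if [ -z "$endpoints_file" ] || [ "$candidate" -nt "$endpoints_file" ]; then
          endpoints_file=$candidate
        fi
      done
      if [ -z "$endpoints_file" ]; then
        print_error "No endpoints file found"
        return 1
      fi
      print_info "Running Nuclei scan on discovered endpoints..."
      mode_nuclei_scan "$endpoints_file" "nuclei_results"
      ;;
    *)
      print_error "Unknown mode: $mode"
      usage
      exit 1
      ;;
  esac
}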
# Entry point: hand all command-line arguments to main().
main "$@"