Nuclei进阶指南：安全研究者的扫描与模板技巧<\/h1>

1. Nuclei概述<\/h2>

Nuclei是由ProjectDiscovery开发的基于YAML模板的现代漏洞扫描器，具有以下核心特点：<\/p>

易于扩展<\/strong>：简单的YAML语法编写自定义检测<\/li> <\/ul>
2. 核心概念<\/h2>
2.1 架构原理<\/h3>
Nuclei的核心组件包括：<\/p>

组件<\/th> 功能<\/th> 示例<\/th> <\/tr> <\/thead>

模板<\/td> 定义检测逻辑<\/td> cves\/2023\/CVE-2023-1234.yaml<\/td> <\/tr>
匹配器<\/td> 验证漏洞特征<\/td> status: 200 + words: "admin"<\/code><\/td> <\/tr>
提取器<\/td> 获取关键信息<\/td> 提取session ID、版本号<\/td> <\/tr>
变量<\/td> 动态内容替换<\/td> {{BaseURL}}<\/code>、{{Hostname}}<\/code><\/td> <\/tr> <\/tbody> <\/table> 3. 安装配置<\/h2> 3.1 安装方式<\/h3> Go安装（推荐）<\/strong>：<\/p> go install -v github.com\/projectdiscovery\/nuclei\/v2\/cmd\/nuclei@latest <\/span><\/span><\/code><\/pre><\/li> 预编译二进制<\/strong>：从GitHub Releases下载对应平台的二进制文件<\/p> <\/li> Docker容器<\/strong>：<\/p> docker pull projectdiscovery\/nuclei:latest <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2 环境配置<\/h3> 初始化配置：<\/p> nuclei <\/span><\/span><\/code><\/pre>配置文件示例（~\/.config\/nuclei\/config.yaml<\/code>）：<\/p> update-directory<\/span>: \/path\/to\/nuclei-templates<\/span> <\/span><\/span>templates-directory<\/span>: \/path\/to\/custom-templates<\/span> <\/span><\/span><\/code><\/pre>4. 基础使用<\/h2> 4.1 基本命令结构<\/h3> nuclei -t <模板> -u <目标> [<\/span>选项]<\/span> <\/span><\/span><\/code><\/pre>4.2 目标指定方式<\/h3> 单个URL：-u https:\/\/example.com<\/code><\/li> 文件列表：-l urls.txt<\/code><\/li> CIDR范围：192.168.1.1\/24<\/code><\/li> <\/ul> 4.3 实用参数组合<\/h3> 快速扫描<\/strong>：<\/p> nuclei -u https:\/\/example.com -t cves\/ -severity critical,high -silent <\/span><\/span><\/code><\/pre>深度扫描<\/strong>：<\/p> nuclei -u https:\/\/example.com -t all -depth 3<\/span> -rate-limit 50<\/span> <\/span><\/span><\/code><\/pre>静默扫描<\/strong>：<\/p> nuclei -l targets.txt -t exposures\/ -silent -no-color -json -o results.json <\/span><\/span><\/code><\/pre>5. 模板编写<\/h2> 5.1 基础模板结构<\/h3> id<\/span>: example-vuln<\/span> <\/span><\/span> <\/span><\/span>info<\/span>: <\/span><\/span> name<\/span>: Example Vulnerability<\/span> <\/span><\/span> author<\/span>: yourname<\/span> <\/span><\/span> severity<\/span>: medium<\/span> <\/span><\/span> description<\/span>: | <\/span><\/span><\/span> <\/span> This template detects Example Vulnerability.<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: <\/span><\/span> - "{{BaseURL}}\/vulnerable-endpoint"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "vulnerable string"<\/span> <\/span><\/span><\/code><\/pre>5.2 实际模板示例<\/h3> 简单GET请求检测<\/strong>：<\/p> id<\/span>: exposed-phpinfo<\/span> <\/span><\/span> <\/span><\/span>info<\/span>: <\/span><\/span> name<\/span>: Exposed phpinfo<\/span> <\/span><\/span> author<\/span>: pdteam<\/span> <\/span><\/span> severity<\/span>: low<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: <\/span><\/span> - "{{BaseURL}}\/phpinfo.php"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "<title>phpinfo()<\/title>"<\/span> <\/span><\/span> - "PHP Version"<\/span> <\/span><\/span> condition<\/span>: and<\/span> <\/span><\/span><\/code><\/pre>POST请求with负载<\/strong>：<\/p> id<\/span>: sql-injection-check<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> - method<\/span>: POST<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/login"<\/span> <\/span><\/span> body<\/span>: "username=admin' OR 1=1--&password=test"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "Welcome, admin"<\/span> <\/span><\/span><\/code><\/pre>5.3 匹配器详解<\/h3> 状态码匹配<\/strong>：<\/p> matchers<\/span>: <\/span><\/span> - type<\/span>: status<\/span> <\/span><\/span> status<\/span>: <\/span><\/span> - 200<\/span> <\/span><\/span> - 302<\/span> <\/span><\/span><\/code><\/pre>字符串匹配<\/strong>：<\/p> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "admin panel"<\/span> <\/span><\/span> - "dashboard"<\/span> <\/span><\/span> condition<\/span>: or<\/span> <\/span><\/span><\/code><\/pre>正则表达式匹配<\/strong>：<\/p> matchers<\/span>: <\/span><\/span> - type<\/span>: regex<\/span> <\/span><\/span> regex<\/span>: <\/span><\/span> - "API_KEY: ([A-Z0-9]{32})"<\/span> <\/span><\/span><\/code><\/pre>DSL表达式匹配<\/strong>：<\/p> matchers<\/span>: <\/span><\/span> - type<\/span>: dsl<\/span> <\/span><\/span> dsl<\/span>: <\/span><\/span> - "status_code == 200 && contains(body, 'secret')"<\/span> <\/span><\/span><\/code><\/pre>6. 内置功能<\/h2> 6.1 变量系统<\/h3> 内置变量<\/strong>：<\/p> 变量<\/th> 描述<\/th> 示例值<\/th> <\/tr> <\/thead> {{BaseURL}}<\/code><\/td> 完整基础URL<\/td> https:\/\/example.com<\/code><\/td> <\/tr> {{RootURL}}<\/code><\/td> 根URL<\/td> https:\/\/example.com<\/code><\/td> <\/tr> {{Hostname}}<\/code><\/td> 主机名<\/td> example.com<\/code><\/td> <\/tr> {{Host}}<\/code><\/td> 主机地址<\/td> example.com:443<\/code><\/td> <\/tr> {{Port}}<\/code><\/td> 端口号<\/td> 443<\/code><\/td> <\/tr> {{Path}}<\/code><\/td> 路径部分<\/td> \/api\/v1<\/code><\/td> <\/tr> {{Scheme}}<\/code><\/td> 协议<\/td> https<\/code><\/td> <\/tr> <\/tbody> <\/table> 自定义变量<\/strong>：<\/p> variables<\/span>: <\/span><\/span> username<\/span>: "admin"<\/span> <\/span><\/span> password<\/span>: "password123"<\/span> <\/span><\/span><\/code><\/pre>6.2 内置函数库<\/h3> Nuclei提供了丰富的内置函数：<\/p> 编码解码函数<\/strong>：<\/p> base64()<\/code> - Base64编码<\/li> hex_encode()<\/code> - 十六进制编码<\/li> url_encode()<\/code> - URL编码<\/li> <\/ul> 字符串处理函数<\/strong>：<\/p> to_upper()<\/code> - 转为大写<\/li> to_lower()<\/code> - 转为小写<\/li> trim_space()<\/code> - 去除空格<\/li> <\/ul> 随机生成函数<\/strong>：<\/p> rand_char()<\/code> - 随机字符<\/li> rand_text_alphanumeric()<\/code> - 随机字母数字<\/li> rand_int()<\/code> - 随机整数<\/li> <\/ul> 时间函数<\/strong>：<\/p> unix_time()<\/code> - 当前Unix时间戳<\/li> wait_for()<\/code> - 等待指定秒数<\/li> <\/ul> 完整函数参考：访问 Nuclei官方文档 - Helper Functions<\/a><\/p> 6.3 条件逻辑和循环<\/h3> 条件判断<\/strong>：<\/p> requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/status"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: dsl<\/span> <\/span><\/span> name<\/span>: is_healthy<\/span> <\/span><\/span> dsl<\/span>: <\/span><\/span> - "contains(body, 'healthy')"<\/span> <\/span><\/span> <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/admin"<\/span> <\/span><\/span> matchers-condition<\/span>: and<\/span> <\/span><\/span> condition<\/span>: '{{is_healthy}} == true'<\/span> <\/span><\/span><\/code><\/pre>循环结构<\/strong>：<\/p> variables<\/span>: <\/span><\/span> endpoints<\/span>: <\/span><\/span> - "\/api\/v1"<\/span> <\/span><\/span> - "\/api\/v2"<\/span> <\/span><\/span> - "\/admin"<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: <\/span><\/span> - "{{BaseURL}}{{endpoint}}"<\/span> <\/span><\/span> payloads<\/span>: <\/span><\/span> endpoint<\/span>: "{{endpoints}}"<\/span> <\/span><\/span><\/code><\/pre>7. 高级技巧<\/h2> 7.1 多步骤攻击链<\/h3> 模拟真实的渗透测试流程，通过多个请求步骤完成复杂的漏洞检测：<\/p> id<\/span>: multi-step-auth-bypass<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> # 第一步：获取CSRF token<\/span> <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/login"<\/span> <\/span><\/span> extractors<\/span>: <\/span><\/span> - type<\/span>: regex<\/span> <\/span><\/span> name<\/span>: csrf_token<\/span> <\/span><\/span> regex<\/span>: <\/span><\/span> - 'name="csrf_token" value="([a-f0-9]{32})"'<\/span> <\/span><\/span> <\/span><\/span> # 第二步：尝试登录<\/span> <\/span><\/span> - method<\/span>: POST<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/login"<\/span> <\/span><\/span> body<\/span>: "username=admin&password=password123&csrf_token={{csrf_token}}"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "Welcome, admin"<\/span> <\/span><\/span><\/code><\/pre>7.2 负载攻击模式<\/h3> Nuclei支持四种攻击模式来处理多个负载：<\/p> Batteringram模式<\/strong>：使用同一个负载填充所有位置：<\/p> payloads<\/span>: <\/span><\/span> user<\/span>: ["admin"<\/span>, "test"<\/span>, "guest"<\/span>] <\/span><\/span> pass<\/span>: ["password"<\/span>, "123456"<\/span>, "admin123"<\/span>] <\/span><\/span> <\/span><\/span>attack<\/span>: batteringram<\/span> <\/span><\/span><\/code><\/pre>Pitchfork模式<\/strong>：按位置顺序配对使用负载：<\/p> payloads<\/span>: <\/span><\/span> user<\/span>: ["admin"<\/span>, "test"<\/span>, "guest"<\/span>] <\/span><\/span> pass<\/span>: ["password"<\/span>, "123456"<\/span>, "admin123"<\/span>] <\/span><\/span> <\/span><\/span>attack<\/span>: pitchfork<\/span> <\/span><\/span><\/code><\/pre>Clusterbomb模式<\/strong>：所有负载的笛卡尔积组合：<\/p> payloads<\/span>: <\/span><\/span> user<\/span>: ["admin"<\/span>, "test"<\/span>] <\/span><\/span> pass<\/span>: ["password"<\/span>, "123456"<\/span>] <\/span><\/span> <\/span><\/span>attack<\/span>: clusterbomb<\/span> <\/span><\/span><\/code><\/pre>7.3 外部交互检测（OAST）<\/h3> 检测盲注、SSRF等需要外部交互确认的漏洞：<\/p> id<\/span>: oast-ssrf-check<\/span> <\/span><\/span> <\/span><\/span>requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/fetch?url=http:\/\/{{interactsh-url}}"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: word<\/span> <\/span><\/span> part<\/span>: interactsh_protocol<\/span> <\/span><\/span> words<\/span>: <\/span><\/span> - "http"<\/span> <\/span><\/span><\/code><\/pre>7.4 原始请求模板<\/h3> 对于需要精确控制HTTP请求格式的场景：<\/p> requests<\/span>: <\/span><\/span> - raw<\/span>: <\/span><\/span> - | <\/span><\/span><\/span> GET \/path HTTP\/1.1 <\/span><\/span><\/span> Host: {{Hostname}} <\/span><\/span><\/span> User-Agent: Mozilla\/5.0 <\/span><\/span><\/span> Accept: *\/* <\/span><\/span><\/span> <\/span> <\/span><\/span> - | <\/span><\/span><\/span> POST \/submit HTTP\/1.1 <\/span><\/span><\/span> Host: {{Hostname}} <\/span><\/span><\/span> Content-Type: application\/x-www-form-urlencoded <\/span><\/span><\/span> Content-Length: 15 <\/span><\/span><\/span> <\/span><\/span><\/span> param1=test<\/span> <\/span><\/span><\/code><\/pre>7.5 条件执行控制<\/h3> 根据前置条件控制后续请求的执行：<\/p> requests<\/span>: <\/span><\/span> - method<\/span>: GET<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/check"<\/span> <\/span><\/span> matchers<\/span>: <\/span><\/span> - type<\/span>: dsl<\/span> <\/span><\/span> name<\/span>: is_vulnerable<\/span> <\/span><\/span> dsl<\/span>: <\/span><\/span> - "contains(body, 'vulnerable')"<\/span> <\/span><\/span> <\/span><\/span> - method<\/span>: POST<\/span> <\/span><\/span> path<\/span>: "{{BaseURL}}\/exploit"<\/span> <\/span><\/span> condition<\/span>: '{{is_vulnerable}} == true'<\/span> <\/span><\/span><\/code><\/pre>8. 最佳实践<\/h2> 8.1 模板编写规范<\/h3> 命名约定<\/strong>：<\/p> 使用小写字母和连字符<\/li> 按类型组织目录结构<\/li> 包含完整的信息字段<\/li> <\/ul> 完整的信息字段<\/strong>：<\/p> info<\/span>: <\/span><\/span> name<\/span>: Apache Struts OGNL Injection<\/span> <\/span><\/span> author<\/span>: pdteam<\/span> <\/span><\/span> severity<\/span>: critical<\/span> <\/span><\/span> description<\/span>: | <\/span><\/span><\/span> <\/span> Detects Apache Struts OGNL injection vulnerability (CVE-2017-5638).<\/span> <\/span><\/span> reference<\/span>: <\/span><\/span> - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638<\/span> <\/span><\/span> - https:\/\/struts.apache.org\/docs\/s2-045.html<\/span> <\/span><\/span> tags<\/span>: cve,cve2017,struts,injection<\/span> <\/span><\/span><\/code><\/pre>8.2 性能优化策略<\/h3> 智能请求控制<\/strong>：<\/p> 合理设置rate-limit<\/code>参数<\/li> 使用-headless<\/code>模式减少资源消耗<\/li> 避免不必要的重定向<\/li> <\/ul> 优化匹配器性能<\/strong>：<\/p> 优先使用word<\/code>匹配器而非regex<\/code><\/li> 使用matchers-condition<\/code>减少不必要的匹配<\/li> 合理设置max-size<\/code>限制响应大小<\/li> <\/ul> 批量扫描优化<\/strong>：<\/p> nuclei -l targets.txt -t cves\/ -bulk-size 50<\/span> -c 100<\/span> -timeout 10<\/span> <\/span><\/span><\/code><\/pre>8.3 安全和道德考虑<\/h3> 负责任的漏洞检测<\/strong>：<\/p> 避免使用破坏性payload<\/li> 添加self-contained: true<\/code>标记非侵入式模板<\/li> 遵循目标网站的robots.txt规则<\/li> <\/ul> 避免破坏性测试<\/strong>：<\/p> info<\/span>: <\/span><\/span> classification<\/span>: <\/span><\/span> cvss-metrics<\/span>: CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/span> <\/span><\/span> cvss-score<\/span>: 9.8<\/span> <\/span><\/span> cwe-id<\/span>: CWE-89<\/span> <\/span><\/span> metadata<\/span>: <\/span><\/span> self-contained<\/span>: true<\/span> <\/span><\/span> verified<\/span>: true<\/span> <\/span><\/span><\/code><\/pre>8.4 错误处理和调试<\/h3> 调试模式使用<\/strong>：<\/p> nuclei -u https:\/\/example.com -t my-template.yaml -debug <\/span><\/span><\/code><\/pre>错误处理最佳实践<\/strong>：<\/p> 使用stop-at-first-match: true<\/code>减少不必要的请求<\/li> 设置合理的timeout<\/code>值<\/li> 使用retries<\/code>处理网络波动<\/li> <\/ul> 8.5 模板组织和管理<\/h3> 目录结构建议<\/strong>：<\/p> nuclei-templates\/ ├── cves\/ ├── vulnerabilities\/ ├── exposures\/ ├── misconfigurations\/ └── workflows\/ <\/code><\/pre> Git工作流程<\/strong>：<\/p> 从官方仓库fork<\/li> 创建特性分支<\/li> 提交模板变更<\/li> 发起Pull Request<\/li> <\/ol> 8.6 集成和自动化<\/h3> CI\/CD集成示例（GitHub Actions）<\/strong>：<\/p> name<\/span>: Nuclei Scan<\/span> <\/span><\/span> <\/span><\/span>on<\/span>: [push, pull_request]<\/span> <\/span><\/span> <\/span><\/span>jobs<\/span>: <\/span><\/span> scan<\/span>: <\/span><\/span> runs-on<\/span>: ubuntu-latest<\/span> <\/span><\/span> steps<\/span>: <\/span><\/span> - uses<\/span>: actions\/checkout@v2<\/span> <\/span><\/span> <\/span><\/span> - name<\/span>: Run Nuclei<\/span> <\/span><\/span> uses<\/span>: projectdiscovery\/nuclei-action@main<\/span> <\/span><\/span> with<\/span>: <\/span><\/span> targets<\/span>: https:\/\/example.com<\/span> <\/span><\/span> templates<\/span>: cves\/<\/span> <\/span><\/span> output<\/span>: results.json<\/span> <\/span><\/span><\/code><\/pre>Docker容器化扫描<\/strong>：<\/p> docker run -v $(<\/span>pwd)<\/span>:\/data projectdiscovery\/nuclei \ <\/span><\/span><\/span><\/span> -u https:\/\/example.com -t \/data\/custom-templates -o \/data\/results.json <\/span><\/span><\/code><\/pre>9. 故障排除<\/h2> 9.1 常见问题诊断<\/h3> 模板语法错误<\/strong>：<\/p> 使用nuclei -validate<\/code>验证模板<\/li> 检查YAML缩进和格式<\/li> <\/ul> <\/li> 网络连接问题<\/strong>：<\/p> 增加-timeout<\/code>值<\/li> 检查代理设置<\/li> <\/ul> <\/li> 性能和内存问题<\/strong>：<\/p> 减少-c<\/code>并发数<\/li> 使用-headless<\/code>模式<\/li> <\/ul> <\/li> 结果输出问题<\/strong>：<\/p> 检查文件权限<\/li> 确保输出目录存在<\/li> <\/ul> <\/li> <\/ol> 9.2 调试技巧<\/h3> 模板调试流程<\/strong>：<\/p> 使用-debug<\/code>参数运行<\/li> 检查请求和响应详情<\/li> 逐步验证匹配器逻辑<\/li> <\/ol> 性能分析<\/strong>：<\/p> nuclei -u https:\/\/example.com -stats -metrics <\/span><\/span><\/code><\/pre>9.3 错误代码和解决方案<\/h3> 错误类型<\/th> 原因<\/th> 解决方案<\/th> <\/tr> <\/thead> template not found<\/td> 模板路径错误<\/td> 检查-t<\/code>参数路径<\/td> <\/tr> invalid yaml<\/td> YAML语法错误<\/td> 使用-validate<\/code>检查<\/td> <\/tr> connection timeout<\/td> 网络连接超时<\/td> 增加-timeout<\/code>值<\/td> <\/tr> too many requests<\/td> 速率限制触发<\/td> 降低-rate-limit<\/code>值<\/td> <\/tr> memory allocation<\/td> 内存不足<\/td> 减少-c<\/code>并发数<\/td> <\/tr> template execution failed<\/td> 模板执行错误<\/td> 检查模板逻辑和语法<\/td> <\/tr> <\/tbody> <\/table> 10. 总结<\/h2> 10.1 核心能力<\/h3> ✅ 模板语法精通<\/strong>：熟练编写YAML检测模板<\/li> ✅ 函数库应用<\/strong>：善用内置函数和表达式<\/li> ✅ 性能优化<\/strong>：合理配置参数和并发策略<\/li> ✅ 实战经验<\/strong>：在真实环境中积累使用技巧<\/li> <\/ul> 10.2 进阶技能<\/h3> 多协议支持<\/strong>：HTTP、DNS、TCP等协议检测<\/li> 自动化集成<\/strong>：CI\/CD流程和监控告警<\/li> 社区贡献<\/strong>：编写高质量模板回馈社区<\/li> 安全意识<\/strong>：负责任的漏洞披露和道德使用<\/li> <\/ul> 通过本指南，您应该已经掌握了Nuclei的高级使用技巧和模板编写方法。建议持续关注ProjectDiscovery官方文档<\/a>和社区更新，以获取最新的功能和最佳实践。<\/p>