### YAML Web Fingerprint Rule Example
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Defines metadata for a web component, including name, author, tags, severity, and vendor/product for CPE matching. Supports Fofa and Shodan queries.
```yaml
# web-fingerprint/apache/shiro.yaml
id: apache-shiro
info:
name: apache-shiro
author: cn-kali-team
tags: detect,tech,apache-shiro
severity: info
metadata:
product: shiro
vendor: apache
verified: true
fofa-query:
- app="Apache-Shiro"
shodan-query:
- http.header:"rememberMe=deleteMe"
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- rememberme=deleteme
part: header
case-insensitive: true
```
--------------------------------
### Apache Shiro Detection Rule
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
An example rule for detecting Apache Shiro, leveraging metadata to link with CVEs. This demonstrates how CPE information in metadata aids in vulnerability association.
```yaml
id: shiro
info:
name: shiro
author: cn-kali-team
tags: detect,tech,shiro
severity: info
metadata:
product: shiro
vendor: apache
verified: true
```
--------------------------------
### YAML TCP Probe Example
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Defines TCP probes for identifying network services, including raw TCP data, host, port, and regex extractors. Supports escape sequences in data.
```yaml
# service-fingerprint/adb-connect/adb/1830716701.yaml
id: adb
info:
name: Android Debug Bridge
author: nmap,cn-kali-team
tags: detect,tech,adb,service
severity: info
metadata:
info: token auth required
operating_system: Android
rarity: 8
tcp:
- name: adb-connect
inputs:
- data: CNXN\0\0\0\x01\0\x10\0\0\x07\0\0\0\x32\x02\0\0\xbc\xb1\xa7\xb1host::\0
host:
- '{{Hostname}}'
port: '5555'
extractors:
- name: adb
type: regex
regex:
- '(?i)^AUTH\x01\x00\x00\x00\x00\x00\x00\x00........\xbc\xb1\xa7\xb1'
```
--------------------------------
### YAML Regex Matcher for Title Tag
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Employs regular expressions for matching patterns, recommended for extractors rather than matchers due to performance considerations. This example matches a title tag.
```yaml
# 使用正则匹配 title 标签(适用于 Web 识别)
id: opnsense
info:
name: opnsense
author: cn-kali-team
tags: detect,tech,opnsense
severity: info
metadata:
product: opnsense
vendor: opnsense
verified: true
fofa-query:
- title="opnsense"
shodan-query:
- http.title:"opnsense"
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: regex
regex:
# (?mi) 多行、忽略大小写
- '(?mi)
]*>opnsense.*?'
```
--------------------------------
### ThinkPHP Detection Rule
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Example of a fingerprint rule for detecting ThinkPHP. It includes basic information, HTTP requests, and various matching conditions like favicon hash, word matching, and header matching.
```yaml
id: thinkphp
info:
name: thinkphp
author: cn-kali-team
tags: detect,tech,thinkphp
severity: info
metadata:
product: thinkphp
vendor: thinkphp
verified: true
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: favicon
hash:
- f49c4a4bde1eec6c0b80c2277c76e3db
- type: word
words:
- href="http://www.thinkphp.cn">thinkphp
- thinkphp_show_page_trace
case-insensitive: true
- type: word
words:
- 'x-powered-by: thinkphp'
part: header
case-insensitive: true
```
--------------------------------
### Extract Client IP Address using JSONPath Extractor
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This example demonstrates using a JSONPath extractor to retrieve specific fields from a JSON response, similar to the `jq` command-line tool. It's suitable for parsing REST API responses.
```yaml
# 从 httpbin.org/ip 接口提取客户端 IP 地址
id: httpbin-ip
info:
name: httpbin-ip
author: cn-kali-team
tags: detect,tech,httpbin
severity: info
metadata:
product: httpbin
vendor: httpbin
verified: true
http:
- method: GET
path:
- '{{BaseURL}}/ip'
matchers:
- type: word
words:
- '"origin"'
extractors:
- type: json
name: ip
# JSONPath 语法:以 . 开头,提取 origin 字段
json:
- '.origin'
# 预期提取结果: ip:["1.1.1.1"]
```
--------------------------------
### Format Rules and Auto-Categorize
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This command standardizes YAML rule formatting, including case sensitivity and HTTP method casing, and automatically infers `vendor` and `product` fields from file paths. It also integrates rules from the `plugins/` directory.
```bash
# 格式化所有指纹规则并自动归类
car go run -- --format
# 格式化效果示例(格式化前):
# matchers:
# - type: word
# words:
# - Apache ActiveMQ # 大写
# case-insensitive: false
# 格式化后:
# matchers:
# - type: word
# words:
# - apache activemq # 自动转小写
# case-insensitive: true # 自动开启
```
--------------------------------
### Configure Git User Information
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Set your global Git configuration for username and email. This is necessary for committing changes.
```bash
git config --global user.name "$GITHUB_USERNAME"
git config --global user.email "$GITHUB_EMAIL"
git config --global github.user "$GITHUB_USERNAME"
```
--------------------------------
### Migrate V3 Web Fingerprints to V4 Format
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Convert old v3 format Web fingerprint YAML (priority/fingerprint structure) to the current v4 format (info/http/matchers structure). Output is placed in the web-fingerprint/00_unknown/ directory for manual review.
```bash
cargo run -- --v3-to-v4 /path/to/v3-fingerprints/
```
--------------------------------
### Stage, Commit, and Push Changes
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Stage your modified or new fingerprint rule files, commit them with a descriptive message, and push the changes to your fork's branch.
```bash
git add 你添加或者修改的文件名
git commit -m "添加的组件名或者你的描述"
git push origin thinkphp
```
--------------------------------
### Clone FingerprintHub Repository
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Clone the FingerprintHub project to your local machine using Git. This is the first step for contributing new rules.
```bash
git clone git@github.com:你的个人github用户名/FingerprintHub.git
```
--------------------------------
### Synchronize Nuclei Templates
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This command synchronizes vulnerability templates (CVE, CNVD, default logins) from a local `nuclei-templates/` repository into the `plugins/` directory. It categorizes templates by vendor and product and then generates web fingerprint rules using CSE syntax.
```bash
# 同步 nuclei-templates(需先 clone nuclei-templates 到同级目录)
# git clone https://github.com/projectdiscovery/nuclei-templates.git
car go run -- --sync
# 同步范围:
# nuclei-templates/http/cves/ -> plugins///CVE-*.yaml
# nuclei-templates/http/cnvd/ -> plugins///CNVD-*.yaml
# nuclei-templates/http/default-logins/ -> plugins///*-default-login.yaml
# nuclei-templates/http/vulnerabilities/ -> plugins///*.yaml
```
--------------------------------
### Create a New Branch for Contributions
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Create and switch to a new branch before making any modifications. This follows the best practice of not committing directly to the main branch.
```bash
git checkout -b thinkphp
```
--------------------------------
### YAML Keyword Matcher with AND Condition
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Demonstrates keyword matching in HTTP probes, supporting 'and' and 'or' conditions for multiple words. Can also match specific parts like headers.
```yaml
# Tomcat 多关键词 AND 匹配示例
id: tomcat
info:
name: tomcat
author: cn-kali-team
tags: detect,tech,tomcat
severity: info
metadata:
product: tomcat
vendor: apache
verified: true
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
# AND 条件:两个关键词必须同时出现在 body 中
- type: word
words:
- /manager/html
- /manager/status
condition: and
# 独立匹配响应头中的 Server 字段
- type: word
words:
- apache-coyote
part: header
case-insensitive: true
```
--------------------------------
### Fetch All Branches and Upstream Changes
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Fetch all branches from all remotes and specifically from the upstream remote. This ensures you have the latest code.
```bash
git fetch --all
git fetch upstream
```
--------------------------------
### Configure Upstream Remote for Updates
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Add the original FingerprintHub repository as an upstream remote to fetch updates. This helps keep your fork synchronized.
```bash
cd FingerprintHub
git remote add upstream git@github.com:0x727/FingerprintHub.git
git fetch upstream
```
--------------------------------
### Verify Single Fingerprint with Debug Output
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Use this command to verify a specific YAML rule against a target URL. The `--debug` flag provides detailed output for troubleshooting.
```bash
#!/bin/bash
➜ ./observer_ward -t http://httpbin.org -p observer_ward/examples/json.yaml --debug
[INFO ] 📇probes loaded: 1
[INFO ] 🎯target loaded: 1
[INFO ] 🚀optimized probes: 1
[DEBUG] start: http://httpbin.org/
[DEBUG] Request {
uri: http://httpbin.org/ip,
version: HTTP/1.1,
method: GET,
headers: {
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"content-type": "application/json",
},
body: None,
raw_request: None,
}
[DEBUG] Response {
version: HTTP/1.1,
uri: http://httpbin.org/ip,
status_code: 200,
headers: {
"date": "Mon, 08 Jul 2024 13:19:59 GMT",
"content-type": "application/json",
"content-length": "32",
"connection": "keep-alive",
"server": "gunicorn/19.9.0",
"access-control-allow-origin": "*",
"access-control-allow-credentials": "true",
},
extensions: Extensions,
body: Some(
{
"origin": "1.1.1.1"
}
,
),
}
[DEBUG] end: http://httpbin.org/
🏹: http://httpbin.org/
|_🎯:[ http://httpbin.org/]
|_🎯:[ http://httpbin.org/ip [httpbin-ip] <>]
|_📰: ip:["1.1.1.1"]
```
--------------------------------
### Contribute New Fingerprint Rule - Git Workflow
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Standard Git workflow for contributing fingerprint rules to FingerprintHub. Requires forking, cloning, creating a feature branch named after the component, and submitting a Pull Request.
```bash
git clone git@github.com:/FingerprintHub.git
cd FingerprintHub
```
```bash
git remote add upstream git@github.com:0x727/FingerprintHub.git
git fetch upstream
```
```bash
git checkout -b thinkphp
```
```bash
cat > web-fingerprint/thinkphp/thinkphp.yaml << 'EOF'
id: thinkphp
info:
name: thinkphp
author: your-github-username
tags: detect,tech,thinkphp
severity: info
metadata:
product: thinkphp
vendor: thinkphp
verified: true
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: favicon
hash:
- f49c4a4bde1eec6c0b80c2277c76e3db
- type: word
words:
- href="http://www.thinkphp.cn">thinkphp
- thinkphp_show_page_trace
case-insensitive: true
EOF
```
```bash
git add web-fingerprint/thinkphp/thinkphp.yaml
git commit -m "feat: 添加 thinkphp 指纹规则"
git push origin thinkphp
```
--------------------------------
### Convert Nmap Service Fingerprints to YAML
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Use this command to parse Nmap nmap-service-probes files into standard YAML format. Each Nmap match rule is converted into a unique YAML template named by its MurmurHash3 hash.
```bash
cargo run -- --service
```
--------------------------------
### YAML HTTP Probe with Multiple Paths
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Defines HTTP probes for identifying web components, supporting multiple paths and custom headers. The '{{BaseURL}}' template variable is used for the base URL.
```yaml
# 多路径探测示例(web-fingerprint/apache/nacos.yaml 类似结构)
id: nacos
info:
name: nacos
author: cn-kali-team
tags: detect,tech,nacos
severity: info
metadata:
product: nacos
vendor: alibaba
verified: true
http:
- method: GET
path:
- '{{BaseURL}}/'
- '{{BaseURL}}/nacos/'
headers:
Cookie: rememberMe=admin;rememberMe-K=admin
matchers:
- type: word
words:
- 'nacos'
case-insensitive: true
```
--------------------------------
### Detect SSH Service and Extract Version
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This snippet uses a regex extractor to identify SSH services and capture protocol and version information. It's useful for service discovery and version enumeration.
```yaml
id: ssh
info:
name: OpenSSH
author: cn-kali-team
tags: detect,tech,ssh,service
severity: info
metadata:
# $1 对应正则第1组(协议版本),$2 对应第2组(OpenSSH版本)
info: protocol $1
version: $2
tcp:
- name: "null"
inputs:
- data: ""
host:
- '{{Hostname}}'
extractors:
- name: ssh
type: regex
regex:
# 提取组1: 协议版本 (如 2.0), 提取组2: OpenSSH版本 (如 9.7)
- '(?x)^SSH-([ -]+)-OpenSSH[_-]([ -]+)\s*\r?\n'
# 预期输出示例: version:["9.7"] info:["protocol 2.0"]
```
--------------------------------
### Convert YAML Rules to JSON
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This command compiles YAML fingerprint rules into JSON format for use with other tools. It generates `web_fingerprint_v4.json` and `service_fingerprint_v4.json`.
```bash
# 编译 YAML 规则库为 JSON(在项目根目录执行)
car go run -- --convert
# 输出文件:
# web_fingerprint_v4.json (所有 Web 指纹规则)
# service_fingerprint_v4.json (所有服务指纹规则)
# 生成的 JSON 条目示例结构:
# [
# {
# "id": "apache-activemq",
# "info": {
# "name": "apache-activemq",
# "author": "cn-kali-team",
# "tags": "detect,tech,apache-activemq",
# "severity": "info",
# "metadata": { "product": "activemq", "vendor": "apache", "verified": true }
# },
# "http": [{ "method": "GET", "path": ["{{BaseURL}}/"], "matchers": [...] }]
# },
# ...
# ]
```
--------------------------------
### YAML Favicon Hash Matcher
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Uses favicon hash values (MD5 or MurmurHash3) for component identification. The tool automatically extracts favicon links from the homepage.
```yaml
# web-fingerprint/atlassian/confluence.yaml
id: confluence
info:
name: confluence
author: cn-kali-team
tags: detect,tech,confluence
severity: info
metadata:
product: confluence
vendor: atlassian
verified: true
fofa-query:
- app="atlassian-confluence"
- icon_hash="-305179312"
shodan-query:
- http.component:"atlassian confluence"
- cpe:"cpe:2.3:a:atlassian:confluence"
http:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
# mmh3 哈希值(负数也合法)
- type: favicon
hash:
- '-305179312'
# 也可同时填写 md5: 4644f2d45601037b8423d45e13194c93
```
--------------------------------
### Rule ID and Basic Information
Source: https://github.com/0x727/fingerprinthub/blob/main/README.md
Defines the basic information for a fingerprint rule, including ID, name, author, tags, severity, and metadata. The metadata can store CPE information for vulnerability correlation.
```yaml
id: thinkphp
info:
name: thinkphp
author: cn-kali-team
tags: detect,tech,thinkphp
severity: info
metadata:
product: thinkphp
vendor: thinkphp
verified: true
```
--------------------------------
### Validate Single Fingerprint Rule with observer_ward
Source: https://context7.com/0x727/fingerprinthub/llms.txt
Validate a single YAML fingerprint rule using observer_ward. Use the -p flag to load the YAML file and -t to specify the target. The --debug flag provides detailed request/response information.
```bash
./observer_ward -t http://httpbin.org -p examples/json.yaml --debug
```
--------------------------------
### Adobe ColdFusion XSS Vulnerability Plugin
Source: https://context7.com/0x727/fingerprinthub/llms.txt
This YAML defines a vulnerability plugin for Adobe ColdFusion, specifically targeting a reflected Cross-Site Scripting (XSS) vulnerability. It uses variables for randomization and includes multiple paths and matchers for detection.
```yaml
# plugins/adobe/coldfusion/CVE-2023-44352.yaml
id: CVE-2023-44352
info:
name: Adobe Coldfusion - Cross-Site Scripting
author: pwnwithlove
severity: medium
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected
by a reflected Cross-Site Scripting (XSS) vulnerability.
classification:
cvss-score: 6.1
cve-id: CVE-2023-44352
cwe-id: CWE-79
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: adobe
product: coldfusion # 与 web-fingerprint/adobe/coldfusion.yaml 关联
fofa-query:
- title="coldfusion administrator login"
tags: cve,cve2023,coldfusion,adobe,xss,vuln
variables:
string: "{{rand_base(8)}}" # 随机字符串,避免缓存干扰
http:
- method: GET
path:
- '{{BaseURL}}/{{string}}}}">
/..CFIDE/wizards/common/_authenticatewizarduser.cfm'
- '{{BaseURL}}//{{string}}}}">
/..CFIDE/administrator/index.cfm'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'action="/{{string}}}}">
'
- '"{{string}}}}">'
condition: or
- type: dsl
dsl:
- "contains(body, 'ColdFusion')"
- "contains(header, 'text/html')"
condition: and
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.