### YAML Web Fingerprint Rule Example Source: https://context7.com/0x727/fingerprinthub/llms.txt Defines metadata for a web component, including name, author, tags, severity, and vendor/product for CPE matching. Supports Fofa and Shodan queries. ```yaml # web-fingerprint/apache/shiro.yaml id: apache-shiro info: name: apache-shiro author: cn-kali-team tags: detect,tech,apache-shiro severity: info metadata: product: shiro vendor: apache verified: true fofa-query: - app="Apache-Shiro" shodan-query: - http.header:"rememberMe=deleteMe" http: - method: GET path: - '{{BaseURL}}/' matchers: - type: word words: - rememberme=deleteme part: header case-insensitive: true ``` -------------------------------- ### Apache Shiro Detection Rule Source: https://github.com/0x727/fingerprinthub/blob/main/README.md An example rule for detecting Apache Shiro, leveraging metadata to link with CVEs. This demonstrates how CPE information in metadata aids in vulnerability association. ```yaml id: shiro info: name: shiro author: cn-kali-team tags: detect,tech,shiro severity: info metadata: product: shiro vendor: apache verified: true ``` -------------------------------- ### YAML TCP Probe Example Source: https://context7.com/0x727/fingerprinthub/llms.txt Defines TCP probes for identifying network services, including raw TCP data, host, port, and regex extractors. Supports escape sequences in data. ```yaml # service-fingerprint/adb-connect/adb/1830716701.yaml id: adb info: name: Android Debug Bridge author: nmap,cn-kali-team tags: detect,tech,adb,service severity: info metadata: info: token auth required operating_system: Android rarity: 8 tcp: - name: adb-connect inputs: - data: CNXN\0\0\0\x01\0\x10\0\0\x07\0\0\0\x32\x02\0\0\xbc\xb1\xa7\xb1host::\0 host: - '{{Hostname}}' port: '5555' extractors: - name: adb type: regex regex: - '(?i)^AUTH\x01\x00\x00\x00\x00\x00\x00\x00........\xbc\xb1\xa7\xb1' ``` -------------------------------- ### YAML Regex Matcher for Title Tag Source: https://context7.com/0x727/fingerprinthub/llms.txt Employs regular expressions for matching patterns, recommended for extractors rather than matchers due to performance considerations. This example matches a title tag. ```yaml # 使用正则匹配 title 标签(适用于 Web 识别) id: opnsense info: name: opnsense author: cn-kali-team tags: detect,tech,opnsense severity: info metadata: product: opnsense vendor: opnsense verified: true fofa-query: - title="opnsense" shodan-query: - http.title:"opnsense" http: - method: GET path: - '{{BaseURL}}/' matchers: - type: regex regex: # (?mi) 多行、忽略大小写 - '(?mi)]*>opnsense.*?' ``` -------------------------------- ### ThinkPHP Detection Rule Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Example of a fingerprint rule for detecting ThinkPHP. It includes basic information, HTTP requests, and various matching conditions like favicon hash, word matching, and header matching. ```yaml id: thinkphp info: name: thinkphp author: cn-kali-team tags: detect,tech,thinkphp severity: info metadata: product: thinkphp vendor: thinkphp verified: true http: - method: GET path: - '{{BaseURL}}/' matchers: - type: favicon hash: - f49c4a4bde1eec6c0b80c2277c76e3db - type: word words: - href="http://www.thinkphp.cn">thinkphp - thinkphp_show_page_trace case-insensitive: true - type: word words: - 'x-powered-by: thinkphp' part: header case-insensitive: true ``` -------------------------------- ### Extract Client IP Address using JSONPath Extractor Source: https://context7.com/0x727/fingerprinthub/llms.txt This example demonstrates using a JSONPath extractor to retrieve specific fields from a JSON response, similar to the `jq` command-line tool. It's suitable for parsing REST API responses. ```yaml # 从 httpbin.org/ip 接口提取客户端 IP 地址 id: httpbin-ip info: name: httpbin-ip author: cn-kali-team tags: detect,tech,httpbin severity: info metadata: product: httpbin vendor: httpbin verified: true http: - method: GET path: - '{{BaseURL}}/ip' matchers: - type: word words: - '"origin"' extractors: - type: json name: ip # JSONPath 语法:以 . 开头,提取 origin 字段 json: - '.origin' # 预期提取结果: ip:["1.1.1.1"] ``` -------------------------------- ### Format Rules and Auto-Categorize Source: https://context7.com/0x727/fingerprinthub/llms.txt This command standardizes YAML rule formatting, including case sensitivity and HTTP method casing, and automatically infers `vendor` and `product` fields from file paths. It also integrates rules from the `plugins/` directory. ```bash # 格式化所有指纹规则并自动归类 car go run -- --format # 格式化效果示例(格式化前): # matchers: # - type: word # words: # - Apache ActiveMQ # 大写 # case-insensitive: false # 格式化后: # matchers: # - type: word # words: # - apache activemq # 自动转小写 # case-insensitive: true # 自动开启 ``` -------------------------------- ### Configure Git User Information Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Set your global Git configuration for username and email. This is necessary for committing changes. ```bash git config --global user.name "$GITHUB_USERNAME" git config --global user.email "$GITHUB_EMAIL" git config --global github.user "$GITHUB_USERNAME" ``` -------------------------------- ### Migrate V3 Web Fingerprints to V4 Format Source: https://context7.com/0x727/fingerprinthub/llms.txt Convert old v3 format Web fingerprint YAML (priority/fingerprint structure) to the current v4 format (info/http/matchers structure). Output is placed in the web-fingerprint/00_unknown/ directory for manual review. ```bash cargo run -- --v3-to-v4 /path/to/v3-fingerprints/ ``` -------------------------------- ### Stage, Commit, and Push Changes Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Stage your modified or new fingerprint rule files, commit them with a descriptive message, and push the changes to your fork's branch. ```bash git add 你添加或者修改的文件名 git commit -m "添加的组件名或者你的描述" git push origin thinkphp ``` -------------------------------- ### Clone FingerprintHub Repository Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Clone the FingerprintHub project to your local machine using Git. This is the first step for contributing new rules. ```bash git clone git@github.com:你的个人github用户名/FingerprintHub.git ``` -------------------------------- ### Synchronize Nuclei Templates Source: https://context7.com/0x727/fingerprinthub/llms.txt This command synchronizes vulnerability templates (CVE, CNVD, default logins) from a local `nuclei-templates/` repository into the `plugins/` directory. It categorizes templates by vendor and product and then generates web fingerprint rules using CSE syntax. ```bash # 同步 nuclei-templates(需先 clone nuclei-templates 到同级目录) # git clone https://github.com/projectdiscovery/nuclei-templates.git car go run -- --sync # 同步范围: # nuclei-templates/http/cves/ -> plugins///CVE-*.yaml # nuclei-templates/http/cnvd/ -> plugins///CNVD-*.yaml # nuclei-templates/http/default-logins/ -> plugins///*-default-login.yaml # nuclei-templates/http/vulnerabilities/ -> plugins///*.yaml ``` -------------------------------- ### Create a New Branch for Contributions Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Create and switch to a new branch before making any modifications. This follows the best practice of not committing directly to the main branch. ```bash git checkout -b thinkphp ``` -------------------------------- ### YAML Keyword Matcher with AND Condition Source: https://context7.com/0x727/fingerprinthub/llms.txt Demonstrates keyword matching in HTTP probes, supporting 'and' and 'or' conditions for multiple words. Can also match specific parts like headers. ```yaml # Tomcat 多关键词 AND 匹配示例 id: tomcat info: name: tomcat author: cn-kali-team tags: detect,tech,tomcat severity: info metadata: product: tomcat vendor: apache verified: true http: - method: GET path: - '{{BaseURL}}/' matchers: # AND 条件:两个关键词必须同时出现在 body 中 - type: word words: - /manager/html - /manager/status condition: and # 独立匹配响应头中的 Server 字段 - type: word words: - apache-coyote part: header case-insensitive: true ``` -------------------------------- ### Fetch All Branches and Upstream Changes Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Fetch all branches from all remotes and specifically from the upstream remote. This ensures you have the latest code. ```bash git fetch --all git fetch upstream ``` -------------------------------- ### Configure Upstream Remote for Updates Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Add the original FingerprintHub repository as an upstream remote to fetch updates. This helps keep your fork synchronized. ```bash cd FingerprintHub git remote add upstream git@github.com:0x727/FingerprintHub.git git fetch upstream ``` -------------------------------- ### Verify Single Fingerprint with Debug Output Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Use this command to verify a specific YAML rule against a target URL. The `--debug` flag provides detailed output for troubleshooting. ```bash #!/bin/bash ➜ ./observer_ward -t http://httpbin.org -p observer_ward/examples/json.yaml --debug [INFO ] 📇probes loaded: 1 [INFO ] 🎯target loaded: 1 [INFO ] 🚀optimized probes: 1 [DEBUG] start: http://httpbin.org/ [DEBUG] Request { uri: http://httpbin.org/ip, version: HTTP/1.1, method: GET, headers: { "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "content-type": "application/json", }, body: None, raw_request: None, } [DEBUG] Response { version: HTTP/1.1, uri: http://httpbin.org/ip, status_code: 200, headers: { "date": "Mon, 08 Jul 2024 13:19:59 GMT", "content-type": "application/json", "content-length": "32", "connection": "keep-alive", "server": "gunicorn/19.9.0", "access-control-allow-origin": "*", "access-control-allow-credentials": "true", }, extensions: Extensions, body: Some( { "origin": "1.1.1.1" } , ), } [DEBUG] end: http://httpbin.org/ 🏹: http://httpbin.org/ |_🎯:[ http://httpbin.org/] |_🎯:[ http://httpbin.org/ip [httpbin-ip] <>] |_📰: ip:["1.1.1.1"] ``` -------------------------------- ### Contribute New Fingerprint Rule - Git Workflow Source: https://context7.com/0x727/fingerprinthub/llms.txt Standard Git workflow for contributing fingerprint rules to FingerprintHub. Requires forking, cloning, creating a feature branch named after the component, and submitting a Pull Request. ```bash git clone git@github.com:/FingerprintHub.git cd FingerprintHub ``` ```bash git remote add upstream git@github.com:0x727/FingerprintHub.git git fetch upstream ``` ```bash git checkout -b thinkphp ``` ```bash cat > web-fingerprint/thinkphp/thinkphp.yaml << 'EOF' id: thinkphp info: name: thinkphp author: your-github-username tags: detect,tech,thinkphp severity: info metadata: product: thinkphp vendor: thinkphp verified: true http: - method: GET path: - '{{BaseURL}}/' matchers: - type: favicon hash: - f49c4a4bde1eec6c0b80c2277c76e3db - type: word words: - href="http://www.thinkphp.cn">thinkphp - thinkphp_show_page_trace case-insensitive: true EOF ``` ```bash git add web-fingerprint/thinkphp/thinkphp.yaml git commit -m "feat: 添加 thinkphp 指纹规则" git push origin thinkphp ``` -------------------------------- ### Convert Nmap Service Fingerprints to YAML Source: https://context7.com/0x727/fingerprinthub/llms.txt Use this command to parse Nmap nmap-service-probes files into standard YAML format. Each Nmap match rule is converted into a unique YAML template named by its MurmurHash3 hash. ```bash cargo run -- --service ``` -------------------------------- ### YAML HTTP Probe with Multiple Paths Source: https://context7.com/0x727/fingerprinthub/llms.txt Defines HTTP probes for identifying web components, supporting multiple paths and custom headers. The '{{BaseURL}}' template variable is used for the base URL. ```yaml # 多路径探测示例(web-fingerprint/apache/nacos.yaml 类似结构) id: nacos info: name: nacos author: cn-kali-team tags: detect,tech,nacos severity: info metadata: product: nacos vendor: alibaba verified: true http: - method: GET path: - '{{BaseURL}}/' - '{{BaseURL}}/nacos/' headers: Cookie: rememberMe=admin;rememberMe-K=admin matchers: - type: word words: - 'nacos' case-insensitive: true ``` -------------------------------- ### Detect SSH Service and Extract Version Source: https://context7.com/0x727/fingerprinthub/llms.txt This snippet uses a regex extractor to identify SSH services and capture protocol and version information. It's useful for service discovery and version enumeration. ```yaml id: ssh info: name: OpenSSH author: cn-kali-team tags: detect,tech,ssh,service severity: info metadata: # $1 对应正则第1组(协议版本),$2 对应第2组(OpenSSH版本) info: protocol $1 version: $2 tcp: - name: "null" inputs: - data: "" host: - '{{Hostname}}' extractors: - name: ssh type: regex regex: # 提取组1: 协议版本 (如 2.0), 提取组2: OpenSSH版本 (如 9.7) - '(?x)^SSH-([-]+)-OpenSSH[_-]([-]+)\s*\r?\n' # 预期输出示例: version:["9.7"] info:["protocol 2.0"] ``` -------------------------------- ### Convert YAML Rules to JSON Source: https://context7.com/0x727/fingerprinthub/llms.txt This command compiles YAML fingerprint rules into JSON format for use with other tools. It generates `web_fingerprint_v4.json` and `service_fingerprint_v4.json`. ```bash # 编译 YAML 规则库为 JSON(在项目根目录执行) car go run -- --convert # 输出文件: # web_fingerprint_v4.json (所有 Web 指纹规则) # service_fingerprint_v4.json (所有服务指纹规则) # 生成的 JSON 条目示例结构: # [ # { # "id": "apache-activemq", # "info": { # "name": "apache-activemq", # "author": "cn-kali-team", # "tags": "detect,tech,apache-activemq", # "severity": "info", # "metadata": { "product": "activemq", "vendor": "apache", "verified": true } # }, # "http": [{ "method": "GET", "path": ["{{BaseURL}}/"], "matchers": [...] }] # }, # ... # ] ``` -------------------------------- ### YAML Favicon Hash Matcher Source: https://context7.com/0x727/fingerprinthub/llms.txt Uses favicon hash values (MD5 or MurmurHash3) for component identification. The tool automatically extracts favicon links from the homepage. ```yaml # web-fingerprint/atlassian/confluence.yaml id: confluence info: name: confluence author: cn-kali-team tags: detect,tech,confluence severity: info metadata: product: confluence vendor: atlassian verified: true fofa-query: - app="atlassian-confluence" - icon_hash="-305179312" shodan-query: - http.component:"atlassian confluence" - cpe:"cpe:2.3:a:atlassian:confluence" http: - method: GET path: - '{{BaseURL}}/' matchers: # mmh3 哈希值(负数也合法) - type: favicon hash: - '-305179312' # 也可同时填写 md5: 4644f2d45601037b8423d45e13194c93 ``` -------------------------------- ### Rule ID and Basic Information Source: https://github.com/0x727/fingerprinthub/blob/main/README.md Defines the basic information for a fingerprint rule, including ID, name, author, tags, severity, and metadata. The metadata can store CPE information for vulnerability correlation. ```yaml id: thinkphp info: name: thinkphp author: cn-kali-team tags: detect,tech,thinkphp severity: info metadata: product: thinkphp vendor: thinkphp verified: true ``` -------------------------------- ### Validate Single Fingerprint Rule with observer_ward Source: https://context7.com/0x727/fingerprinthub/llms.txt Validate a single YAML fingerprint rule using observer_ward. Use the -p flag to load the YAML file and -t to specify the target. The --debug flag provides detailed request/response information. ```bash ./observer_ward -t http://httpbin.org -p examples/json.yaml --debug ``` -------------------------------- ### Adobe ColdFusion XSS Vulnerability Plugin Source: https://context7.com/0x727/fingerprinthub/llms.txt This YAML defines a vulnerability plugin for Adobe ColdFusion, specifically targeting a reflected Cross-Site Scripting (XSS) vulnerability. It uses variables for randomization and includes multiple paths and matchers for detection. ```yaml # plugins/adobe/coldfusion/CVE-2023-44352.yaml id: CVE-2023-44352 info: name: Adobe Coldfusion - Cross-Site Scripting author: pwnwithlove severity: medium description: | Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. classification: cvss-score: 6.1 cve-id: CVE-2023-44352 cwe-id: CWE-79 cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:* metadata: verified: true vendor: adobe product: coldfusion # 与 web-fingerprint/adobe/coldfusion.yaml 关联 fofa-query: - title="coldfusion administrator login" tags: cve,cve2023,coldfusion,adobe,xss,vuln variables: string: "{{rand_base(8)}}" # 随机字符串,避免缓存干扰 http: - method: GET path: - '{{BaseURL}}/{{string}}}}">/..CFIDE/wizards/common/_authenticatewizarduser.cfm' - '{{BaseURL}}//{{string}}}}">/..CFIDE/administrator/index.cfm' stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - 'action="/{{string}}}}">' - '"{{string}}}}">' condition: or - type: dsl dsl: - "contains(body, 'ColdFusion')" - "contains(header, 'text/html')" condition: and ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.