Module: Msf::Exploit::Remote::HTTP::Nifi

Includes:
Auth, Dbconnectionpool, Processor, Msf::Exploit::Remote::HttpClient
Defined in:
lib/msf/core/exploit/remote/http/nifi.rb

Overview

This module provides a way of interacting with Apache NiFi installations

Defined Under Namespace

Modules: Auth, Dbconnectionpool, Processor

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary collapse

Methods included from Dbconnectionpool

#create_dbconnectionpool, #delete_dbconnectionpool, #start_dbconnectionpool, #stop_dbconnectionpool

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Processor

#create_processor, #delete_processor, #get_processor_field, #start_processor, #stop_processor

Methods included from Auth

#retrieve_login_token, #supports_login?

Instance Method Details

#fetch_root_process_group(token) ⇒ String

Fetch the root process group’s UUID

Parameters:

  • token (String)

    The bearer token from a valid login, or nil for no Authorization headers

Returns:

  • (String)

    The UUID of the root process group



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'lib/msf/core/exploit/remote/http/nifi.rb', line 60

def fetch_root_process_group(token)
  vprint_status('Attempting to retrieve root process group')
  opts = {
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'nifi-api', 'process-groups', 'root')
  }
  opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
  res = send_request_cgi(opts)
  
  if res.nil?
    print_bad("#{peer} - Could not connect to web service - no response")
    return nil
  end

  unless res.code == 200
    print_bad("Unexpected response code: #{res.code}")
    return nil
  end
  res.get_json_document['id']
end

#get_versionGem::Version

Find the version number of the Apache NiFi system based on JS calls on the nifi/ page.

Returns:

  • (Gem::Version)

    version number of the system, or nil on error



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# File 'lib/msf/core/exploit/remote/http/nifi.rb', line 35

def get_version
  vprint_status('Attempting to retrieve version number')
  res = send_request_cgi!(
    'uri' => normalize_uri(target_uri.path, 'nifi/')
  )

  if res.nil?
    print_bad("#{peer} - Could not connect to web service - no response")
    return nil
  end

  unless res.code == 200
    print_bad("#{peer} - Unexpected Response Code (response code: #{res.code})")
    return nil
  end

  return Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]*)">}

  nil
end

#initialize(info = {}) ⇒ Object



14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# File 'lib/msf/core/exploit/remote/http/nifi.rb', line 14

def initialize(info = {})
  super

  register_options(
    [
      Msf::Opt::RPORT(8443),
      Msf::OptString.new('TARGETURI', [ true, 'The URI of the Apache NiFi Application', '/']),
      Msf::OptString.new('USERNAME', [false, 'Username to authenticate with']),
      Msf::OptString.new('PASSWORD', [false, 'Password to authenticate with']),
      Msf::OptString.new('BEARER-TOKEN', [false, 'JWT authenticate with']),
    ], Msf::Exploit::Remote::HTTP::Nifi
  )

  register_advanced_options([
    Msf::OptBool.new('SSL', [true, 'Negotiate SSL connection', true])
  ])
end