Module: Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool

Includes:
Msf::Exploit::Remote::HttpClient
Included in:
Msf::Exploit::Remote::HTTP::Nifi
Defined in:
lib/msf/core/exploit/remote/http/nifi/dbconnectionpool.rb

Defined Under Namespace

Classes: DBConnectionPoolError

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::HttpClient

#client, #cookie_jar

Instance Method Summary collapse

Methods included from Msf::Exploit::Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#create_dbconnectionpool(token, name, process_group, nifi_version) ⇒ Object

Create DB Connection Pool

Parameters:

  • token (String)

    The bearer token from a valid login, or nil for no Authorization headers

  • name (String)

    Name to give to the db connection pool

  • process_group (String)

    UUID of the process_group

  • nifi_version (String)

    version number of the nifi instance

Raises:



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
 
# File 'lib/msf/core/exploit/remote/http/nifi/dbconnectionpool.rb', line 119

def create_dbconnectionpool(token, name, process_group, nifi_version)
  vprint_status("Attempting to create DB Connection Pool in Process Group: #{process_group}")
  body = {
    'revision' =>
        {
          'clientId' => 'x',
          'version' => 0
        },
    'disconnectedNodeAcknowledged' => false,
    'component' => {
      'type' => 'org.apache.nifi.dbcp.DBCPConnectionPool',
      'bundle' => {
        'group' => 'org.apache.nifi',
        'artifact' => 'nifi-dbcp-service-nar',
        'version' => nifi_version.to_s
      },
      'name' => name
    }
  }
  opts = {
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'nifi-api', 'process-groups', process_group, 'controller-services'),
    'ctype' => 'application/json',
    'data' => body.to_json
  }
  opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
  res = send_request_cgi(opts)
  raise DBConnectionPoolError if res.nil?

  unless res.code == 201
    print_bad("Unexpected response code: #{res.code}")
    raise DBConnectionPoolError
  end
  print_good('DB Connection Pool Created successfully')
  res.get_json_document['id']
end

#delete_dbconnectionpool(token, db_con_pool, version = 0) ⇒ Object

Delete DB Connection Pool

Parameters:

  • token (String)

    The bearer token from a valid login, or nil for no Authorization headers

  • db_con_pool (String)

    UUID of the DBConnectionPool

  • version (Integer) (defaults to: 0)

    version of the DBConnectionPool to delete

Raises:



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
 
# File 'lib/msf/core/exploit/remote/http/nifi/dbconnectionpool.rb', line 46

def delete_dbconnectionpool(token, db_con_pool, version = 0)
  vprint_status("Attempting to delete version #{version} of DB Connection Pool: #{db_con_pool}")
  opts = {
    'method' => 'DELETE',
    'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool),
    'vars_get' => { 'version' => version }
  }
  opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
  res = send_request_cgi(opts)

  raise DBConnectionPoolError if res.nil?

  while res.code == 400 && res.body.include?('is not the most up-to-date revision') && version <= 20
    version += 1
    opts['vars_get'] = { 'version' => version }

    res = send_request_cgi(opts)
    raise DBConnectionPoolError if res.nil?

    vprint_status("Found newer revision of #{db_con_pool}, attempting to delete version #{version}") if res.code == 400 && res.body.include?('is not the most up-to-date revision')
  end

  if version == 20
    print_bad("Aborting after attempting to delete #{version} version of DB Connection Pool: #{db_con_pool}")
    raise DBConnectionPoolError
  end

  unless res.code == 200
    print_bad("Unexpected response code: #{res.code}")
    raise DBConnectionPoolError
  end
  print_good('DB Connection Pool Delete sent successfully')
end

#start_dbconnectionpool(token, db_con_pool) ⇒ Object

Start DB Connection Pool

Parameters:

  • token (String)

    The bearer token from a valid login, or nil for no Authorization headers

  • db_con_pool (String)

    UUID of the DBConnectionPool

Raises:



84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
# File 'lib/msf/core/exploit/remote/http/nifi/dbconnectionpool.rb', line 84

def start_dbconnectionpool(token, db_con_pool)
  vprint_status("Attempting to start DB Connection Pool: #{db_con_pool}")
  body = {
    'disconnectedNodeAcknowledged' => false,
    'state' => 'ENABLED',
    'uiOnly' => true,
    'revision' => {
      'clientId' => 'x',
      'version' => 0
    }
  }
  opts = {
    'method' => 'PUT',
    'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool, 'run-status'),
    'ctype' => 'application/json',
    'data' => body.to_json
  }
  opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
  res = send_request_cgi(opts)
  raise DBConnectionPoolError if res.nil?

  unless res.code == 200
    print_bad("Unexpected response code: #{res.code}")
    raise DBConnectionPoolError
  end
  print_good('DB Connection Pool Start sent successfully')
end

#stop_dbconnectionpool(token, db_con_pool) ⇒ Object

Stop DB Connection Pool

Parameters:

  • token (String)

    The bearer token from a valid login, or nil for no Authorization headers

  • db_con_pool (String)

    UUID of the DBConnectionPool

Raises:



13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
 
# File 'lib/msf/core/exploit/remote/http/nifi/dbconnectionpool.rb', line 13

def stop_dbconnectionpool(token, db_con_pool)
  vprint_status("Attempting to stop DB Connection Pool: #{db_con_pool}")
  body = {
    'disconnectedNodeAcknowledged' => false,
    'state' => 'DISABLED',
    'uiOnly' => true,
    'revision' => {
      'clientId' => 'x',
      'version' => 0
    }
  }
  opts = {
    'method' => 'PUT',
    'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool, 'run-status'),
    'ctype' => 'application/json',
    'data' => body.to_json
  }
  opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
  res = send_request_cgi(opts)
  raise DBConnectionPoolError if res.nil?

  unless res.code == 200
    print_bad("Unexpected response code: #{res.code}")
    raise DBConnectionPoolError
  end
  print_good('DB Connection Pool Stop sent successfully')
end