From 7c2790513dabb5575680f905a8914689eacf97e4 Mon Sep 17 00:00:00 2001
From: h00die
Date: Wed, 24 May 2023 20:05:34 -0400
Subject: [PATCH] apache nifi version scanner
---
.../scanner/http/apache_nifi_version.md | 76 +++++++++++++++++++
.../scanner/http/apache_nifi_version.rb | 62 +++++++++++++++
2 files changed, 138 insertions(+)
create mode 100644 documentation/modules/auxiliary/scanner/http/apache_nifi_version.md
create mode 100644 modules/auxiliary/scanner/http/apache_nifi_version.rb
diff --git a/documentation/modules/auxiliary/scanner/http/apache_nifi_version.md b/documentation/modules/auxiliary/scanner/http/apache_nifi_version.md
new file mode 100644
index 000000000000..60e18e852239
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/apache_nifi_version.md
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+This module identifies Apache NiFi websites and reports their version number.
+
+Tested against NiFi major releases 1.14.0 - 1.21.0, and 1.11.0-1.13.0.
+
+Also works against NiFi <= 1.13.0, but the module needs to be adjusted:
+ - set SSL false
+ - set rport 8080
+
+### Docker Install
+
+Apache manages Docker installs for nifi with version numbers, simply select the version number you wish to install. Examples:
+
+```
+docker run -p 8443:8443 -d apache/nifi:1.21.0
+docker run -p 8443:8443 -d apache/nifi:1.20.0
+docker run -p 8443:8443 -d apache/nifi:1.19.0
+docker run -p 8443:8443 -d apache/nifi:1.18.0
+docker run -p 8443:8443 -d apache/nifi:1.17.0
+docker run -p 8443:8443 -d apache/nifi:1.16.0
+docker run -p 8443:8443 -d apache/nifi:1.15.0
+docker run -p 8443:8443 -d apache/nifi:1.14.0
+docker run -p 8080:8080 -d apache/nifi:1.13.0
+docker run -p 8080:8080 -d apache/nifi:1.13.0
+docker run -p 8080:8080 -d apache/nifi:1.12.0
+docker run -p 8080:8080 -d apache/nifi:1.11.0
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/apache_nifi_version`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get back the version number of the nifi instance
+
+## Options
+
+## Scenarios
+
+### Docker image 1.21.0 and 1.11.0
+
+```
+└─$ docker run -p 8443:8443 -d apache/nifi:1.21.0
+1df39f1d1dc0a4abde9e2daedf8b3dc66d37fb53126e491b7050da618e971dfd
+└─$ ./msfconsole -q
+msf6 > use auxiliary/scanner/http/apache_nifi_version
+msf6 auxiliary(scanner/http/apache_nifi_version) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/apache_nifi_version) > run
+
+[+] Apache NiFi 1.21.0 found on 127.0.0.1
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+```
+└─$ docker run -p 8080:8080 -d apache/nifi:1.11.0
+089f1b164853df8b088a3e80d25d7f886b1934a654ed7807433e3eef46a5973f
+└─$ ./msfconsole -q
+msf6 > use auxiliary/scanner/http/apache_nifi_version
+msf6 auxiliary(scanner/http/apache_nifi_version) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/apache_nifi_version) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 auxiliary(scanner/http/apache_nifi_version) > set rport 8080
+rport => 8080
+msf6 auxiliary(scanner/http/apache_nifi_version) > run
+
+[+] Apache NiFi 1.11.0 found on 127.0.0.1
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/scanner/http/apache_nifi_version.rb b/modules/auxiliary/scanner/http/apache_nifi_version.rb
new file mode 100644
index 000000000000..a60a9785989e
--- /dev/null
+++ b/modules/auxiliary/scanner/http/apache_nifi_version.rb
@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Apache NiFi Version Scanner',
+ 'Description' => %q{
+ This module identifies Apache NiFi websites and reports their version number.
+
+ Tested against NiFi major releases 1.14.0 - 1.21.0, and 1.11.0-1.13.0
+ Also works against NiFi <= 1.13.0, but the module needs to be adjusted:
+ set SSL false
+ set rport 8080
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'h00die',
+ ],
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [],
+ 'SideEffects' => []
+ }
+ )
+ )
+ register_options(
+ [
+ Opt::RPORT(8443),
+ OptString.new('TARGETURI', [ true, 'The URI of the Apache NiFi Application', '/nifi/login'])
+ ]
+ )
+ register_advanced_options([
+ OptBool.new('SSL', [true, 'Negotiate SSL connection', true])
+ ])
+ end
+
+ def run_host(ip)
+ vprint_status("Checking #{ip}")
+ res = send_request_cgi!(
+ 'uri' => normalize_uri(target_uri.path)
+ )
+
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected Respones Code (response code: #{res.code})") unless res.code == 200
+
+ if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]*)">}
+ print_good("Apache NiFi #{Regexp.last_match(1)} found on #{ip}")
+ else
+ print_bad("Apache NiFi not detected on #{ip}")
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+end
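Review bot: The version capture in `run_host` uses `([\d.]*)`, which also matches an empty string, so a page that references `nf-namespace.js?` with no version after it is still printed as a positive hit with a blank version; requiring at least one character fixes that: `if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]+)">}`. The hit is only written to the console with `print_good`, although the description says the module reports the version; recording it (for example through `report_service` or `report_note`) would let the finding feed asset inventory and patch tracking instead of being lost with the console output. The three `fail_with` calls sit inside `run_host`, which the Scanner mixin calls once per host; how a raised failure affects the remaining hosts is not visible in this hunk, so confirm it, or use `print_error` followed by `return` so one unreachable host cannot cut a range scan short. The second message also misspells "Response" as `Respones`.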