Moodle

Automatic Scans

droopescan

pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/

[+] Plugins found:                                                              
    forum http://moodle.schooled.htb/moodle/mod/forum/
        http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
        http://moodle.schooled.htb/moodle/mod/forum/version.php

[+] No themes found.

[+] Possible version(s):
    3.10.0-beta

[+] Possible interesting urls found:
    Static readme file. - http://moodle.schooled.htb/moodle/README.txt
    Admin panel - http://moodle.schooled.htb/moodle/login/

[+] Scan finished (0:00:05.643539 elapsed)
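The URLs reported in the scan output above are static files (README.txt, a module's upgrade.txt and version.php), so the same requests are visible in the web server's access log. The following is an added detection example, not part of the original page or of droopescan: it flags clients that fetch several such files within a few seconds. The log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File names taken from the URLs in the scan output above.
FINGERPRINT_RE = re.compile(r"/(?:README\.txt|upgrade\.txt|version\.php)$", re.I)
# Common/combined access log format (assumption about the server's log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def find_fingerprinting(lines, min_paths=3, window=timedelta(seconds=10)):
    """Return {client_ip: sorted paths} for clients that requested at least
    min_paths distinct fingerprint files inside one sliding time window."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if FINGERPRINT_RE.search(path):  # 404s count too: probing is the signal
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, path))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "GET /moodle/README.txt HTTP/1.1" 200 780 "-" "-"
203.0.113.7 - - [12/Mar/2021:10:00:02 +0000] "GET /moodle/mod/forum/upgrade.txt HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [12/Mar/2021:10:00:03 +0000] "GET /moodle/mod/forum/version.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [12/Mar/2021:10:00:04 +0000] "GET /moodle/mod/quiz/upgrade.txt HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [12/Mar/2021:10:00:05 +0000] "GET /moodle/login/index.php HTTP/1.1" 200 9100 "-" "-"
198.51.100.20 - - [12/Mar/2021:10:05:00 +0000] "GET /moodle/README.txt HTTP/1.1" 200 780 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_fingerprinting(SAMPLE_LOG).items():
        print(ip, "requested", len(paths), "fingerprint files:", paths)
```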

moodlescan

CMSMap

CVEs

I found that the automatic tools are pretty useless for finding vulnerabilities affecting the Moodle version. You can check for them at https://snyk.io/vuln/composer:moodle%2Fmoodle

RCE

You need to have the manager role; you can then install plugins inside the "Site administration" tab.

If you are a manager you may still need to activate this option. You can see how in the Moodle privilege escalation PoC: https://github.com/HoangKien1020/CVE-2020-14321

Then, you can install the following plugin that contains the classic pentest-monkey PHP rev shell (before uploading it you need to decompress it, change the IP and port of the revshell and compress it again).


Or you could use the plugin from https://github.com/HoangKien1020/Moodle_RCE to get a regular PHP shell with the "cmd" parameter.

To launch the malicious plugin you need to access:

POST

Find database credentials

Dump Credentials from database
