StackOverflowExcept1on / CVE-2021-36393

Error-based blind SQL injection with bit-shifting approach for Moodle 3.10.4

Limited functionality of the script #1

Open doterurod opened 5 hours ago

doterurod commented 5 hours ago

I was trying to run the script, but unfortunately with no results.

The script returns empty values for all the functions being run.

The target website is version 3.9.7.

The code returns this result:

user profile: https://websitename/user/profile.php?id=NaN
count of sessions: NaN
length of 'select version()' = null
query1: 299.468017578125 ms

The target is proven to be vulnerable to a blind time-based SQL injection using this method.

Is there something I can do to fix this issue?

StackOverflowExcept1on commented 5 hours ago

You need to log in with some account (not sure if guest is suitable) and probably be enrolled in at least 1 course.

StackOverflowExcept1on commented 5 hours ago

The target is proven to be vulnerable to a blind time-based SQL injection using this method.

If you know that the target is vulnerable and you have a sleep-based method, then you can write a SQL query that will try to steal a session of any admin from the mdl_sessions table, and you need to check that the user id is one of those in select * from mdl_config where name='siteadmins' (maybe you will need to know the time when some important teacher with the necessary rights will start a lecture, to use the exploit at that moment). Once you have stolen the session, you can use the EditThisCookie extension and the keep_session.js script so as not to lose the admin session.

Then google how to create a new admin in Moodle to escalate your privileges and not steal sessions anymore. Also immediately install the plugin https://github.com/p0dalirius/Moodle-webshell-plugin to get the RCE vulnerability on the victim's site and do with it what you want.

Once you get RCE you can change any part of the site and steal any passwords and data that users enter. For example, you can fake SSO authorization via evilginx to increase privileges even more.

Also check this:

doterurod commented 3 hours ago

> You need to log in with some account (not sure if guest is suitable) and probably be enrolled in at least 1 course.

Have tried this with an account with some enrolled courses, but to no avail.

> The target is proven to be vulnerable to a blind time-based SQL injection using this method.
>
> If you know that the target is vulnerable and you have a sleep-based method, then you can write a SQL query that will try to steal a session of any admin from the mdl_sessions table, and you need to check that the user id is one of those in select * from mdl_config where name='siteadmins' (maybe you will need to know the time when some important teacher with the necessary rights will start a lecture, to use the exploit at that moment). Once you have stolen the session, you can use the EditThisCookie extension and the keep_session.js script so as not to lose the admin session.
>
> Then google how to create a new admin in Moodle to escalate your privileges and not steal sessions anymore. Also immediately install the plugin https://github.com/p0dalirius/Moodle-webshell-plugin to get the RCE vulnerability on the victim's site and do with it what you want.
>
> Once you get RCE you can change any part of the site and steal any passwords and data that users enter. For example, you can fake SSO authorization via evilginx to increase privileges even more.
>
> Also check this:

Thanks for the quick answer! Will read the stuff you have provided.

P.S. Maybe you know some things I can try so that I can fix and run your version of the exploit?