Open doterurod opened 5 hours ago
You need to log in with some account (not sure if guest is suitable) and probably be enrolled in at least 1 course.
The target is proven to be vulnerable to a blind time-based SQL injection using this method.
If you know that the target is vulnerable and you have a sleep-based method, then you can write a SQL query that will try to steal a session of any admin from the mdl_sessions table, and you need to check that the user id is one of those in select * from mdl_config where name='siteadmins' (maybe you will need to know the time when some important teacher with the necessary rights will start a lecture to use the exploit at that moment). Once you have stolen the session, you can use the EditThisCookie extension and the keep_session.js script to not lose the admin session. Then google how to create a new admin in Moodle to escalate your privileges and not steal sessions anymore. Also immediately install the plugin https://github.com/p0dalirius/Moodle-webshell-plugin to get the RCE vulnerability on the victim's site and do with it what you want. Once you get RCE you can change any part of the site and steal any passwords and data that users enter. For example, you can fake SSO authorization via evilginx to increase privileges even more.
Also check this:
> You need to log in with some account (not sure if guest is suitable) and probably be enrolled in at least 1 course.

Have tried this with an account with some enrolled courses, but to no avail.
Thanks for the quick answer! Will read the stuff you have provided.
P.S. maybe you know some stuff I can try to fix and run your version of the exploit?
Was trying to run the script, but unfortunately with no results.
The script returns empty values on all functions being run.
The target website is of version 3.9.7
The code returns this result:
The target is proven to be vulnerable to a blind time-based SQL injection using this method.
Is there something I can do to fix this issue?