CVE-2021-36393 PoC — Moodle SQL Injection Vulnerability

Associated Vulnerability
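Title: Moodle SQL Injection Vulnerability (CVE-2021-36393)
Description: Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. Moodle contains a SQL injection vulnerability caused by insufficient sanitization of user-supplied data in the library that fetches a user's recent courses. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands in the application's database. Affected products and versions: Moodle: 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.11, 3.11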
Description
Error-based blind SQL injection with bit-shifting approach for Moodle 3.10.4
Readme
### CVE-2021-36393

Error-based blind SQL injection with bit-shifting approach for Moodle 3.10.4.

Allows an attacker to perform arbitrary database queries. For example, you can steal:

- test answers from the database

  Modify the [`script.js`](script.js) file and run it on route `/mod/quiz/attempt.php?attempt=...&cmid=...`

- user password hashes:
  ```sql
  (SELECT password FROM mdl_user WHERE id = 2 LIMIT 1)
  ```

- user sessions:
  ```sql
  (SELECT sid FROM mdl_sessions ORDER BY id DESC LIMIT 1)
  ```

### How to use it?

You must be logged in and enrolled in at least one course. Then just copy the [`script.js`](script.js) code into your
browser console and run it on a website that has the vulnerable version of Moodle installed.

### How to check the installed version of Moodle?

```bash
DOMAIN="example.com"
# The first lines of lib/upgrade.txt show the most recent release heading
curl -s "https://$DOMAIN/lib/upgrade.txt" | head
```
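
For triaging your own instance from that output, the following added example (not part of the PoC repository) extracts the first release heading and compares it with the affected versions listed in the advisory text on this page. It assumes `lib/upgrade.txt` marks releases with `=== X.Y.Z ===` headings, newest first; the function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the PoC repository.
# Affected releases exactly as listed in the advisory text on this page.
AFFECTED="3.9.0 3.9.1 3.9.2 3.9.3 3.9.4 3.9.5 3.9.6 3.9.7 3.10.0 3.10.1 3.10.2 3.10.3 3.10.4 3.11"

# Print the first "=== X.Y[.Z] ===" heading read from stdin.
# Assumption: lib/upgrade.txt uses such headings, newest release first.
first_heading() {
    sed -n 's/^=== *\([0-9][0-9.]*[0-9]\) *===.*$/\1/p' | head -n 1
}

# Treat "3.11" and "3.11.0" as the same release.
norm() {
    case "$1" in
        *.*.*) printf '%s\n' "$1" ;;
        *)     printf '%s.0\n' "$1" ;;
    esac
}

# Classify a version string: listed | same-branch | not-listed | unknown.
classify() {
    if [ -z "$1" ]; then echo "unknown"; return 0; fi
    v=$(norm "$1")
    for a in $AFFECTED; do
        if [ "$v" = "$(norm "$a")" ]; then echo "listed"; return 0; fi
    done
    # Not an exact match: report whether it is at least on a listed branch.
    case "$(printf '%s' "$v" | cut -d. -f1,2)" in
        3.9|3.10|3.11) echo "same-branch" ;;
        *)             echo "not-listed" ;;
    esac
}

# Constructed sample of the first lines of lib/upgrade.txt (not real output).
SAMPLE='=== 3.10.4 ===
* constructed entry
=== 3.10 ===
* constructed entry'

heading=$(printf '%s\n' "$SAMPLE" | first_heading)
echo "heading=$heading class=$(classify "$heading")"
```

The heading only changes when a release carries API notes, so it is a lower bound on the installed release; confirm the exact release on the server (the `$release` value in `version.php`) before drawing a conclusion.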
File Snapshot

```
[4.0K] /data/pocs/6059dd4f806ea03a406039343e2224fa10e6665a
├── [1.3K] keep_session.js
├── [ 877] README.md
└── [4.3K] script.js

0 directories, 3 files
```