Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-11-27 15:12:11 +00:00

Translator dfd36b1f20 Translated ['README.md', 'backdoors/salseo.md', 'forensics/basic-forensi

2023-11-03 12:01:26 +00:00

12 KiB

Raw Blame History

Moodle

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

你在网络安全公司工作吗？想要在HackTricks中宣传你的公司吗？或者你想要获取PEASS的最新版本或下载HackTricks的PDF吗？请查看订阅计划！
发现我们的独家NFTs收藏品- The PEASS Family
获取官方PEASS和HackTricks周边产品
加入💬 Discord群组 或者 telegram群组 或者关注我在Twitter上的🐦@carlospolopm.
通过向hacktricks repo 和hacktricks-cloud repo 提交PR来分享你的黑客技巧。

如果你对黑客职业感兴趣并且想要攻破不可攻破的目标- 我们正在招聘！（需要流利的波兰语书写和口语能力）。

{% embed url="https://www.stmcyber.com/careers" %}

自动扫描

droopescan

pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/

[+] Plugins found:
forum http://moodle.schooled.htb/moodle/mod/forum/
http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
http://moodle.schooled.htb/moodle/mod/forum/version.php

[+] No themes found.

[+] Possible version(s):
3.10.0-beta

[+] Possible interesting urls found:
Static readme file. - http://moodle.schooled.htb/moodle/README.txt
Admin panel - http://moodle.schooled.htb/moodle/login/

[+] Scan finished (0:00:05.643539 elapsed)

moodlescan

moodlescan is a command-line tool used for scanning Moodle installations for vulnerabilities. It is written in Python and can be used to perform various security tests on Moodle websites.

To use moodlescan, you need to provide the target Moodle website URL as a parameter. The tool will then scan the website for common vulnerabilities, such as SQL injection, cross-site scripting (XSS), and file inclusion.

Here is an example of how to use moodlescan:

moodlescan http://example.com/moodle

The tool will start scanning the Moodle website and display the results in the command-line interface. It will provide information about any vulnerabilities found, along with recommendations for remediation.

It is important to note that moodlescan should only be used for ethical hacking purposes, such as penetration testing or security auditing. Unauthorized use of this tool is illegal and can result in severe consequences.

Overall, moodlescan is a useful tool for identifying and addressing security vulnerabilities in Moodle installations. By regularly scanning your Moodle website, you can ensure that it remains secure and protected against potential attacks.

#Install from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/

Version 0.7 - Dic/2020
.............................................................................................................

By Victor Herrera - supported by www.incode.cl

.............................................................................................................

Getting server information http://moodle.schooled.htb/moodle/ ...

server         	: Apache/2.4.46 (FreeBSD) PHP/7.4.15
x-powered-by   	: PHP/7.4.15
x-frame-options	: sameorigin
last-modified  	: Wed, 07 Apr 2021 21:33:41 GMT

Getting moodle version...

Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta

Searching vulnerabilities...


Vulnerabilities found: 0

Scan completed.

CMSMap

CMSMap是一款用于扫描和识别Moodle网站的工具。Moodle是一种广泛使用的开源学习管理系统，用于创建在线课程和虚拟学习环境。CMSMap可以帮助渗透测试人员发现Moodle网站上的漏洞和弱点。

使用CMSMap，您可以执行以下操作：

扫描网站：CMSMap可以扫描目标网站，识别是否使用了Moodle CMS。
识别版本：CMSMap可以确定目标Moodle网站的版本号，这对于查找已知漏洞和弱点非常有用。
枚举用户：CMSMap可以枚举Moodle网站上的用户，包括管理员和其他用户。
发现插件：CMSMap可以发现目标Moodle网站上安装的插件和扩展。
检查漏洞：CMSMap可以检查目标Moodle网站是否存在已知的漏洞和安全问题。

要使用CMSMap，您需要提供目标Moodle网站的URL。然后，CMSMap将自动执行扫描并提供有关网站的详细信息。这些信息可以帮助您评估目标网站的安全性，并采取必要的措施来保护它免受潜在的攻击。

请注意，使用CMSMap进行渗透测试需要获得合法的授权，并遵守适用的法律和道德准则。

pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://moodle.example.com/<moodle_path>

CVEs

我发现自动工具在发现影响 Moodle 版本的漏洞方面相当无用。你可以在 https://snyk.io/vuln/composer:moodle%2Fmoodle 上检查它们。

RCE

你需要拥有管理员角色，并且可以在“站点管理”选项卡中安装插件：

即使你是管理员，你可能仍然需要激活此选项。你可以在 Moodle 特权升级 PoC 中查看如何激活：https://github.com/HoangKien1020/CVE-2020-14321。

然后，你可以安装以下包含经典 pentest-monkey php 反向 shell 的插件（在上传之前，你需要解压缩它，更改反向 shell 的 IP 和端口，然后再次压缩）：

{% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %}

或者你可以使用来自 https://github.com/HoangKien1020/Moodle_RCE 的插件，以获取带有 "cmd" 参数的常规 PHP shell。

要访问启动恶意插件，你需要访问：

http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id

POST

查找数据库凭据

To find database credentials in a Moodle application, you can start by analyzing the POST requests made by the application. These requests often contain sensitive information, such as database credentials, that are sent from the client to the server.

To begin, intercept the POST requests using a proxy tool like Burp Suite. Once you have intercepted a POST request, analyze its parameters and look for any fields that may contain database credentials. Common parameter names to look for include "db_user", "db_password", "db_username", and "db_passwd".

If you find any parameters that appear to contain database credentials, note down their values. These values may be encrypted or encoded, so you may need to decrypt or decode them to obtain the actual credentials.

Once you have obtained the database credentials, you can use them to gain unauthorized access to the database. This can be done by connecting to the database using a database management tool or by using the credentials in other parts of the application that require database access.

Remember to always obtain proper authorization before attempting any penetration testing activities. Unauthorized access to databases or other systems is illegal and unethical.

find / -name "config.php" 2>/dev/null | grep "moodle/config.php"

从数据库中获取凭据

To dump credentials from a database, you can follow these steps:

Identify the target database: Determine the type of database being used by the web application. Common databases include MySQL, PostgreSQL, Oracle, and Microsoft SQL Server.
Enumerate database users: Use techniques such as SQL injection or brute-forcing to identify the database users. This can be done by exploiting vulnerabilities in the web application or by using default or weak credentials.
Gain database access: Once you have identified a valid database user, attempt to gain access to the database. This can be done by leveraging SQL injection vulnerabilities or by using stolen or cracked credentials.
Dump the credentials: Once you have access to the database, you can extract the credentials stored within it. This can be done by executing SQL queries to retrieve the username and password hashes or by exporting the entire user table.
Crack the password hashes: If the passwords are stored as hashes, you will need to crack them to obtain the plaintext passwords. This can be done using tools like John the Ripper or Hashcat, which use various techniques such as dictionary attacks or brute-forcing.

Remember to always obtain proper authorization before performing any database penetration testing activities. Unauthorized access to databases is illegal and unethical.

/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"

如果你对黑客职业感兴趣并想要攻破不可攻破的东西 - 我们正在招聘！（需要流利的波兰语书面和口语表达能力）。