badmoodle

Moodle community-based vulnerability scanner

Description

badmoodle is an unofficial community-based vulnerability scanner for moodle that scans for canonical and non-canonical Moodle vulnerabilities.

badmoodle's purpose is to help penetration testers, bug hunters and security researchers find more vulnerabilities on moodle instances.

Since badmoodle is community-based, it will scan for two different kind of vulnerabilities:

• Official vulnerabilities: The canonical ones published in Moodle security advisory blog;

• Community vulnerabilities: The non-canonical ones that are not present in Moodle security advisory blog.

The community vulnerability scan can run in two modes:

• Check mode: Only checks if the host is vulnerable or not;

• Exploit mode: If the host is vulnerable, exploit the vulnerabilities.

If not specified, the scan will run in check mode.

Installation

Installing badmoodle is very simple, it can be performed in just a few steps:

• Clone the repository:

  git clone https://github.com/cyberaz0r/badmoodle

• Dive into "badmoodle" directory:

  cd badmoodle

• Install requirements for Python:

  pip3 install -r requirements.txt

• Give execution permissions to "badmoodle.py":

  chmod +x badmoodle.py

• Run "badmoodle.py":

  ./badmoodle.py

If you see the badmoodle logo and help with no errors you are good to go :)

Usage

Using badmoodle is also very simple. Once installed you can run it with the following options:

• -h, --help

  Show logo and help with options and their descriptions, then exit

• -u TARGET_URL, --url TARGET_URL

  Moodle target URL (required)

• -a USERNAME:PASSWORD, --auth USERNAME:PASSWORD

  Moodle username and password separated by ":" (default: none)

• -p PROXY_ADDRESS:PORT, --proxy PROXY_ADDRESS:PORT

  Proxy used for connecting to moodle (default: none)

• -H HEADER, --header HEADER

  Headers used for HTTP connections

• -l LEVEL, --level LEVEL

  Level of tests to perform (default: 1)

• -v LEVEL, --verbose LEVEL

  Verbosity level (default: 1)

• -r, --random-agent

  Use a random User Agent for HTTP requests (default: Chrome Win10)

• -e, --exploit

  Enable exploit mode (default: check mode)

• -s, --scrape

  Scraping mode: scrape all the pages from moodle and save the result in a JSON file (default: disabled)

• -U, --update

  Update badmoodle vulnerability database by scraping Moodle security advisory blog and retrieving new modules from GitHub repository

Community Vulnerability Modules

Since Moodle is so strict about their vulnerability disclosure program, a lot of vulnerabilities that security researchers discover and share with Moodle end up rejected or put on hold forever.

All these vulnerabilities will never see the light, they will be left unfixed and forgotten by Moodle... but not by badmoodle ;)

You can just add a community vulnerability module with your exploit code and badmoodle will execute it for you :)

badmoodle is modular, which means that you can add a community vulnerability module that will be executed by badmoodle without interfering with the rest of the code.

Adding a community vulnerability module is very simple: just create a .py file inside the "vulns" directory and badmoodle will execute it alongside the other modules.

badmoodle needs only 2 requirements to make your module work:

• It must have a boolean variable enabled.

  This boolean variable is used to determine wether badmoodle should run the module or not. This allows to enable or disable modules by simply editing this variable without removing it from the "vulns" folder.

• It must have the functions check(args, sess, version) and exploit(args, sess, version)

  These are the main functions of the module, the ones badmoodle will call in the core. Through these functions badmoodle will pass to the module the script arguments, the request session object of the script (useful for authenticated sessions) and moodle version.

  The check function is a boolean function that only checks whether the host is vulnerable or not, the exploit function instead will exploit that vulnerability.

  If in check mode badmoodle will call only the check function to only determine whether the host is vulnerable or not, if in exploit mode badmoodle will also call the exploit function for exploiting the vulnerability.

There follows a template for a badmoodle community vulnerability module:

'''
@Title:
MODULE_TITLE

@Author:
MODULE_AUTHOR

@Description:
MODULE_DESCRIPTION
'''


enabled = True


def check(args, sess, version):
	#YOUR_CHECK_CODE_HERE
	#return True if the host is vulnerable, False otherwise


def exploit(args, sess, version):
	#YOUR_EXPLOIT_CODE_HERE

badmoodle comes with 2 community vulnerability modules built-in:

• A module for a Dashboard Stored XSS vulnerability

• A module for an Atto Editor Stored XSS vulnerability

Contribute

If you wrote a community vulnerability module for badmoodle and want to share it with the community, you can contribute to the badmoodle project.

Pull requests with new community vulnerability modules are very welcome :)

Also, if you want to report a bug, feel free to open an issue or contact me via mail at [email protected]

Credits

badmoodle is coded by Michele 'cyberaz0r' Di Bonaventura.

A special thanks to Panfilo Salutari for the idea of the concept of the tool.

Thanks to moodlescan (https://github.com/inc0d3/moodlescan) for the specific version check technique and its version database.