Moodle 2.7 Persistent XSS


I hope you all have heard about the Moodle project. The full form is Moodle Modular Object-Oriented Dynamic Learning Environment. This project is a free open-source project which focuses in teaching and learning online courses effectively. Most of the universities, colleges, educational institutes use this application in interacting with students. You can read and research more information on Wikipedia.

Vulnerability and Exploit

This is a persistent XSS I found in Moodle 2.7. Well, this vulnerability was present from the version 2.4.9 till 2.7 so far hidden from the eye 😉 luckily I spotted this while I was fuzzing random stuff against the application.

Edit your user profile and under “Optional” you can see “Skype ID”. Let’s inject some HTML into the Skype ID field and check the output

“>>><h1>Hello World</h1>

It seems like our input is echoed back thrice. In one line the input is being URL encoded since it should be the URL of the user and in another it is being converted to HTML entities, while in the other field it seems like our input is being filtered out. I love to break filters. Here is my quick and small analysis in detail.

Output 1:

<a href=”skype:%22%3E%3E%3EHello+World?call”>

Output 2:

&quot;&gt;&gt;&gt;Hello World



Concrete Multiple XSS

While I was playing around with Concrete CMS, I wanted to know how this application shows us a hyperlink to the “Back” button. I found something interesting in the “download_file.php” file.


line 27

<form action="<?php echo  View::url('/download_file', 'submit_password', $fID) ?>" method="post">
		<?php  if(isset($force)) { ?>
			<input type="hidden" value="<?php echo  $force ?>" name="force" />
		<?php  } ?>
		<input type="hidden" value="<?php echo  $returnURL ?>" name="returnURL" />
		<input type="hidden" value="<?php echo  $rcID ?>" name="rcID"/>
		<label for="password"><?php echo t('Password')?>: <input type="password" name="password" /></label>
		<br /><br />
		<button type="submit"><?php echo t('Download')?></button>

Let’s have a look at the “$returnURL” variable. (more…)

A Flashback of my Childhood – NOIP XSRF

No-Ip is a free DNS providing service for users. I’ve signed up for an account when I was at the age of eleven long times back. Mainly I used it for configuring my RATs (Remote Administration Tools) for forwarding the connection from the No-IP DNS to my external IP. So it was long time back and I just used it for testing purposes only. After that I’ve never wanted to use a DNS service for any reason. One day I accidently visited no-ip and to my surprise my previous account was still active which I created long time back 🙂

I did not have any intention of finding any kind of vulnerability. But at that moment my Burp Suite was in intercepting mode and I was experimenting with another web application. I created a new no-ip account for testing some of my reverse tcp dns shells. After the testing was done I just deleted my account since it was a fake random account. As time passed by testing my other application and my shells I saw the HTTP request of the deletion of my fake no-ip account in the history. It had no XSRF token used. W00t! I was able to delete any account when the user just opens my malicious request. Well, Here is the proof of concept.

Blue Ivy Logger

Blue Ivy Logger is a powerful keylogger for Windows environments. You have a variety of options to generate your customized logger. Author takes no responsibility for any kind of damage you cause.
This is developed for educational and research purposes only. Use this at your own risk.


Creative Commons License
Blue Ivy Logger by Osanda Malith Jayathissa is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Based on a work at