pip install git+https://github.com/Avielyo10/sqli
Run sqli [options ...].
Options:
-wto get a summary on stdout in addition tooutput.out.-tto run the test case before running the program.
In this part I just changed the php?id=<some_number> to jump to another course.
Here I tried consecutive numbers from the page I started from.
An example of a page with access as a guest.
The weakness here is that the .php is visible, to solve this issue see: StackOverflow - How to hide .php from address bar?.
Here you can find the output file contains all the open pages on our moodle.
What I did to improve the efficiency is to iterate all the categories with all the possible courses, to achieve that I chose this prefix &browse=courses&perpage=10000&page=0, this will guarantee having all the courses on the same page from a certain category.
If course is open, there is an "unlock" symbol next to it. So instead of iterating on each and every course, I looked on the overall page, and look for this symbol, if found - return the link to it.
I couldn't find any vulnerability inside the search bar since they use parameterized queries so I couldn't change the intent of the query, I tried to do some escaping, but all I got is the same search results without the shadow on the searched word.
Some other vulnerabilities I found:
