CVE-2015-2842

GoAutoDial GoAdmin CE 3.x - Unauthenticated Arbitrary File Upload via Voice Files Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2842. PoCs published by Chris McCurley.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in GoAutoDial 3.3, including SQL injection for authentication bypass, arbitrary file upload, and command injection leading to remote code execution (RCE). The PoC includes clear examples of malicious payloads and techniques to achieve RCE and privilege escalation.

Description

Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in sounds/.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Chris McCurley · textwebappsphp

https://www.exploit-db.com/exploits/36807

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in GoAutoDial 3.3, including SQL injection for authentication bypass, arbitrary file upload, and command injection leading to remote code execution (RCE). The PoC includes clear examples of malicious payloads and techniques to achieve RCE and privilege escalation.

Classification

Working Poc 100%

Attack Type

Rce | Sqli | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: GoAutoDial 3.3-1406088000 and previous releases

No auth needed

Prerequisites: Network access to the target · Default admin user not removed

MITRE ATT&CK