CVE-2015-2843

GoAutoDial GoAdmin CE - SQL Injection via User Credentials or PATH_INFO

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-2843. PoCs were published by Metasploit and Chris McCurley, including the Metasploit module exploits/linux/http/goautodial_3_rce_command_injection.

AI-analyzed exploit summary: This Metasploit module exploits a SQL injection vulnerability in GoAutoDial 3.3 for authentication bypass and command injection, leading to remote code execution with root privileges. It also retrieves admin credentials, including cleartext passwords, from the database.

Description

Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/42296

This Metasploit module exploits a SQL injection vulnerability in GoAutoDial 3.3 for authentication bypass and command injection, leading to remote code execution with root privileges. It also retrieves admin credentials, including cleartext passwords, from the database.

Classification: Working PoC 95%
Attack Type: RCE | SQLi | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: GoAutoDial 3.3-1406088000 and below
No auth needed
Prerequisites: Network access to the target · Target running vulnerable GoAutoDial version
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Chris McCurley · text · webapps · php
https://www.exploit-db.com/exploits/36807

The exploit demonstrates multiple vulnerabilities in GoAutoDial 3.3, including SQL injection for authentication bypass, arbitrary file upload, and command injection leading to remote code execution (RCE). The PoC includes clear examples of malicious payloads and techniques to achieve RCE and privilege escalation.

Classification: Working PoC 100%
Attack Type: RCE | SQLi | Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: GoAutoDial 3.3-1406088000 and previous releases
No auth needed
Prerequisites: Network access to the target · Default admin user not removed
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by Chris McCurley · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/goautodial_3_rce_command_injection.rb

This Metasploit module exploits a SQL injection flaw in GoAutoDial 3.3's login functionality to bypass authentication and perform command injection with root privileges. It also retrieves admin credentials from the database.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GoAutoDial 3.3-1406088000 and below
No auth needed
Prerequisites: Network access to the target · GoAutoDial 3.3 or earlier running on port 443
devstral-2 · analyzed Apr 22, 2026

References (6)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/535319/100/1100/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42296/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74281
Vendor Advisory x_refsource_confirm
http://goautodial.org/news/21
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36807/

Scores

EPSS 0.8005
EPSS Percentile 99.1%

Details

CWE: CWE-89
Status: published
Products (2):
goautodial/goadmin_ce 3.0
goautodial/goadmin_ce 3.3
Published: May 12, 2015
Tracked Since: Feb 18, 2026