How to exploit open redirect vulnerability?

Exactly as you are doing. The idea of open redirect vulnerabilities is to use the trust a user has in a specific website (the vulnerable site), and exploit it to get them to visit your website.

So you would send this link to a user: example.com/?url=evil.com/sploitCode.php. Because the website they see is example.com, and they trust them, they will click on it (in theory). On the other hand, if you had sent them evil.com, they would not click on it, because they do not know or trust it.

You can also obfuscate the URL further: example.com/some/nice/sounding/path/%2F..%2F..%2F..%2F..%2F/?url=evil.com/something-less-evil.php?some-unneded=parameters. Then you can also wrap it up in a nice <a> tag, so users will be less suspicious (then the main advantage is that hovering over the link will show them an innocent link at first glance).


Note that the URL that you give as an example can also be written as such:

example.com/?%75%72%6C=%65%76%69%6C%2E%63%6F%6D%2F%73%70%6C%6F%69%74%43%6F%64%65%2E%70%68%70

The domain, evil.com, is no longer visible in the link, nor is the fact that it's a redirect at all. It doesn't look exactly normal, but how often are there funny-looking links in emails that include some tracking code? The domain is perfectly legit.
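
For defenders, the percent-encoded form above is the reason a link filter or server-side check has to decode the query string before inspecting it. The following is an added example, not part of the answers above: it decodes parameter names and values and reports redirect parameters that point off-site. The `REDIRECT_PARAMS` list and the function names are assumptions for illustration, and a schemeless value such as `evil.com/...` is treated as a host, as the links on this page do.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names commonly used for redirects; extend per application.
REDIRECT_PARAMS = {"url", "next", "redirect", "return", "returnurl", "dest", "goto"}


def target_host(value):
    """Host a redirect value points at, or None if it is a path on the same site."""
    # Browsers treat "\" like "/", so "/\host" behaves like "//host".
    v = value.strip().replace("\\", "/")
    if v.startswith("/") and not v.startswith("//"):
        return None  # path-relative target stays on-site
    if "://" not in v and not v.startswith("//"):
        v = "//" + v  # schemeless "evil.com/x": parse the first label as a host
    host = urlsplit(v).hostname
    return host.lower() if host else None


def offsite_redirects(link, trusted_hosts=()):
    """Return [(param, decoded_value, host)] for redirect params leaving the site."""
    if "://" not in link:
        link = "http://" + link
    parts = urlsplit(link)
    site = (parts.hostname or "").lower()
    trusted = {site} | {h.lower() for h in trusted_hosts}
    findings = []
    # parse_qsl percent-decodes names AND values, so "%75%72%6C" becomes "url".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        host = target_host(value)
        if host and host not in trusted:
            findings.append((name, value, host))
    return findings


if __name__ == "__main__":
    # The three link forms quoted on this page.
    samples = [
        "example.com/?url=evil.com/sploitCode.php",
        "example.com/?%75%72%6C=%65%76%69%6C%2E%63%6F%6D%2F%73%70%6C%6F%69%74"
        "%43%6F%64%65%2E%70%68%70",
        "example.com/some/nice/sounding/path/%2F..%2F..%2F..%2F..%2F/"
        "?url=evil.com/something-less-evil.php?some-unneded=parameters",
    ]
    for s in samples:
        print(offsite_redirects(s))
```

The same decoding step belongs in the vulnerable application itself: validate the decoded target against an allowlist of hosts (the `trusted_hosts` argument here) before issuing the redirect.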